Linux networking


References

Tools:

  • GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.

Network tools

Available tools:

  • nmcli (package network-manager)
  • ip and ss (package iproute2)

See also Linux Commands for more tools.

nmcli

nmcli is the command-line tool for controlling NetworkManager. It can be used to enable / disable wifi, manage wired and wireless connections...

nmcli comes with detailed command help:

nmcli help
nmcli c[onnection] help
nmcli c[onnection] m[odify] help

To get a clear and complete overview of network (address, route, dns) on this machine:

nmcli
# enp0s31f6: connected to Wired connection 1
#         "Intel Ethernet"
#         ethernet (e1000e), B0:0C:D1:C9:90:1E, hw, mtu 1500
#         ip4 default
#         inet4 192.168.1.9/24
#         ...
# 
# wlp1s0: unavailable
#         "Intel 8265 / 8275"
#         wifi (iwlwifi), 6E:3B:39:B9:03:78, hw, mtu 1500
# 
# lo: unmanaged
#         "lo"
#         loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
# 
# DNS configuration:
#         servers: 127.0.0.1 192.168.1.1
#         domains: lan
#         interface: enp0s31f6
# ...

NetworkManager configures devices according to predefined connections. To list these connections:

# List available connections
nmcli c[onnection] [sh[ow] [--active]]
NAME                UUID                                  TYPE      DEVICE    
tun0                fbc01821-9f88-4162-a514-5fe82b30ef87  tun       tun0      
Wired connection 1  89818eee-7bb4-4def-bc24-ad77c97b2c87  ethernet  enp0s31f6 
...

# Show a connection
nmcli c[onnection] [sh] "Wired connection 1" | grep ipv4
nmcli c[onnection] [sh] "Wired connection 1" | grep dns

Use nmcli c[onnection] m[odify] or nmcli c e[dit] to modify or edit a connection.

Note: When editing a connection, the corresponding device must be restarted.

# Set up manual connection
nmcli c mod "Wired connection 1" ipv4.method manual ipv4.addresses 192.168.20.1/24 ipv4.gateway 192.168.20.254
nmcli d reapply enp0s31f6
# Set up DHCP connection
nmcli c mod "Wired connection 1" ipv4.method auto ipv4.addresses "" ipv4.gateway ""
nmcli d reapply enp0s31f6

# Edit a connection
nmcli c edit "Wired connection 1"

To view or configure devices:

Note: These settings will be overridden by connections settings on restart / connect.

# Get device list
nmcli d[evice] [list]
# Get device info
nmcli d[evice] show [enp0s31f6 | tun0 | wlp1s0]
# Connect / disconnect the device
nmcli d[evice] c[onnect] enp0s31f6
nmcli d[evice] dis[connect] enp0s31f6

To switch on/off the WIFI:

nmcli r[adio]                         # Show radio status (basically WIFI status)
nmcli r[adio] wifi off                # Disable wifi (as done via the GUI)
nmcli r[adio] wifi on                 # Enable wifi (as done via the GUI)

To view network device configuration, like DHCP client settings:

nmcli dev show
nmcli device show eth0 | grep IP4   # View eth0 configuration (like DHCP client settings)

To troubleshoot network-manager:

# Get NM / dnsmasq status information
systemctl status network-manager.service

ip

ip shows / manipulates routing, devices, policy routing and tunnels.

Basic uses

Use ip addr or (shorter) ip a to show ip configuration (roughly equivalent to ifconfig):

ip addr
# 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
#     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
#     inet 127.0.0.1/8 scope host lo
#        valid_lft forever preferred_lft forever
#     inet6 ::1/128 scope host 
#        valid_lft forever preferred_lft forever
# 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
#     link/ether a0:d3:c1:9c:59:56 brd ff:ff:ff:ff:ff:ff
#     inet 10.137.2.54/23 brd 10.137.3.255 scope global dynamic eth0
#        valid_lft 589545sec preferred_lft 589545sec
#     inet6 fe80::68ea:8b5c:bd71:f190/64 scope link 
#        valid_lft forever preferred_lft forever
# ...
IPETH0=$(ip addr show eth0 | perl -lne 'print for /inet[^0-9]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/')      # Get local ip address

To temporarily configure a device to use dhcp [1]:

sudo ip link set dev eth0 down
sudo dhclient eth0

To use a static address:

# Add a static address
sudo ip addr add 192.168.1.14/24 dev eth0
sudo ip link set dev eth0 up
sudo ip route add default via 192.168.1.1

# Remove the static address:
sudo ip addr del 192.168.1.14/24 dev eth0
sudo ip route del [table main] default dev enp0s31f6

ip help

  • ip help to display help summary.
  • ip COMMAND help to display detailed help on COMMAND.

shortcuts

All ip commands can be shortened to their minimal non-ambiguous form. For instance ip a instead of ip addr.

ip addr
ip a                # Idem, shorter

ip rules

ip is a policy-based packet router. Policies are defined in rules. Use ip rule to display current rules, in priority order. Each rule gives the corresponding routing table.

ip rule
# 0:	from all lookup local 
# 32766:	from all lookup main 
# 32767:	from all lookup default

ip routes

ip route shows the main route table. Use ip route list table TABLE (or ip route show table TABLE) to show the given TABLE.

ip route list table local       # Show local table
ip route show table local       # ... same as above
ip route list table main        # Show main table
ip route                        # ... Same as above
ip route list table default     # Show default table

Routes can be deleted. First, get the route table:

ip route show table main
# default via 192.168.20.254 dev enp0s31f6 proto static metric 100 
# default via 192.168.43.1 dev wlp1s0 proto dhcp metric 600 
# 10.0.10.0/24 dev tun0 proto kernel scope link src 10.0.10.1 
# ...

We can delete the first default route:

ip route del table main default dev enp0s31f6

iw / iwconfig

See Wifi.

ss

ss is the newer tool for inspecting sockets, to be preferred over netstat and the like.

ss -tupan                       # Roughly equivalent to netstat -lpn

WiFi

See Wifi (iwconfig, nmcli...).

Legacy network configuration

The following tools are old legacy tools (ifconfig(8), route(8), netstat) that should no longer be used.

  • From [2]: And remember: every time you use ifconfig(8), Cthulhu eats a kitten. Please, think of the kittens
  • This HOW-TO says that route and ip(8) are not compatible.
  • Why iproute2 says that Linux kernels 2.2 and up include a completely redesigned network system, and that legacy tools like arp, ifconfig and route are actually obsolete and show some unexpected behaviours that are only available with iproute2 ([3]).
  • 43. LVS: Newer networking tools: Policy Routing gives more example of ifconfig hiding (wrongly) complexity of an interface having multiple IP addresses.

ifconfig

ifconfig configures a network device.

To view current configuration:

ifconfig -l

To temporarily setup a network device [4]:

sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0

Note that ifconfig is obsolete. Use ip instead [5], [6], [7].

netstat

netstat is the legacy utility. Prefer ss from package iproute2.

netstat prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

netstat -utpn      # Active ports, tcp, socket program PID, numeric
netstat -lutpn     # Listen ports, tcp, socket program PID, numeric
netstat -autpn     # All (active and listen), tcp, socket program PID, numeric
netstat -rn        # Kernel route table, numeric

When listing sockets (default output), you'll get an output like:

% netstat -at

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 andLinux.local:43449    windows-host:x11        ESTABLISHED

% netstat -atn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.150:43449    192.168.11.1:6000       ESTABLISHED

Local Address:

  • * or 0.0.0.0 means that the process accepts connections from any interface.
  • 127.0.0.1 means it only accepts connections on the localhost loopback (and so only connections that originate from the local PC as well).
  • Any other IP address means that the process listens on the given port at the given IP address.
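To turn the reading of the Local Address column into a routine exposure check, here is an added shell example (not from the original page) that parses netstat-style output, constructed inline, and reports each listening TCP socket as reachable from all interfaces, loopback only, or one specific address. It assumes the netstat -atn column layout shown above (State in the last column).

```shell
# Constructed sample output in "netstat -atn" layout (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.150:22       0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.168.11.150:43449    192.168.11.1:6000       ESTABLISHED'

# Print one line per LISTEN socket: "<scope> <proto> <local address>"
#   all       -> 0.0.0.0 / :: / *  : reachable from every interface
#   loopback  -> 127.0.0.1 / ::1   : local processes only
#   specific  -> any other address : bound to a single interface address
classify_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            addr = $4
            # strip the port: everything after the last ":" (works for IPv6 ":::80" too)
            sub(/:[^:]*$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "all"
            else if (addr == "127.0.0.1" || addr == "::1")
                scope = "loopback"
            else
                scope = "specific"
            print scope, $1, $4
        }'
}

# Number of listeners reachable from any interface: the figure an exposure review cares about.
count_exposed() {
    classify_listeners "$1" | grep -c '^all '
}

classify_listeners "$SAMPLE_NETSTAT"
echo "exposed listeners: $(count_exposed "$SAMPLE_NETSTAT")"
```

Run it against live output with `classify_listeners "$(netstat -atn)"`; a "specific" entry on a non-loopback address is reachable from that interface's network, so review it together with the firewall rules.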

Firewall / iptables

Summary of iptables:

  • There are several tables: filter, raw...
  • In the filter table, there are 3 builtin chains: INPUT, OUTPUT and FORWARD
  • iptables extensions provide some more chains.
  • In each chain, rules are processed in sequence. If the packet matches the rule, the counter for that rule is incremented; if a target is given, it is taken and processing ends; otherwise processing continues with the next rule.
  • One can create custom chains, and use custom rules with RETURN as target for creating more elaborate rules.

Some tricks:

  • To view all current iptables rules:
sudo iptables --list -n -v
  • Save all rules in readable / restorable form:
sudo iptables-save > iptables-rules
  • iptables-restore does not accept a command like -N mychain to create a chain. Instead use the following:
#-N my-chain
:my-chain - [0:0]
  • To clear all rules:
sudo iptables -F           # flush
sudo iptables -X           # Delete all chains but builtin

Example script. This one was added to /etc/ufw/before.rules (see Nxl67170 - Windows and Dansguardian for more examples):

:vbox-output-logging-deny - [0:0]
:vbox-output-logging-allow - [0:0]
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.124.210 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp -m multiport --dports 135,139,389,445 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p udp -m multiport --dports 53,137,138,389 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -p tcp --dport 88 -j ACCEPT
-A ufw-before-output -m owner --uid-owner 7000 -d 92.120.0.0/16 -j vbox-output-logging-deny
-A ufw-before-output -m owner --uid-owner 7000 -j ACCEPT
-A vbox-output-logging-deny -j LOG --log-prefix "[UFW BLOCK] [VBOX] "
-A vbox-output-logging-deny -j REJECT
# -A vbox-output-logging-allow -p tcp -m multiport --dports 135,139,389,445 -j RETURN
# -A vbox-output-logging-allow -p udp -m multiport --dports 53,137,138,389 -j RETURN
# -A vbox-output-logging-allow -p tcp -m multiport --dports 88 -j RETURN
# -A vbox-output-logging-allow -j LOG --log-prefix "[UFW ALLOW] [VBOX] "

UFW

On Ubuntu, the default firewall is UFW.

When deploying UFW, first move the user rules to /etc/ufw so that they can be tracked by etckeeper:

cd /lib/ufw
sudo mv user* /etc/ufw
sudo ln -s /etc/ufw/user.rules
sudo ln -s /etc/ufw/user6.rules

Then enable ufw:

sudo ufw enable

It is easy to add new rules for ufw:

sudo ufw allow from 192.168.11.2                   # Enable full access from local virtualbox
sudo ufw allow from 172.19.0.0/16 to any port 22   # Enable - from home local network - SSH
sudo ufw reload

Tips and How-tos

Enable WINS and NetBIOS

To enable WINS and NetBIOS name resolution on Ubuntu [8]:

sudo apt-get install winbind libnss-winbind             # samba must be installed as well

Edit /etc/nsswitch.conf:

-hosts:      files dns
+hosts:      files dns wins

Then reload:

sudo service winbind reload

Setup Wake-on-LAN

See gWakeOnLan.

Auto-mount network shares with autofs

  • To troubleshoot autofs [9]:
sudo service autofs stop
sudo automount -f -v
  • Use option --ghost to show share directories when browsing mount points [10]:
# mount point   config file        options
/-              /etc/auto.direct   --ghost
/misc           /etc/auto.misc     --timeout=30 --ghost
+auto.master
  • Mount sshfs with autofs [11]. Install the necessary packages:
sudo apt-get install sshfs autofs
    Add the current user to group fuse:
usermod -a -G fuse tjansson
    Add to /etc/auto.master:
/sshfs              /etc/auto.sshfs                 uid=1000,gid=1000,--timeout=30,--ghost
    Add to /etc/auto.sshfs (this assumes the key is password-less):
alpha-blue -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789 :sshfs\#nightmoore@alpha-blue\:
    To troubleshoot, first add to /etc/fstab:
sshfs#nightmoore@alpha-blue:/ /mnt/sshfstab/        fuse    user,_netdev,reconnect,uid=1000,gid=1000,IdentityFile=/home/peetersm/.ssh/id_dsa_nightmoore,port=45789,idmap=user,allow_other,default_permissions,debug,sshfs_debug  0   2
    Then:
mount /mnt/sshfstab
    Add the options debug,sshfs_debug to get really verbose debug output [12].

Auto-mount network shares with libpam-mount

libpam-mount allows you to mount network shares automatically when you log in, using your login password as credentials.

  • The advantage is that, unlike for autofs, you don't need to store your password in a file;
  • However, your username/password must be the same as the ones used to mount the network drive.

Install libpam-mount:

sudo apt-get install libpam-mount

Edit /etc/security/pam_mount.conf.xml as follows:

  • Uncomment luserconf.
  • Add the necessary allow options to the <mntoptions> tag.

<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,dmask,username,domain,iocharset,dir_mode" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

Create the user file ~/.pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>

<pam_mount>
<volume options="nosuid,nodev,dir_mode=0700,iocharset=utf8" user="*" mountpoint="/media/mediashare" path="sharename" server="servername" fstype="cifs" />
</pam_mount>

Network setup via command line

sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0
sudo route add default gw 192.168.1.129
sudo vi /etc/resolv.conf
# nameserver 192.168.1.129
# search domainname
sudo dhclient eth0

Tun/Tap devices

tun/tap devices are software-only interfaces, accessed through a character device (usually located at /dev/net/tun), that allow userspace networking.

On Linux, there are basically 3 ways to create tun/tap devices:

  • ip (package iproute, aka iproute2 [14]). Unfortunately this option is only available in recent distributions (not available in Ubuntu Lucid):
ip tuntap help
ip tuntap add dev tun0 mode tap user $USER
  • openvpn:
sudo openvpn --mktun --dev tun0 --user $USER
sudo openvpn --rmtun --dev tun0
  • tunctl. Do not use the version from package uml-utilities because it can only create tap devices, not tun. Instead fetch the latest version from SourceForge:
sudo tunctl -n -u $USER       # Create a tun device. '-n' can be replaced by '-t tun0'

See the how-to section below to learn how to create VPNs with virtual devices.

Tun2socks / Transparent SOCKS proxy via tuntap device (badvpn-tun2socks)

See tun2socks.

IPv4 vs IPv6

  • Define in /etc/hosts (note that it is always the canonical name first, then the alias names last [15]):
::1 ipv6.localdomain ipv6
127.0.0.1 ipv4.localdomain ipv4
  • Voilà, use the ipv4/ipv6 hostnames where needed (replace localdomain and ipv4 as needed).

Set / Get server hostname / domainname

See [SO]:

# Set hostname
sudoedit /etc/hostname
# ... if avahi running, check also /etc/avahi/avahi-daemon.conf

# Activate hostname
sudo hostname -F /etc/hostname

# Set server domainname and address
sudoedit /etc/hosts
# 92.168.1.2   server.domain server

# Verify
hostname --short
hostname --domain
hostname --fqdn
hostname --ip-address

Enable packet forwarding

Persistently:

sudo vi /etc/sysctl.conf
# Uncomment:
#
#     net.ipv4.ip_forward=1

For current session:

sudo sysctl -w net.ipv4.ip_forward=1
# Or
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Setup bridge

If the PC has two network ports, it can be configured as a network bridge (i.e. a "switch").

Using the networking service

  • Create a file /etc/network/interfaces.d/br0:
# Make sure the file doesn't contain configuration for the interface listed in bridge_ports

# Bridge between eth0 and eth1
auto br0
iface br0 inet dhcp
# For static configuration delete or comment out the above line and uncomment the following:
# iface br0 inet static
#  address 192.168.1.10
#  netmask 255.255.255.0
#  gateway 192.168.1.1
#  dns-nameservers 192.168.1.5
#  dns-search example.com
   bridge_ports eth1
   bridge_stp off
   bridge_fd 0
   bridge_maxwait 0
  • Restart the network configuration:
sudo systemctl restart networking

Using NetworkManager (doesn't work)

sudo nmcli dev set eth1 managed no
sudo nmcli connection add type bridge autoconnect yes con-name br0 ifname br0
sudo nmcli connection add type ethernet autoconnect yes con-name br0-port ifname eth1 master br0
# Optional:
# sudo nmcli connection modify br0 bridge.stp true
sudo nmcli connection up br0

# To set up eth1 to use a manual address:
sudo nano /etc/NetworkManager/system-connections/br0 # ! Check the actual name
# Edit file as follows:
#    [ipv4]
#    method=manual
#    address1=10.136.0.221/24
sudo systemctl restart NetworkManager

Network basic

ARP (Address Resolution Protocol)

ARP is a protocol used for resolution of network layer addresses (OSI level 3, e.g. IP addresses) into link layer addresses (OSI level 2, e.g. MAC addresses).

Example (adapted from wikipedia):

Computers A and B are in an office, connected to each other on the office local area network by Ethernet cables and network switches, with no intervening gateways or routers. A wants to send a packet to B. Through other means, it determines that B's IP address is 192.168.0.55. In order to send the message, it also needs to know B's MAC address:

  • First, A uses a cached ARP table to look up B's MAC address from B's IP address. If the MAC address is found, it sends the IP packet on the link layer to that MAC address via the local network cabling.
  • If the cache did not produce any result, A has to send a broadcast ARP message (destination FF:FF:FF:FF:FF:FF) requesting an answer for B's IP address. B responds with its MAC address. B may insert an entry for A into its own ARP table for future use. The response information is cached in A's ARP table and the message can now be sent.

ARP Proxy

Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as publishing.

  • (+) simplicity. A router may extend a network without knowledge of the upstream router.
  • (-) scalability
  • (-) reliability (no fallback mechanism)
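As an added example not on the original page: because a proxy ARP host publishes its own MAC for other hosts' IP addresses, its trace in the local neighbour table is one link-layer address answering for several IPs. The shell function below reports such entries from ip neigh show output; the sample table is constructed, and the column order (IP, dev, device, lladdr, MAC, state) is the one ip neigh show prints.

```shell
# Constructed "ip neigh show" output (not a real capture): 192.168.0.1 is the router,
# which here also answers ARP for 192.168.0.55 and 192.168.0.56 on its own MAC.
SAMPLE_NEIGH='192.168.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.0.55 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.56 dev eth0 lladdr 00:11:22:33:44:01 DELAY
192.168.0.77 dev eth0 FAILED'

# Print "<dev>/<lladdr> <ip> <ip> ..." for every MAC that answers for more than
# one IP on the same device. Entries without an lladdr (FAILED, INCOMPLETE) are skipped.
shared_lladdr() {
    printf '%s\n' "$1" | awk '
        {
            mac = ""
            for (i = 1; i < NF; i++) if ($i == "lladdr") mac = $(i + 1)
            if (mac == "") next
            key = $3 "/" mac           # $3 is the device name following "dev"
            ips[key] = ips[key] " " $1
            n[key]++
        }
        END {
            for (k in n) if (n[k] > 1) print k ips[k]
        }' | sort
}

shared_lladdr "$SAMPLE_NEIGH"
```

A gateway that simply holds several addresses produces the same pattern, so a hit is something to verify against the known network layout rather than proof of proxying; on a live host run `shared_lladdr "$(ip neigh show)"`.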

Gateway

If, after routing, the selected route contains the IP address of a gateway, the destination address in the IP packet is *not* changed. Instead, the link layer is told to use the gateway's MAC address in the frame header instead of the MAC address of the destination IP address (see [16]).

Troubleshooting

See Network troubleshooting.