TCP/IP
Sections: 13.7, 13.8, 13.11, 13.12

13.7  Adding a Machine to a Network
13.8  Distribution-Specific Network Configuration
13.11 Security Issues
13.12 Linux NAT (IP Masquerading)
Adding a Machine to a Network
The basic steps to add a new machine to a local network are:
• Assign a unique IP address and hostname.
• Set up the new host to configure its network interfaces at boot time.
• Set up a default route.
• Point to a DNS name server, to allow access to the rest of the internet.
• Reboot the system each time you make a change that might affect startup, to make sure that the machine still comes up correctly.
Adding a machine to a network
Each distribution has established its own configuration files for automating network configuration at boot time, as summarized in the following table:

System   File                                          What's set there
Red Hat  /etc/sysconfig/network                        Hostname, default route
         /etc/sysconfig/network-scripts/ifcfg-ifname   IP address, netmask, broadcast address
SuSE     /etc/rc.config                                Hostname, IP address, netmask, and more
         /etc/route.conf                               Default route
Debian   /etc/hostname                                 Hostname
         /etc/network/interfaces                       IP address, netmask, default route
Assigning hostnames and IP addresses
Mapping from hostnames to IP addresses can be maintained through:
• the hosts file (/etc/hosts)
• NIS (Network Information Service)
• DNS (Domain Name Service)
• some combination of the above sources

Renumbering issue
Renumbering = assigning new IP addresses.
• Using hostnames in the configuration files, and having the hostname-to-IP-address translation done through DNS, helps overcome the problem of changing IP addresses.
However,
• Using IP addresses in configuration files reduces dependencies during bootup, when not all services are available yet.
/etc/hosts example
127.0.0.1      localhost
192.108.21.48  lollipop.xor.com lollipop loghost
192.108.21.254 chimchim-gw.xor.com chimchim-gw
192.108.21.1   ns.xor.com ns
192.225.33.5   licenses.xor.com license-server

• Because the hosts file contains local mappings only, most mapping systems use it for mappings that are needed at boot time.
• It can be used for mappings that you don't want others to know about.
• The minimal data are the mappings for the loopback address and the host itself.

/etc/hosts (cont.)
• Some sites put all their really important hosts, servers and gateways in it.
• Default contents by distribution:
  • Debian: only localhost
  • Red Hat: localhost and the machine itself
  • SuSE: localhost, the machine itself, and a few special IPv6 names
• The hostname command assigns a hostname to a machine. It is typically run at boot time from one of the startup scripts, which obtains the name to be assigned from a configuration file.
ifconfig: configure network interfaces
• Enables/disables a network interface
• Sets the IP address and subnet mask
• Sets various other parameters

ifconfig interface address options
• interface: identifies the hardware interface to which the command applies.
• address: the IP address of the interface; many versions of ifconfig accept a hostname for this parameter.

ifconfig examples
ifconfig eth0 128.138.240.1 netmask 255.255.255.0 up
ifconfig interface
ifconfig -a
netstat -i

Options:
• up: turns the interface on (default)
• down: turns the interface off
• netmask: sets the subnet mask for the network; used if subnetting is in use. The network part is set to ones, the host part to zeros.
• broadcast: the IP broadcast address for the interface, expressed in either hex or dotted-quad notation. In most systems the broadcast address is found by setting the host part to all 1s; most systems use the netmask and IP address to calculate the broadcast address.
ifconfig examples

redhat% /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:02:b3:19:C8:86
     inet addr:192.168.1.13 Bcast:192.168.1.255
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:206983 errors:0 dropped:0 overruns:0 frame:0
     TX packets:218292 errors:0 dropped:0 overruns:0 frame:0
     collisions:0 txqueuelen:100
     Interrupt:7 Base address:0xef00

ifconfig eth0 128.138.243.151 netmask 255.255.255.192 broadcast 128.138.243.191 up
mii-tool: configure autonegotiation and other media-specific options
• Autonegotiation mode: both the card and its upstream connection (usually a switch port) try to guess what the other wants to use.
• Problem: high packet loss.
• It is better to lock the interface speed and duplex both on servers and on the switch ports they are connected to.
• mii-tool sets media-specific parameters such as link speed and duplex:
mii-tool --force=100baseTx-FD eth0

route: configure static routes
• If a packet is destined for some host on a directly connected network, the "next-hop gateway" address in the routing table will be one of the local host's own interfaces.
• If no route matches the destination address, the default route is used if one exists; otherwise an ICMP "network unreachable" or "host unreachable" error is returned.

route [op] [type] destination gw gateway [metric] [dev interface]

op:
• add: add a route
• del: remove a route

route (cont.)
• destination: a host address (type -host) or a network address (type -net).
• gateway: the machine to which packets should be forwarded. It must be on a directly connected network.
• dev is optional and can be omitted.
• metric: the number of forwardings (the hop count) required to reach the destination.
• type: optional -net or -host. If not specified, route checks whether the host part of the address is all zeros; it may also check /etc/networks.
route examples
• route -f, or route --flush: completely flushes the routing tables and starts over.
• netstat -nr: inspect existing routes.
• netstat -r: see names instead of numbers.

redhat% netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0

route examples
redhat% netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
0.0.0.0         Sprint-gw       0.0.0.0         UG        0 0          0 eth0

• Genmask: the netmask associated with the destination.
• Flags: the status of the route, how it was learned, and other parameters.
• Iface: the interface through which packets using the route are sent.
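The broadcast rule given with the ifconfig options (network part from the netmask, host part set to all ones) and the route selection described above (most specific matching entry, then the default route, otherwise unreachable) are both plain bit arithmetic, so here they are worked through in POSIX shell. This is an added example, not code from the slides or from the Handbook; the routing table is a constructed copy of the netstat -nr output above, and ip2int, int2ip, broadcast_of and route_for are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the slides): the IP arithmetic behind "broadcast =
# host part all ones" and behind the kernel's route selection. Pure POSIX sh.

# Constructed routing table in the netstat -nr layout used above:
# destination genmask gateway iface (gateway 0.0.0.0 = directly connected).
ROUTES='192.168.1.0 255.255.255.0 0.0.0.0 eth0
127.0.0.0 255.0.0.0 0.0.0.0 lo
0.0.0.0 0.0.0.0 192.168.1.254 eth0'

ip2int() {
    # Pack a dotted quad into one integer, e.g. 192.168.1.13 -> 3232235789.
    local oldifs="$IFS"
    IFS=.
    set -- $1
    IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # Unpack an integer back into dotted-quad form.
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

broadcast_of() {
    # $1 = IP address, $2 = netmask. The network part comes from the mask and
    # the host part is forced to all ones (the rule most systems apply by default).
    local ip mask
    ip=$(ip2int "$1")
    mask=$(ip2int "$2")
    int2ip $(( (ip & mask) | (~mask & 4294967295) ))
}

route_for() {
    # $1 = destination address, $2 = routing table text (one route per line).
    # Prints "gateway iface" for the most specific entry whose network contains
    # the destination. A 0.0.0.0/0.0.0.0 entry matches everything, so it wins
    # only when nothing more specific does: that is the default route.
    # Prints "unreachable" when no entry matches (the ICMP "network unreachable" case).
    local dst best best_mask net mask gw iface m
    dst=$(ip2int "$1")
    best=""
    best_mask=-1
    while read -r net mask gw iface; do
        [ -n "$net" ] || continue
        m=$(ip2int "$mask")
        if [ $(( dst & m )) -eq "$(ip2int "$net")" ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$gw $iface"
        fi
    done <<EOF
$2
EOF
    echo "${best:-unreachable}"
}

# Usage, with the slide's own numbers.
broadcast_of 128.138.243.151 255.255.255.192   # 128.138.243.191
route_for 192.168.1.13 "$ROUTES"               # 0.0.0.0 eth0 (directly connected)
route_for 8.8.8.8 "$ROUTES"                    # 192.168.1.254 eth0 (default route)
```

Because the comparison is done on the netmask value, a longer mask always beats the default route's all-zero mask, which is why the default entry only ever catches traffic no other entry claims.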
Default routes
• All packets whose destination network is not found in the kernel's routing table are sent to the default route.
route add default gw gateway-ip-address

How to set the default route
System   File to change            Variable to change
Red Hat  /etc/sysconfig/network    GATEWAY
SuSE     /etc/route.conf           Add line: default IP-addr mask interface
Debian   /etc/network/interfaces   gateway
Configuring DNS
To configure a machine as a DNS client:
• Modify /etc/resolv.conf:
  • this file lists the domains that should be searched to resolve names that are incomplete (not fully qualified);
  • it lists the IP addresses of the name servers to contact for name lookups.
• Some systems also require modification of the "service switch" file.

Modify /etc/resolv.conf
search cs.colorado.edu colorado.edu
nameserver 128.138.242.1
nameserver 128.138.234.151
nameserver 192.108.21.1

• domain is sometimes used instead of search in ancient resolv.conf files.
• search is preferred, but Red Hat defaults to a resolv.conf file that uses domain instead of search.

Service switch
• Some systems have a "service switch" file that determines which mechanism will be used to resolve hostname-to-IP-address mappings. See page 498 for prioritization.
• It allows specification of the order in which DNS, NIS, and /etc/hosts should be consulted.

Service switch files by system
System           Switch file          Default for hostname lookups
Red Hat          /etc/nsswitch.conf   files nisplus nis dns
                 /etc/host.conf       hosts, bind
SuSE and Debian  /etc/nsswitch.conf   files dns
                 /etc/host.conf       hosts, bind
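To show how the /etc/hosts data shown earlier and the service-switch order interact, here is a small resolver in POSIX shell that consults a constructed copy of the /etc/hosts example (one entry commented out) and a constructed DNS stub table in whatever order nsswitch.conf would give (for example "files dns"). It is an added example, not code from the slides or the Handbook; hosts_lookup, dns_lookup, resolve, HOSTS and DNS_STUB are names chosen here, and the DNS stub stands in for a real name server so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the slides): how the "files" and "dns" sources are
# consulted in service-switch order. Both data sources are constructed inline.

# Constructed /etc/hosts in the slide's layout; the last entry is commented out.
HOSTS='127.0.0.1      localhost
192.108.21.48  lollipop.xor.com lollipop loghost   # aliases follow the canonical name
192.108.21.254 chimchim-gw.xor.com chimchim-gw
192.108.21.1   ns.xor.com ns
# 192.225.33.5 licenses.xor.com license-server'

# Constructed stand-in for a DNS zone. lollipop deliberately has a different
# address here than in /etc/hosts: that is exactly where lookup order matters.
DNS_STUB='www.xor.com 192.108.21.10
lollipop.xor.com 192.108.21.99'

hosts_lookup() {
    # $1 = name, $2 = hosts-file text. Mirrors the "files" source: comments are
    # stripped, the canonical name and every alias match, the first hit wins,
    # and names compare case-insensitively.
    printf '%s\n' "$2" | awk -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; exit } }'
}

dns_lookup() {
    # $1 = name. Stand-in for a name-server query, answered from DNS_STUB.
    printf '%s\n' "$DNS_STUB" | awk -v name="$1" '
        tolower($1) == tolower(name) { print $2; exit }'
}

resolve() {
    # $1 = name, $2 = source order as nsswitch.conf would list it ("files dns").
    # Prints "address source" from the first source that answers, else NXDOMAIN.
    local src ip
    for src in $2; do
        case $src in
            files) ip=$(hosts_lookup "$1" "$HOSTS") ;;
            dns)   ip=$(dns_lookup "$1") ;;
            *)     ip="" ;;    # nis/nisplus would go here; not modelled
        esac
        if [ -n "$ip" ]; then
            echo "$ip $src"
            return 0
        fi
    done
    echo "NXDOMAIN"
}

# Usage
resolve loghost "files dns"            # 192.108.21.48 files  (alias in /etc/hosts)
resolve lollipop.xor.com "files dns"   # 192.108.21.48 files
resolve lollipop.xor.com "dns files"   # 192.108.21.99 dns    (order changes the answer)
resolve www.xor.com "files dns"        # 192.108.21.10 dns
resolve license-server "files dns"     # NXDOMAIN             (commented out in hosts)
```

The lollipop case is the one worth remembering: with "files" first, a local /etc/hosts entry overrides whatever DNS says, which is both why the hosts file is useful for boot-time and private mappings and why a stale entry there can silently send traffic to the wrong address.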
The Linux networking stack
• Includes support for virtual network interfaces, selective acknowledgments, and a new IP feature, Explicit Congestion Notification (ECN).
• ECN marks TCP packets to notify the sender of congestion. It is a good thing both for bulk transfers of data and for transactional data such as web requests and responses.
Distribution-Specific Network Configuration
• linuxconf: a module-based utility that provides a simple interface for managing a number of system administration tasks, including most network-related configuration.
• Three interfaces: text-based, web, and X Windows.
• For a change to a configuration file to take effect, bring the network interface down and up again, or reboot:
  • Red Hat and Debian: ifup and ifdown
  • SuSE: reboot the machine
Network Configuration for Red Hat
File                                           What's set there
/etc/sysconfig/network                         Hostname, default route
/etc/sysconfig/static-routes                   Static routes
/etc/sysconfig/network-scripts/ifcfg-ifname    IP address, netmask, broadcast address per interface

/etc/sysconfig/network example
NETWORKING=yes
HOSTNAME=redhat.toadranch.com
DOMAINNAME=toadranch.com
###OPTIONAL
GATEWAY=192.168.1.254

/etc/sysconfig/network-scripts/ifcfg-ifname examples

ifcfg-eth0 file:
DEVICE=eth0
IPADDR=192.168.1.13
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes

ifcfg-lo file:
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
Network Configuration for Red Hat (cont.)
• ifup ifname: brings an interface up
• ifdown ifname: brings an interface down
• /etc/rc.d/init.d/network:
  • a script that accepts the arguments start, stop, restart, and status
  • manages all the interfaces at once
  • invoked at boot time
• Any routes added to the file /etc/sysconfig/static-routes are entered into the routing table at boot time. Each line supplies the arguments for route add:
eth0 net 130.255.204.48 netmask 255.255.255.248 gw 130.255.204.49
eth1 net 192.38.8.0 netmask 255.255.255.224 gw 192.38.8.9
Network Configuration for SuSE
File              What's set there
/etc/rc.config    Hostname, IP address, netmask, and more
/etc/route.conf   Default route, static routes

• /sbin/SuSEconfig: a tool that uses scripts in /sbin/conf.d and /etc/rc.config.d to do the configuration work.
• /etc/rc.config contains all network-related parameters except routing information and DNS information. Example:
START_LOOPBACK="yes"
NETCONFIG="_0"
IPADDR_0="192.168.1.101"
NETDEV_0="eth0"
IFCONFIG_0="192.168.1.101 broadcast 192.168.1.255 netmask 255.255.255.0"
FQHOSTNAME="inura.toadranch.com"
DISABLE_ECN="yes"

Dynamic Routing in SuSE
• Dynamic routing is also configured in rc.config. Example:
START_ROUTED="no"   ### RIP (Routing Information Protocol) version 1 daemon
START_ZEBRA="no"    ### zebra routing manager
START_BGPD="no"     ### BGP (Border Gateway Protocol) daemon
START_RIPING="no"   ### RIP version 2 daemon
START_OSPFD="no"    ### OSPF (Open Shortest Path First) daemon
START_MRTD="no"     ### multithreaded routing daemon
Network Configuration for Debian
File                      What's set there
/etc/hostname             Hostname (should be fully qualified)
/etc/network/interfaces   IP address, netmask, default route
/etc/network/options      Low-level network options (IP forwarding, etc.)

Example /etc/network/interfaces file
iface lo inet loopback
iface eth0 inet static
    address 192.168.1.102
    netmask 255.255.255.0
    gateway 192.168.1.254

• The interfaces file is read by ifup and ifdown, which bring the interfaces up and down respectively.
• The inet keyword in the iface line is the address family; this will always be inet.
• static specifies that the IP address and netmask lines are required, for static configuration.
• gateway specifies the address of the default gateway and is used to install the default route.
• The options file allows some network variables to be set at boot time.
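The interfaces-file rules just listed (inet family, static requiring address and netmask, gateway installing the default route) map directly onto the ifconfig and route commands from earlier in the chapter. The following POSIX shell dry-run parser prints the commands implied by one stanza and rejects a static stanza that lacks its required lines. It is an added example, not ifupdown itself and not code from the slides; IFACES_SAMPLE is a constructed file containing the slide's two stanzas plus a deliberately broken one, and ifup_plan is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the slides, and not the real ifup): a dry-run parser
# for /etc/network/interfaces that prints the ifconfig/route commands implied
# by one stanza, or reports a stanza that violates the rules above.

# Constructed sample: the slide's two stanzas plus a broken one (no netmask).
IFACES_SAMPLE='iface lo inet loopback
iface eth0 inet static
    address 192.168.1.102
    netmask 255.255.255.0
    gateway 192.168.1.254
iface eth1 inet static
    address 10.0.0.5'

ifup_plan() {
    # $1 = interface name, $2 = interfaces-file text.
    # Returns 0 and prints the commands, or returns 1 with a diagnostic.
    printf '%s\n' "$2" | awk -v want="$1" '
        # "iface NAME FAMILY METHOD" opens a stanza; following option lines belong to it.
        $1 == "iface" { cur = $2; family[$2] = $3; method[$2] = $4; next }
        cur != "" && NF >= 2 { opt[cur, $1] = $2 }
        END {
            if (!(want in method)) { print "no stanza for " want; exit 1 }
            if (family[want] != "inet") { print "unsupported family " family[want]; exit 1 }
            if (method[want] == "loopback") {
                print "ifconfig " want " 127.0.0.1 up"
                exit 0
            }
            if (method[want] == "static") {
                # static requires both the address and the netmask line.
                if (!((want, "address") in opt) || !((want, "netmask") in opt)) {
                    print "iface " want ": static requires address and netmask"
                    exit 1
                }
                print "ifconfig " want " " opt[want, "address"] " netmask " opt[want, "netmask"] " up"
                # gateway installs the default route.
                if ((want, "gateway") in opt)
                    print "route add default gw " opt[want, "gateway"]
                exit 0
            }
            print "unsupported method " method[want]
            exit 1
        }'
}

# Usage
ifup_plan lo "$IFACES_SAMPLE"
ifup_plan eth0 "$IFACES_SAMPLE"
ifup_plan eth1 "$IFACES_SAMPLE" || echo "eth1 rejected (exit $?)"
```

Running the check against a file before ifup does is a cheap way to catch an interface that would come up half-configured (address but no netmask, or a gateway on a stanza that never gets an address), which on a firewall or router host usually means the filtering rules keyed on that interface never apply either.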
Network Configuration with GUI
• Red Hat includes a tool called neat (Network Administration Tool) that can perform Ethernet, modem, ISDN, xDSL, and wireless configuration.
• To run it:
  • select Main menu -> Programs -> System -> Network Configuration, or
  • type neat in a shell.
Security Issues
IP forwarding
• Lets the Linux box act as a router.
• Turn this feature off unless you have multiple network interfaces and intend to use the Linux box as a router.
• Hosts with this feature enabled can compromise security by making external packets appear to have come from inside the local network, which lets naughty packets evade network scanners and packet filters.
Security issues
ICMP redirects
• Can be used maliciously to reroute traffic and mess with the routing table.
• Most operating systems listen to them and follow their instructions.
• It is recommended to configure routers, and hosts acting as routers, to ignore and perhaps log ICMP redirects.
Security issues
Source routing
• The IP source routing mechanism lets the sender specify the series of gateways a packet is to transit on the way to its destination.
• It can create security problems because packets are often filtered according to their origin.
• If someone can cleverly route a packet to make it appear to have originated from your network instead of the internet, it might slip through your firewall.
• It is recommended to neither accept nor forward source-routed packets.
Security issues
Broadcast pings and other forms of directed broadcast
• Ping packets addressed to a network's broadcast address (instead of to a particular host address).
• Can be used in denial of service attacks.
• Most hosts have a way to disable broadcast pings.
• The router can also be configured to filter out broadcast pings.
Security issues
IP spoofing
• If the software creating the packet uses a raw socket, it can fill in any source address it likes.
• The machine identified by the spoofed source address (if it is a real address) is often the victim in this scheme: error and return packets can disrupt or flood the victim's network connections.
• IP spoofing should be denied at the border router by blocking outgoing packets whose source address is not within your address space.
• If a network uses private address space, addresses escaping to the internet can be filtered and caught, since private addresses are not routable.
Security issues
IP spoofing (cont.)
• Linux-based firewalls provide a way to implement this filtering; however, most sites prefer to implement this type of filtering at their border routers.
• Protect against a hacker forging the source address on external packets to fool the firewall into thinking that they originated on your internal network. The rp_filter kernel parameter (settable in the /proc/sys/net/ipv4/conf/ifname directory) can help detect these packets: set rp_filter (reverse path filtering) to 1.
• If the site has multiple connections to the internet, rp_filter has to be set to 0 if inbound and outbound routes are different (which is the preferred arrangement).
Security issues
Host-based firewalls
• Packet filtering (aka "firewall") software.
• Linux security is weak and NT's security is worse.
• It is recommended to buy a dedicated hardware solution to use as a firewall.
• Go to page 676 to read more about firewall-related issues.
Security issues
Virtual private networks (VPN)
• Private networks that include a series of secure, encrypted "tunnels".
• These "tunnels" allow using the internet as if it were a private data line.
• Used to connect several parts of the world as if they were within one big private network.
• Some VPNs use the IPSEC protocol (standardized by the IETF in 1998); others use proprietary solutions.
• Examples: Cisco's 3660 router and the WatchGuard Firebox provide VPN. They provide tunneling and encryption.
Security issues
Security-related kernel variables
Feature          Host     Gateway  Control file (in /proc/sys/net)
IP forwarding    off      on       ipv4/ip_forward (for the whole system)
                                   ipv4/conf/interface/forwarding (per interface)
ICMP redirects   obeys    ignores  ipv4/conf/interface/accept_redirects
Source routing   ignores  obeys    ipv4/conf/interface/accept_source_route
Broadcast ping   answers  answers  ipv4/icmp_echo_ignore_broadcasts
Security issues
Changing security-related kernel variables
• Red Hat:
  • Add values to /etc/sysctl.conf, which is read by the sysctl command at boot time.
  • The format of sysctl.conf is variable=value, for example
    net.ipv4.ip_forward=0
    (turns off IP forwarding).
• SuSE:
  • sysctl doesn't run during the boot process.
  • Edit rc.config (in /etc/init.d/boot) or add a call to the sysctl command somewhere in the startup sequence.
• Debian:
  • Provides a sample sysctl.conf file and also calls sysctl during startup.
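The table of kernel variables and the sysctl.conf notes above together define what a hardened plain host should look like, and the following POSIX shell script turns that into a check. It reads sysctl.conf-style text (variable=value, with comments and spacing tolerated), compares it with a host profile built from the "host" column of the table plus rp_filter from the IP spoofing slides, and reports settings that are wrong or missing; render_profile emits the same profile in sysctl.conf format so the corrected file can be produced from the same data. This is an added example, not code from the slides or from any distribution; HOST_PROFILE, SAMPLE_SYSCTL_CONF, sysctl_value, audit_sysctl and render_profile are names chosen here, the sample sysctl.conf is constructed, and the per-interface controls are expressed through the net.ipv4.conf.all.* keys so that they cover every interface.

```shell
#!/bin/sh
# Added example (not from the slides): audit a sysctl.conf against the "host"
# column of the kernel-variable table. Runs offline on constructed text.

# Desired values for a plain host (not a gateway), as "key value" pairs.
# The per-interface controls are set through conf.all so they cover every interface.
HOST_PROFILE='net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.rp_filter 1'

# Constructed sysctl.conf to audit: forwarding was left on and source routing
# is never mentioned, so the kernel default applies to it.
SAMPLE_SYSCTL_CONF='# /etc/sysctl.conf (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1'

sysctl_value() {
    # $1 = key, $2 = sysctl.conf text. Prints the value set for the key
    # (last occurrence wins, as when the file is loaded in order), or nothing if unset.
    printf '%s\n' "$2" | awk -F= -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }'
}

audit_sysctl() {
    # $1 = sysctl.conf text, $2 = profile text. One line per deviation;
    # no output means the file matches the profile.
    local key want have
    printf '%s\n' "$2" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_value "$key" "$1")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want; kernel default applies)"
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key=$have (want $want)"
        fi
    done
}

render_profile() {
    # $1 = profile text. Emit it in sysctl.conf variable=value form.
    printf '%s\n' "$1" | awk 'NF == 2 { print $1 "=" $2 }'
}

# Usage
echo "--- findings for the sample file ---"
audit_sysctl "$SAMPLE_SYSCTL_CONF" "$HOST_PROFILE"
echo "--- corrected settings in sysctl.conf format ---"
render_profile "$HOST_PROFILE"
```

A MISSING finding matters as much as a WRONG one: a key that is absent from sysctl.conf silently keeps whatever the kernel or distribution default is, which for accept_source_route and accept_redirects is not necessarily the "ignores" setting the table asks for on a host.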
Linux NAT (IP Masquerading)
• Linux provides a limited form of NAT (Network Address Translation) that is more properly called PAT (Port Address Translation) or "IP masquerading".
• The predominant Linux software (at the time the book was written) for setting up NAT is called ipchains. However,
• a new, improved package called iptables uses the "netfilter" feature of the Linux 2.4 kernel and ships with the current release of Red Hat.
• For IP masquerading to work:
  • enable IP forwarding;
  • build the kernel with CONFIG_IP_MASQUERADING defined;
  • it is helpful to set the kernel variable ip_masq_debug.

IP masquerading examples
To disguise the private address space used on the internal network 192.168.1.0/24, you could use the following command:
ipchains -A forward -i ppp0 -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQ

To map packets from the 192.168.1.0/24 network to a range of 10 addresses in the routable network 128.138.198.0:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 128.138.198.1-128.138.198.10