Administração de Sistemas
(ASIST)
TP 3 (English version)
LINUX – Network administration
1
Network interfaces
A network interface is a set of hardware components that provides a physical connection to a given network infrastructure. In relation to the OSI layer model, a network interface implements levels 1 and 2, thus providing both the physical and the logical link.
When the Linux kernel detects a network interface, an appropriate label is attached to that interface for future reference. Because several interfaces of the same kind may exist, a number starting at zero is appended to the label.
For instance, Ethernet interfaces will have labels like eth0, eth1, eth2, …, in the order in which they are detected by the kernel.
For the kernel to be able to detect a network interface (or any other hardware), support for it (a driver) must be compiled in, possibly as a kernel module.
2
Network interface administration - ifconfig
The ifconfig command is the standard Unix command to directly manage
network interfaces.
-bash-3.00$ /sbin/ifconfig --help
Usage:
ifconfig [-a] [-v] [-s] <interface> [[<AF>] <address>]
[add <endereço>[/<tam_prefixo>]] [del <endereço>[/<tam_prefixo>]]
[[-]broadcast [<endereço>]] [[-]pointopoint [<endereço>]]
[netmask <endereço>] [dstaddr <endereço>] [tunnel <endereço>]
[outfill <NN>] [keepalive <NN>] [hw <HW> <endereço>] [metric <NN>]
[mtu <NN>] [[-]trailers] [[-]arp] [[-]allmulti] [multicast]
[[-]promisc] [mem_start <NN>] [io_addr <NN>] [irq <NN>] [media <tipo>]
[txqueuelen <NN>] [[-]dynamic] [up|down] ...
The argument <AF> (Address Family) identifies the network protocol stack to use; the current default value is inet, which means IPv4. Other supported values include inet6 and ipx. The form of many other arguments depends on the AF argument.
3
Routing tables management- route
The route command can be used to display and manage the kernel routing table. The routing table is critical: based on it, the kernel decides what to do with each network packet it has to handle.
/sbin/route [ add | del ] [ -net | -host ]
[ NETWORK/DESTINATION-IP ] [ netmask NETWORK-MASK ]
[ gw GATEWAY ] [ [dev] INTERFACE ]
Without arguments the route command displays the current routing table:
[root@server ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.16.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.16.16.4     0.0.0.0         255.255.255.255 UH    0      0        0 ppp2
193.136.62.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.62.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1.7
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1.6
172.22.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1.5
172.24.0.0      192.168.62.7    255.252.0.0     UG    0      0        0 eth0.3
172.28.0.0      192.168.62.8    255.252.0.0     UG    0      0        0 eth0.3
0.0.0.0         193.136.62.1    0.0.0.0         UG    0      0        0 eth0
4
IPv4 configuration of a network interface
To configure an IPv4 network interface only two pieces of data are required: the IPv4 address to use and the network mask. The other IPv4 parameters can be derived from these two:
Broadcast address      <- IPv4 address + network mask
Local network address  <- IPv4 address + network mask  -> routing table
Even though this data is insufficient for the normal networking functions of the operating system, from the interface configuration point of view it is all that is required.
-bash-3.00$ /sbin/ifconfig eth0 192.168.111.150 netmask 255.255.255.0
-bash-3.00$ /sbin/route add -net 192.168.111.0 netmask 255.255.255.0 eth0
-bash-3.00$ /sbin/ifconfig eth0
eth0      Link encap:Ethernet Endereço de HW 00:0C:29:FE:E7:F8
          inet end.: 192.168.111.150 Bcast:192.168.111.255 Masc:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
          RX packets:243766872 errors:0 dropped:0 overruns:0 frame:0
          TX packets:249142107 errors:0 dropped:0 overruns:0 carrier:0
          colisões:0 txqueuelen:1000
          RX bytes:3379540387 (3.1 GiB) TX bytes:1843450578 (1.7 GiB)
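The derivation on this slide (broadcast and local network address from the IPv4 address and the mask, and the route that follows from it) can be checked offline without root or a live interface. The following Python is an added example written for these notes, not code from the original slides; it reuses the slide's address 192.168.111.150 / 255.255.255.0 and adds a check that the mask is contiguous, which ifconfig does not verify for you.

```python
import ipaddress


def is_contiguous_mask(netmask: str) -> bool:
    """A valid IPv4 mask is a run of 1 bits followed by a run of 0 bits.
    Then host_bits + 1 is a power of two, so (host_bits + 1) & host_bits == 0."""
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = ~mask & 0xFFFFFFFF
    return (host_bits + 1) & host_bits == 0


def derive_ipv4_params(address: str, netmask: str) -> dict:
    """Derive what the slide says follows from address + mask:
    prefix length, local network address and broadcast address."""
    if not is_contiguous_mask(netmask):
        raise ValueError(f"non-contiguous netmask {netmask}")
    ip = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = ~mask & 0xFFFFFFFF        # bit pattern of the host part
    network = ip & mask                   # host bits cleared
    broadcast = network | host_bits       # host bits all set
    prefix_len = 32 - host_bits.bit_length()
    # The configured address must be a host address, not the network
    # or broadcast address itself (/31 and /32 have no such reserved values).
    if prefix_len < 31 and ip in (network, broadcast):
        raise ValueError(f"{address} is not a usable host address in {netmask}")
    return {
        "prefix_len": prefix_len,
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
    }


def interface_commands(iface: str, address: str, netmask: str) -> list:
    """The ifconfig/route pair from the slide: the first line is what the
    administrator types, the second is built from the derived network address."""
    params = derive_ipv4_params(address, netmask)
    return [
        f"ifconfig {iface} {address} netmask {netmask}",
        f"route add -net {params['network']} netmask {netmask} {iface}",
    ]


if __name__ == "__main__":
    # Values from the slide's own example.
    print(derive_ipv4_params("192.168.111.150", "255.255.255.0"))
    for cmd in interface_commands("eth0", "192.168.111.150", "255.255.255.0"):
        print(cmd)
```

Running it prints the same Bcast and Mask values that the ifconfig output above reports, and the route line matches the one typed on this slide.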
5
ip command
The newer ip command gathers the functions that were scattered across several network administration commands, such as ifconfig and route, and adds some other capabilities.
/sbin/ip [ ... ] [ link | addr | route | rule | neigh | tunnel |
maddr | mroute | monitor | xfrm ] ...
With the ip command, the previous demonstration would be:
-bash-3.00$ /sbin/ip addr add 192.168.111.150/24 broadcast + dev eth0
-bash-3.00$ /sbin/ip route add 192.168.111.0/24 dev eth0
-bash-3.00$ /sbin/ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:0C:29:FE:E7:F8 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.150/24 brd 192.168.111.255 scope global eth0
# /sbin/ip route show
172.16.16.11 dev ppp9 proto kernel scope link src 172.16.16.1
172.16.16.10 dev ppp8 proto kernel scope link src 172.16.16.1
193.136.62.0/24 dev eth0 proto kernel scope link src 193.136.62.11
192.168.62.0/24 dev eth0.3 proto kernel scope link src 192.168.62.11
172.18.0.0/16 dev eth1.7 proto kernel scope link src 172.18.0.1
default via 193.136.62.1 dev eth0
6
Default route
Only the destination networks referenced in the routing table are reachable by the system.
Of course, holding a line for each network on the Internet is impossible. However, apart from the local networks, all the others would have a route pointing in the same direction: the Internet.
If so, all these routes can be gathered in a single line of the routing table: the default route.
The router that provides access to the other networks is called the default router or default gateway.
[Figure: Network A and Network B attached to ROUTER 1; Network C and Network D attached to ROUTER 2; INTERNET (all other networks)]
“Router 1” will be the default gateway for networks A and B.
“Router 2” will be the default gateway for networks D and C.
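The routing decision described on slides 3 and 6 (pick the most specific matching line, fall back to the default route, and declare the destination unreachable when not even that exists) is shown here as an added Python example written for these notes; it is not code from the original slides. The table entries are transcribed from the route output on slide 3; the flag letters U, H and G are reconstructed from the gateway and mask columns exactly as route prints them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    """One line of the kernel routing table as `route` prints it."""
    destination: str
    gateway: str          # 0.0.0.0 means directly connected (no G flag)
    genmask: str
    iface: str
    metric: int = 0

    @property
    def prefix_len(self) -> int:
        return bin(int(ipaddress.IPv4Address(self.genmask))).count("1")

    @property
    def flags(self) -> str:
        flags = "U"                                   # route is up
        if self.genmask == "255.255.255.255":
            flags += "H"                              # host route
        if self.gateway != "0.0.0.0":
            flags += "G"                              # reached via a gateway
        return flags

    def matches(self, dst: str) -> bool:
        mask = int(ipaddress.IPv4Address(self.genmask))
        dst_net = int(ipaddress.IPv4Address(dst)) & mask
        return dst_net == int(ipaddress.IPv4Address(self.destination)) & mask


# Transcribed from the `route` output on slide 3 (Metric/Ref/Use were all 0).
ROUTING_TABLE = [
    Route("172.16.16.2",  "0.0.0.0",      "255.255.255.255", "ppp0"),
    Route("172.16.16.4",  "0.0.0.0",      "255.255.255.255", "ppp2"),
    Route("193.136.62.0", "0.0.0.0",      "255.255.255.0",   "eth0"),
    Route("192.168.62.0", "0.0.0.0",      "255.255.255.0",   "eth0.3"),
    Route("172.18.0.0",   "0.0.0.0",      "255.255.0.0",     "eth1.7"),
    Route("172.17.0.0",   "0.0.0.0",      "255.255.0.0",     "eth1.6"),
    Route("172.22.0.0",   "0.0.0.0",      "255.255.0.0",     "eth1"),
    Route("172.23.0.0",   "0.0.0.0",      "255.255.0.0",     "eth1.5"),
    Route("172.24.0.0",   "192.168.62.7", "255.252.0.0",     "eth0.3"),
    Route("172.28.0.0",   "192.168.62.8", "255.252.0.0",     "eth0.3"),
    Route("0.0.0.0",      "193.136.62.1", "0.0.0.0",         "eth0"),   # default route
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; the lowest metric breaks ties.
    Returns None when no line (not even a default route) covers dst."""
    candidates = [r for r in table if r.matches(dst)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix_len, -r.metric))


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(address the frame is sent to, outgoing interface), or None if unreachable.
    For a directly connected route the next hop is the destination itself."""
    route = lookup(table, dst)
    if route is None:
        return None
    via = dst if route.gateway == "0.0.0.0" else route.gateway
    return via, route.iface


if __name__ == "__main__":
    for dst in ("193.136.62.50", "172.24.5.1", "8.8.8.8"):
        print(dst, "->", next_hop(ROUTING_TABLE, dst))
    # Without the last line there is no default route: 8.8.8.8 becomes unreachable.
    print("no default:", next_hop(ROUTING_TABLE[:-1], "8.8.8.8"))
```

Dropping the last entry reproduces the situation the slide describes: every destination outside the listed networks stops being reachable, which is also why a missing or wrong default gateway shows up as "everything local works, nothing else does".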
7
Multiple address on a single interface
Up to kernel version 2.4 the support for multiple addresses on a single network interface was known as IP alias; to achieve it, a number was appended to the interface name in the form “:n”. For instance eth0:0 and eth0:1 are “IP aliases” of interface eth0; each alias has its own address, independent from the eth0 interface address.
Newer kernels support this feature natively: the “ip addr add …” command allows several addresses to be attached to the same interface. To keep backward compatibility with the “ifconfig” command, a compatible label can be added with the “ip” command.
[root@server]# /sbin/ip address add 192.168.199.35/24 brd + dev eth0
[root@server]# /sbin/ip address add 192.168.199.37/24 brd + dev eth0 label eth0:0
[root@server]# /sbin/ip address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:80:c8:f8:4a:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.199.35/24 brd 192.168.199.255 scope global eth0
inet 192.168.199.37/24 brd 192.168.199.255 scope global secondary eth0:0
[root@server]# /sbin/ifconfig
eth0      Link encap:Ethernet HWaddr 00:80:C8:F8:4A:51
          inet addr:192.168.199.35 Bcast:192.168.199.255 Mask:255.255.255.0
eth0:0    Link encap:Ethernet HWaddr 00:80:C8:F8:4A:51
          inet addr:192.168.199.37 Bcast:192.168.199.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
8
VLAN support
Multiple IP aliases are defined at the network level (for instance IPv4); virtual LANs, on the other hand, are set up at a lower level. VLANs are created at the logical link level (for instance Ethernet): each VLAN shares the same physical medium but is independent from the other VLANs, so packets don’t get mixed.
VLAN packets don’t get mixed because they are labelled with a tag; IEEE 802.1Q defines the way the label is stored in level 2 frames. The VLAN identifier (label/tag) is a 12-bit number (0 to 4095).
The “vconfig” command can be used to create a VLAN on an existing interface:
[root@server]# /sbin/vconfig add eth0 9        (9 is the VLAN ID)
After running the command above a new interface will be available: eth0.9. All frames sent by the eth0.9 interface carry the IEEE 802.1Q tag with the label “9”. Equally, this interface only receives frames whose IEEE 802.1Q label has the value “9”.
To remove a VLAN the same command can be used:
# /sbin/vconfig rem eth0.9
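What the tag actually looks like on the wire, and how the kernel uses it to steer a frame to eth0.9 rather than to eth0, is shown by the following added Python example (written for these notes, not code from the original slides). It builds and decodes 802.1Q headers: TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID, which is where the 0 to 4095 range comes from. The MAC addresses are taken from the slides' ifconfig output; the payloads and the demux routine are constructed for the example, and the rule that a tagged frame for a VLAN with no configured sub-interface is dropped mirrors what the slide says about eth0.9 receiving only label 9.

```python
import struct
from typing import Dict, List, Optional

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan_id: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETH_P_IP) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID is a 12-bit field")
    tci = ((pcp & 0x7) << 13) | vlan_id          # TCI = PCP(3) | DEI(1, here 0) | VID(12)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "pcp": None}
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan_id"] = tci & 0x0FFF
        info["pcp"] = tci >> 13
        payload = frame[18:]
    else:
        payload = frame[14:]
    info["ethertype"] = ethertype
    info["payload"] = payload
    return info


def demux(frames: List[bytes], base: str, configured_vlans: set) -> Dict[str, list]:
    """Hand each frame to the interface that would receive it: untagged frames
    to `base`, tagged frames to `base.<vid>` when that VLAN interface exists,
    otherwise the frame is dropped (its VID is recorded under 'dropped')."""
    delivered: Dict[str, list] = {"dropped": []}
    for frame in frames:
        info = parse_frame(frame)
        if info["vlan_id"] is None:
            delivered.setdefault(base, []).append(info["payload"])
        elif info["vlan_id"] in configured_vlans:
            delivered.setdefault(f"{base}.{info['vlan_id']}", []).append(info["payload"])
        else:
            delivered["dropped"].append(info["vlan_id"])
    return delivered


# Constructed sample: MACs from the slides' ifconfig output, payloads made up.
SERVER_MAC = bytes.fromhex("000c29fee7f8")
PEER_MAC = bytes.fromhex("0080c8f84a51")
SAMPLE_FRAMES = [
    build_frame(SERVER_MAC, PEER_MAC, b"untagged"),
    build_frame(SERVER_MAC, PEER_MAC, b"for vlan 9", vlan_id=9, pcp=3),
    build_frame(SERVER_MAC, PEER_MAC, b"for vlan 10", vlan_id=10),
]

if __name__ == "__main__":
    # Only VLAN 9 exists, as after `vconfig add eth0 9`.
    print(demux(SAMPLE_FRAMES, "eth0", {9}))
```

The 4 extra bytes of the tag are also why a VLAN sub-interface can push the frame past the physical interface's MTU unless the driver accounts for it.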
9
Network automatic configuration
Although not a wise option for servers, automatic network configuration is very useful for workstations and other network nodes.
IPv4 automatic configuration depends on DHCP servers on the directly attached network; in Linux the dhclient service gets the data from the server and uses it to configure the interfaces. Because DHCP servers lease addresses to clients, the dhclient service must keep track of the lease and will refresh it before it expires.
The ifplugd service detects when a network cable is plugged in or unplugged and activates or deactivates the network interface accordingly.
When a cable is plugged in, ifplugd activates the interface and, as a result, dhclient will configure it.
10
DHCP server
The DHCP server (dhcpd in Linux) receives requests from clients, sent as UDP packets to the broadcast address “255.255.255.255”.
DHCP servers use the client's physical address (MAC address) to identify it in order to lease an IP address to it.
Although clients with static addresses can also be configured on the DHCP server, this kind of server is most useful for managing an IP address range automatically: for each new client that shows up, a new IP address is reserved for that client and leased to it.
DHCP servers provide clients with network data beyond the IP address. Data like the network mask, default gateway, domain name and domain name servers is also included in the DHCP server's reply. In Linux the dhcpd configuration is stored in a configuration file, normally /etc/dhcpd.conf.
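To make concrete what "the client MAC address identifies the lease" and "the reply carries mask, gateway, domain and name servers" mean at the packet level, here is an added Python example (written for these notes, not code from the original slides) that builds a DHCPOFFER in the BOOTP/DHCP wire format and parses it back. The field layout follows RFC 2131/2132 (fixed 236-byte BOOTP header, magic cookie, then type/length/value options ending in 255). The client MAC is the one from the slide 7 ifconfig output; the offered address, transaction id and lease values are constructed, and the name servers and domain reuse the ones shown in the slide 12 resolv.conf.

```python
import socket
import struct
from typing import Dict, List

DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _tlv(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def _ip_list(data: bytes) -> List[str]:
    """Options 3 and 6 carry one or more IPv4 addresses back to back."""
    if len(data) % 4:
        raise ValueError("IPv4 list option has a bad length")
    return [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data), 4)]


def build_offer(client_mac: bytes, yiaddr: str, mask: str, router: str,
                dns: List[str], domain: str, lease: int, server: str) -> bytes:
    """A DHCPOFFER as a server would send it: BOOTP header + cookie + options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0,                   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
                         0x3903F326, 0, 0x8000,        # xid (constructed), secs, flags=broadcast
                         b"\0" * 4,                    # ciaddr
                         socket.inet_aton(yiaddr),     # yiaddr: the address being offered
                         socket.inet_aton(server),     # siaddr
                         b"\0" * 4,                    # giaddr
                         client_mac.ljust(16, b"\0"),  # chaddr: the MAC the lease is keyed on
                         b"\0" * 64, b"\0" * 128)      # sname, file
    options = (_tlv(53, b"\x02")                                      # message type = OFFER
               + _tlv(1, socket.inet_aton(mask))                      # subnet mask
               + _tlv(3, socket.inet_aton(router))                    # default gateway
               + _tlv(6, b"".join(socket.inet_aton(d) for d in dns))  # DNS servers
               + _tlv(15, domain.encode("ascii"))                     # domain name
               + _tlv(51, struct.pack("!I", lease))                   # lease time (seconds)
               + _tlv(54, socket.inet_aton(server))                   # server identifier
               + b"\xff")                                             # end
    return header + DHCP_MAGIC + options


def parse_dhcp(packet: bytes) -> Dict[str, object]:
    """Decode the header fields a client acts on and the common options,
    rejecting anything truncated or not carrying the DHCP magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = packet[0], packet[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    result = {"op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
              "client_mac": packet[28:28 + hlen].hex(":"),
              "yiaddr": socket.inet_ntoa(packet[16:20]),
              "options": {}}
    opts = result["options"]
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                       # END
            break
        if code == 0:                         # PAD
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        i += 2 + length
        if code == 53:
            opts["message_type"] = MESSAGE_TYPES.get(data[0], data[0])
        elif code == 1:
            opts["subnet_mask"] = socket.inet_ntoa(data)
        elif code == 3:
            opts["routers"] = _ip_list(data)
        elif code == 6:
            opts["dns_servers"] = _ip_list(data)
        elif code == 15:
            opts["domain_name"] = data.decode("ascii")
        elif code == 51:
            opts["lease_time"] = struct.unpack("!I", data)[0]
        elif code == 54:
            opts["server_id"] = socket.inet_ntoa(data)
        else:
            opts[f"option_{code}"] = data
    else:
        raise ValueError("options not terminated by END")
    return result


def is_valid_dhcp(packet: bytes) -> bool:
    try:
        parse_dhcp(packet)
        return True
    except (ValueError, OSError):
        return False


# Constructed sample offer; MAC from slide 7, DNS/domain from slide 12.
SAMPLE_OFFER = build_offer(bytes.fromhex("0080c8f84a51"), "192.168.199.50", "255.255.255.0",
                           "192.168.199.1", ["192.168.60.7", "192.168.60.11"],
                           "dei.isep.ipp.pt", 86400, "192.168.199.2")

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_OFFER))
```

Everything a client configures from the offer (address, mask, gateway, resolver settings) arrives unauthenticated in a broadcast reply, which is the reason the previous slide calls automatic configuration unwise for servers: a rogue or misconfigured DHCP server on the segment can hand out any of these values.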
11
Internet Daemon – INETD/XINETD
Most services available on a Linux system are provided by independent processes; for each service a running process is required. This assures a high level of availability for the service.
Beyond the heavily used, high-performance services, a large set of rarely used services also exists and is required on a Linux server.
The goal of the Internet Daemon is to replace the large number of running processes that would implement those low-demand services. The Internet Daemon receives the clients' initial requests on the standard service ports; when the initial contact occurs, the Internet Daemon calls the appropriate external program to handle the client request.
The Internet Daemon configuration is in the /etc/inetd.conf or /etc/xinetd.conf file, depending on the version used. Either way, for each service a protocol must be specified (TCP or UDP), a port number (or service identifier in /etc/services) and the external program that implements the application protocol.
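The three items the slide lists (protocol, port or service name, external program) are exactly the columns of a classic inetd.conf line, with the port resolved through /etc/services. The following Python is an added example for these notes, not code from the original slides: it parses both formats from constructed excerpts and produces the list of ports the daemon would be listening on, which is what an administrator auditing exposed services wants to know. The service entries and server paths are typical of the classic inetd layout but are constructed here, not taken from any particular distribution.

```python
from typing import Dict, List

# Constructed excerpt in /etc/services format: name  port/protocol  [aliases]
SERVICES = """\
ftp      21/tcp
telnet   23/tcp
daytime  13/tcp
tftp     69/udp
finger   79/tcp
"""

# Constructed excerpt in inetd.conf format:
# <service> <socket type> <protocol> <wait|nowait> <user> <server program> [arguments]
INETD_CONF = """\
# internal services are implemented by inetd itself, no external program
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd -l
tftp    dgram   udp  wait    root  /usr/sbin/in.tftpd    in.tftpd /tftpboot
daytime stream  tcp  nowait  root  internal
"""


def parse_services(text: str) -> Dict[tuple, int]:
    """Map (name, protocol) -> port, the lookup getservbyname() performs."""
    table: Dict[tuple, int] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:        # aliases map to the same port
            table[(name, proto)] = int(port)
    return table


def parse_inetd_conf(text: str, services: Dict[tuple, int]) -> List[dict]:
    """One dict per service line; the port comes from /etc/services unless
    the service field is already numeric."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 6)                 # 7th field keeps the argument string whole
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        name, sock_type, proto, wait, user, server = fields[:6]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: protocol must be tcp or udp, got {proto}")
        port = int(name) if name.isdigit() else services.get((name, proto))
        if port is None:
            raise ValueError(f"line {lineno}: unknown service {name}/{proto}")
        entries.append({"service": name, "port": port, "proto": proto, "socket_type": sock_type,
                        "wait": wait == "wait", "user": user, "server": server,
                        "args": fields[6] if len(fields) > 6 else "",
                        "internal": server == "internal"})
    return entries


def listening_ports(entries: List[dict]) -> List[str]:
    """Sorted 'port/proto' list: the sockets inetd binds for this configuration."""
    return sorted({f"{e['port']}/{e['proto']}" for e in entries},
                  key=lambda s: (int(s.split("/")[0]), s))


if __name__ == "__main__":
    parsed = parse_inetd_conf(INETD_CONF, parse_services(SERVICES))
    for e in parsed:
        print(e["service"], e["port"], e["proto"], e["server"], e["args"])
    print("listening:", listening_ports(parsed))
```

Each line is a network service that runs as the named user the moment a connection arrives, so the output of listening_ports is also the list a hardening review should compare against what the server actually needs to offer.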
12
DNS host name resolution – client service
Depending on the “hosts” line in “nsswitch.conf”, host name resolution may start by searching /etc/hosts, but in most cases, in the end, the DNS system will be used.
DNS host name resolution works by sending a qualified host name to a name server and receiving the equivalent IP address. To configure the DNS client only the DNS name server IP address is required, although it is wiser to configure more than one name server: in case the first fails, the second can be used.
Users often provide unqualified names (without a domain name); to handle this a domain name must be appended before sending the request to the name server. For this purpose the local domain name can be defined, as well as a list of other domains to search in. In Linux the DNS client configuration file is /etc/resolv.conf.
[root@server ~]# cat /etc/resolv.conf
domain dei.isep.ipp.pt
search isep.ipp.pt
nameserver 192.168.60.7
nameserver 192.168.60.11
nameserver 193.136.62.3
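The following Python is an added example for these notes, not code from the original slides: it parses the resolv.conf shown above and reproduces the order in which the glibc resolver tries qualified names for what the user typed. One caveat worth knowing when reading the slide's file: in glibc the domain and search keywords are mutually exclusive, and when both appear the last one wins (resolv.conf(5)), so with this file the effective search list is only isep.ipp.pt; the parser below models that rule. The ndots logic (names with fewer than ndots dots try the search list first, others try the literal name first; a trailing dot disables the search entirely) is also glibc's documented behaviour.

```python
from typing import Dict, List

# Copied from the slide above; treated as constructed sample input here.
RESOLV_CONF = """\
domain dei.isep.ipp.pt
search isep.ipp.pt
nameserver 192.168.60.7
nameserver 192.168.60.11
nameserver 193.136.62.3
"""


def parse_resolv_conf(text: str) -> Dict[str, object]:
    """Collect nameservers, the effective search list and ndots."""
    conf: Dict[str, object] = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # both comment styles
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("domain", "search"):
            # glibc: domain and search are mutually exclusive; the last one wins.
            conf["search"] = args[:1] if key == "domain" else args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def candidate_names(name: str, conf: Dict[str, object]) -> List[str]:
    """Qualified names in the order the resolver queries them.

    A trailing dot marks an absolute name: no search list is applied.
    Otherwise names with fewer than ndots dots get the search domains first
    and the literal name last; names with ndots or more dots are tried as typed first."""
    if name.endswith("."):
        return [name]
    with_search = [f"{name}.{domain}" for domain in conf["search"]]
    if name.count(".") >= conf["ndots"]:
        return [name] + with_search
    return with_search + [name]


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    print("servers:", conf["nameservers"], "search:", conf["search"])
    for typed in ("www", "www.example.com", "www.example.com."):
        print(typed, "->", candidate_names(typed, conf))
```

The literal name being tried last for a plain "www" is what makes a resolver leak internal hostnames to the search domains' name servers before failing, and a stray search domain in this file changes which hosts a short name resolves to.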
13
Filtering – iptables command
The iptables command interacts with the kernel traffic management features, among them filtering. There are 4 tables: filter, nat, mangle and raw; the first two are the most used, and for now we are interested in the first only. The default table for iptables is filter. Some of the basic operations are:
iptables -A    add (append) a rule to a chain
iptables -D    delete a rule
iptables -I    insert a rule
iptables -R    replace a rule
iptables -L    list rules in a chain
iptables -P    set the policy for a chain
Each table has its own special-purpose predefined rule chains, but others can be added. For the 2 main tables the predefined chains are:
“filter” : “INPUT”; “FORWARD” and “OUTPUT”.
“nat”    : “PREROUTING”; “OUTPUT” and “POSTROUTING”.
In each chain a sequence of rules can be defined; there is an implicit rule numbering, starting from 1. The rule number is important for some iptables operations, like delete, insert and replace.
14
IPTABLES – default behavior (chain policy)
Each chain of rules has a default behavior (chain policy): this is what happens when none of the rules in the chain matches the packet.
Among the four behaviors available (ACCEPT; DROP; QUEUE and RETURN) the safest approach is to set the chain policy to DROP and then use ACCEPT rules to let through only what is meant to pass.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
15
IPTABLES - rules
There is a wide range of tests available; some of the most used are:
-p [!] protocol
-s [!] address[/mask]
-d [!] address[/mask]
-i [!] interface
-o [!] interface
--dport [!] port1[:port2]
--sport [!] port1[:port2]
When creating a rule, the action to take when a match happens must also be defined:
-j BEHAVIOR
-g CHAIN
Sample:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -s 195.20.10.23/32 -o eth2 -p tcp -j ACCEPT
iptables -A FORWARD -i eth0 -d 193.136.0.0/16 -p tcp --dport 8080:8081 -j ACCEPT
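Slides 13 to 15 describe one mechanism: rules are numbered from 1, the first matching rule decides, and the chain policy applies when nothing matches. The following Python is an added example for these notes, not code from the original slides and not iptables itself: a small model of a filter chain that supports the -p, -s, -d, -i, -o, --sport and --dport tests and the -A/-I/-D/-R/-P operations, then loads the three commands of the sample above and evaluates constructed packets against them. Packet addresses other than those on the slide are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    in_iface: str = ""
    out_iface: str = ""
    sport: int = 0
    dport: int = 0


def parse_ports(spec: str) -> Tuple[int, int]:
    """'8080:8081' -> (8080, 8081); '22' -> (22, 22), as --dport/--sport accept."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


@dataclass
class Rule:
    target: str                              # -j ACCEPT / DROP / ...
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # -s address[/mask]
    dst: Optional[str] = None                # -d address[/mask]
    in_iface: Optional[str] = None           # -i
    out_iface: Optional[str] = None          # -o
    sport: Optional[Tuple[int, int]] = None  # --sport port1[:port2]
    dport: Optional[Tuple[int, int]] = None  # --dport port1[:port2]

    def matches(self, pkt: Packet) -> bool:
        """Every test present in the rule must hold; absent tests match anything."""
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        if self.sport and not self.sport[0] <= pkt.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        return True


class Chain:
    """A rule chain with the 1-based numbering iptables uses for -I, -D and -R."""

    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def set_policy(self, policy: str) -> None:           # iptables -P CHAIN policy
        self.policy = policy

    def append(self, rule: Rule) -> None:                # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, num: int = 1) -> None:  # iptables -I CHAIN [num] ...
        self.rules.insert(num - 1, rule)

    def delete(self, num: int) -> None:                  # iptables -D CHAIN num
        del self.rules[num - 1]

    def replace(self, num: int, rule: Rule) -> None:     # iptables -R CHAIN num ...
        self.rules[num - 1] = rule

    def verdict(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching rule wins; with no match the chain policy applies."""
        for num, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                return rule.target, num
        return self.policy, None


def forward_chain_from_slide() -> Chain:
    """The three commands of the sample above, applied to a fresh FORWARD chain."""
    forward = Chain("FORWARD")
    forward.set_policy("DROP")
    forward.append(Rule("ACCEPT", proto="tcp", in_iface="eth0", src="195.20.10.23/32", out_iface="eth2"))
    forward.append(Rule("ACCEPT", proto="tcp", in_iface="eth0", dst="193.136.0.0/16",
                        dport=parse_ports("8080:8081")))
    return forward


if __name__ == "__main__":
    fw = forward_chain_from_slide()
    for pkt in (Packet("tcp", "195.20.10.23", "10.0.0.1", "eth0", "eth2", 40000, 443),
                Packet("udp", "195.20.10.23", "10.0.0.1", "eth0", "eth2", 40000, 53),
                Packet("tcp", "10.9.8.7", "193.136.62.5", "eth0", "eth1", 40000, 8081),
                Packet("tcp", "10.9.8.7", "193.136.62.5", "eth0", "eth1", 40000, 8082)):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, fw.verdict(pkt))
```

Because the verdict reports the rule number that fired, the model also shows why rule order matters: inserting a DROP at position 1 for the same source shadows the ACCEPT that used to be rule 1, and deleting it by number restores the original behaviour.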
16