Transcript ch12x

Network Configuration
• In order to access a network (whether a local
area network or an Internet Service Provider),
you need
– To have a network interface device
• for instance, an Ethernet card that physically connects to
a network cable, or a wireless card; such a device is called
eth# such as eth0
• there is also the loopback device which allows software
running on your computer to communicate with your
computer as if the communication came over the
network; this device is called lo or localhost and is
always denoted with the IP address of 127.0.0.1
– you cannot communicate over the network if lo is down, but if lo
is up it does not mean you can communicate over the network!
Network Configuration
• You need to have your network service
running
– The network service establishes your IP
address(es)
– Other services are useful but not critical such as
your firewall (iptables) and nfs (to mount remote
file systems)
• You need to have access to a network
broadcast device
– This will typically be a router, gateway, switch or
hub but may also be a MODEM
Computer Networks: Broadcast Devices
• Computers in a network operate by sending their
messages to a nearby broadcast device
• The network is divided into subnets where each
subnet is “glued together” by a broadcast device
– The hub is a device which broadcasts any received
message to all connected devices
– The switch receives a message with an address and uses
that address to send the message to one machine – the
address is a MAC address
– The router receives a message with an address and uses
that address to send the message to one machine – the
address is a network address (IPv4, IPv6)
– The gateway is a router used to connect different types of
networks together
Computer Networks
• Here we see a local area network in which two subnets
use switches and are connected together by a router
• The router knows how to route a message from network
to network while the switch only knows how to route a
message within the subnet or to the router
TCP/IP
• All Internet communication requires an
implementation of TCP/IP
– This is a four-level protocol suite
– Each level can be implemented by one of many
protocols
TCP/IP: Layers
• Application layer
– Application software takes your message and
produces an initial, application-neutral message
• DNS, FTP, HTTP, IMAP, LDAP, MIME, NFS, POP,
SSH, SMTP, SNMP, Telnet
• Transport layer
– Uniform interface between two resources
– Supports host-to-host communication
– Segments message into packets
– Adds detail such as packet number (6 of 9),
checksum for error correction (if needed)
• TCP, UDP, also SCTP, DCCP, UDP Lite
TCP/IP: Layers
• Internet Layer
– Add appropriate address(es) to message header
• IPv4 or IPv6 addressing
• IPv4 uses 32 bits as 4 octets, each octet is 8 bits (or an integer
between 0 and 255)
– 32 bits gives us a little over 4 billion addresses, most of which have
been used so we need larger addresses and thus IPv6
• IPv6 uses 128 bits as 32 hexadecimal digits
– Gives us over 10^38 addresses!
– Communicate with routers
• Link layer
– Handles physical communication including such tasks as
modulation, multiplexing
– Operates with MAC addresses instead of IP addresses
TCP/IP: Ports
• A 16-bit number assigned with a message’s
address as the destination for the message
• The port is a specification of the protocol that the
message should use to be received
– The protocol then dictates the application software to
be used to handle the message
• 16 bits gives us ports numbered 0 to 65,535
– Most ports are unassigned but many of the first 1024
ports are assigned to currently used protocols or
protocols being developed
TCP/IP: Common Ports
Port       Packet Type (TCP, UDP)   Usage
20         both                     FTP data
21         TCP                      FTP control
22         both                     ssh (also SCP, SFTP)
23         both                     telnet
25         TCP                      SMTP
43         TCP                      WHOIS
53         both                     DNS
57         TCP                      Mail transfer protocol
67         UDP                      Bootstrap Protocol (used by DHCP)
68         UDP                      Bootstrap Protocol (used by DHCP)
70         TCP                      Gopher
80         TCP                      HTTP
109, 110   TCP                      POP2, POP3
118        both                     SQL
123        UDP                      Network time protocol
TCP/IP: Common Ports
Port               Packet Type (TCP, UDP)   Usage
161                UDP                      SNMP
194                both                     IRC (Internet relay chat)
443                TCP                      HTTPS
514                UDP                      Syslog (Linux system logging)
530                both                     RPC
636                both                     LDAP
989                both                     FTPS data (FTP over TLS/SSL)
990                both                     FTPS control (FTP over TLS/SSL)
992                both                     Telnet over TLS/SSL
2049               both                     NFS
3128               TCP                      Squid proxy
6660-6669          TCP                      IRC
6888-6900          both                     BitTorrent
8008, 8080, 8090   TCP                      Alternate for HTTP
TCP/IP: IPv4 vs IPv6
• IPv4: 32 bit addresses
– 00001010.00001011.10110110.00111010
– Protocol dates back to the 80s at a time when there
were thousands of hosts (instead of billions)
• IPv6: 128 bit stored as 32 hexadecimal digits
grouped into 8 sections, separated by colons
– 1234:5678:90ab:cdef:0012:0034:0000:5678
– a 0000 entry can be deleted so that the address
1234:5678:9000:0000:0000:0000:00bc:def0 can
appear as 1234:5678:9000::00bc:def0
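The "::" rule just described, as an added example that is not part of the slides: a bash function (assumed name ipv6_compress) that takes a fully written address of eight groups, finds the longest run of all-zero groups, and collapses only that run. Leading zeros inside the remaining groups are kept, as on the slide (RFC 5952 also allows them to be dropped).

```shell
#!/usr/bin/env bash
# Added example (not from the slides): apply the "::" compression rule to a
# fully written IPv6 address of eight colon-separated groups. Only the longest
# run of all-zero groups is collapsed, and only once; leading zeros inside the
# remaining groups are kept, exactly as in the slide's example.
ipv6_compress() {
    local -a g
    IFS=: read -r -a g <<< "$1"
    if [ "${#g[@]}" -ne 8 ]; then
        echo "ipv6_compress: expected 8 groups in '$1'" >&2
        return 1
    fi

    # Scan for the longest run of groups whose value is zero ("0000", "0", ...).
    # Of two equally long runs the first wins, as RFC 5952 requires.
    local i start=-1 len=0 best_start=-1 best_len=0
    for ((i = 0; i <= 8; i++)); do
        if [ "$i" -lt 8 ] && [ "$((16#${g[i]}))" -eq 0 ]; then
            if [ "$start" -lt 0 ]; then start=$i; fi
            len=$((len + 1))
        else
            if [ "$len" -gt "$best_len" ]; then
                best_start=$start
                best_len=$len
            fi
            start=-1
            len=0
        fi
    done

    # A lone zero group is written out in full; "::" is for runs of two or more.
    if [ "$best_len" -lt 2 ]; then
        local IFS=:
        echo "${g[*]}"
        return 0
    fi

    # Groups before the run end with ':' and groups after it start with ':',
    # so joining the two halves yields exactly one "::".
    local front="" back=""
    for ((i = 0; i < best_start; i++)); do front+="${g[i]}:"; done
    for ((i = best_start + best_len; i < 8; i++)); do back+=":${g[i]}"; done
    if [ -z "$front" ]; then front=":"; fi   # run begins at the first group
    if [ -z "$back" ]; then back=":"; fi     # run ends at the last group
    echo "${front}${back}"
}

ipv6_compress 1234:5678:9000:0000:0000:0000:00bc:def0   # the slide's example
ipv6_compress 1234:5678:90ab:cdef:0012:0034:0000:5678   # single zero group: unchanged
ipv6_compress 0000:0000:0000:0000:0000:0000:0000:0001   # run at the start
```

The edge cases matter in practice: an address whose zero run sits at the start or end still needs both colons of the "::", and an address with two equally long runs must collapse only one of them, or it becomes ambiguous and is rejected by the kernel.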
TCP/IP: IPv4 vs IPv6
• IPv4 is not set up to handle secure transmission
– Today, we add SSL on top of the protocol
• IPv6 is an attempt not only to increase the number
of addresses but also to rectify other problems of
IPv4
– IPsec (IP security) for encryption
– auto configuration for hosts on a network
– optional header components, so the header is smaller when
they are not needed but can also be expanded (to what we call
jumbograms)
TCP/IP: IPv4 vs IPv6
• Many networks are not yet IPv6 compliant
– Most operating systems can handle IPv6 but not all
network administrators have set it up
– Or there are network devices that cannot handle it
(e.g., routers)
• IPv4 and IPv6 are not compatible (different
addresses, different headers)
• So most networks need to implement both
versions (or at least IPv4)
– Another solution is to use a tunnel in IPv4 where
inside the tunnel we have IPv6
The Internet: DNS
• The Internet is made up of domains and
subdomains
– Domains and subdomains are managed by authorities
– We tend to use IP aliases to reference resources on the
Internet because they are easier to remember than IP
addresses
– However, we need to then have a mechanism to map
from an IP alias to the proper IPv4 (or IPv6) address
– We use the domain name system (DNS) for this
– Scattered around the Internet are devices that contain
this mapping information, DNS name servers
The Internet: Name Servers
• Every organization that exists in its own domain
(subdomain) has its own DNS name server
– It is the authority for the devices within its domain
• If you want to map an IP alias to an address, how do
you find that particular name server?
– You don’t, instead you query your own name server and if
it has the information cached locally, it returns it to you
– Otherwise, it kicks the request to another DNS name
server
– This makes for recursive name servers and when a name
server receives information from another, it can cache it
locally making it a caching name server
The Internet: Domains and Subdomains
• The top-level domains of the Internet are well-defined
– .edu, .gov, .net, .com, etc
• Within each of these, subdomains are established by
requesting a domain name and IP addresses
– amazon.com, nku.edu
• Within a subdomain, the organization can define further
subdomains
– informatics.nku.edu
– it.nku.edu
• And then within the organization, you name your resources
and provide them IP addresses
– This information is then stored in your organization’s name
server(s)
The Internet: Name Servers
• There are generally two forms of name servers
– Authorities – those that an organization has that describe
its domain and subdomains
– Caches – those that merely cache responses from other
authorities so that requests can be handled locally
• note that authorities can also be caching name servers
• In Linux
– Your local DNS name servers addresses are stored in the
file /etc/resolv.conf
– If you already know the IP address for an alias and want
to bypass DNS, store this mapping information locally in
/etc/hosts (but if this information changes on you, you
will have to update this yourself)
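A hosts-file lookup done by hand, as an added example that is not part of the slides. It parses the /etc/hosts format (address, then one or more names, with "#" starting a comment) and applies the same rule the resolver does: the first matching line wins. The file contents below are constructed for the example; the function names hosts_lookup and hosts_duplicates are assumptions, and passing no file argument reads the real /etc/hosts.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): resolve a name the way the resolver
# consults /etc/hosts before asking DNS. A constructed sample file stands in
# for the real one so the example runs offline.

SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample hosts file (not a real network)
127.0.0.1   localhost localhost.localdomain
::1         localhost ip6-localhost
10.11.12.13 webserver.somecompany.com webserver www   # web front end
10.11.12.14 fileserver.somecompany.com fileserver
10.11.12.99 webserver                                  # stale duplicate: never consulted
EOF

# hosts_lookup NAME [FILE]: print the address on the first line whose name or
# alias matches NAME (case-insensitively); return 1 if nothing matches, which
# is when the resolver would move on to DNS.
hosts_lookup() {
    local name=$1 file=${2:-/etc/hosts}
    awk -v name="$name" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # skip blank or address-only lines
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# hosts_duplicates [FILE]: names that appear on more than one line. Only the
# first entry is ever used, so later ones are dead configuration that is easy
# to mistake for the live mapping when an address "changes on you".
hosts_duplicates() {
    local file=${1:-/etc/hosts}
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (++seen[tolower($i)] == 2) print tolower($i) }
    ' "$file" | sort
}

hosts_lookup webserver "$SAMPLE_HOSTS"       # first match wins: 10.11.12.13
hosts_lookup WWW "$SAMPLE_HOSTS"             # aliases and case both handled
hosts_lookup localhost "$SAMPLE_HOSTS"       # IPv4 line comes first
hosts_lookup nosuchhost "$SAMPLE_HOSTS" || echo "nosuchhost: not in hosts file, DNS would be asked next"
hosts_duplicates "$SAMPLE_HOSTS"             # shadowed entries worth cleaning up
```

Note that the ::1 line for localhost is never returned here because the IPv4 line precedes it; the real resolver handles address families separately, so the order check above is only about which entry answers a given family.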
Linux: network Service
• network – used to establish IP addresses for your
interfaces
– loopback (lo) is always 127.0.0.1 but eth0 (or other
interface device) will not be established unless
network is running
– network also establishes your /etc/resolv.conf DNS
server addresses
– starting this service runs the script /etc/init.d/functions
followed by /etc/sysconfig/network
• this gives you the environment variables
NETWORKING=yes and HOSTNAME=hostname
• it then runs the script /etc/sysconfig/network-scripts/network-functions
Linux: network Service
• The network-functions script
– Queries devices for their statuses (up or down)
– Sets the interface’s MAC address, or checks whether a
wireless device is available
– Establishes values for variables hostname, IP address,
default routes
– Locates the local network’s gateway
• At this point, all network interface devices will be
known and either be down or up with IP addresses
assigned to them
Linux: network-scripts Directory
• This directory is used to house scripts that can
start and stop interface devices
• It also stores the configuration files for all of your
network devices (and lo)
– A script like ifup-eth or ifdown-eth can start or stop the
given device
– Or, you can start or stop a device using the more
generic ifup and ifdown by supplying the device name
Linux: ifcfg-eth0
• This file contains a list of directives that establish
environment variables for your eth0 device
• This will include (see the next slides for
descriptions of these variables)
– BOOTPROTO
– HWADDR
– ONBOOT
– DEVICE and/or NAME
– BROADCAST or GATEWAY (assigned if static)
– IPADDR (assigned if static)
Linux: ifcfg-eth0
Variable         Range/Type of Value         Meaning
BOOTPROTO        “static”, “dhcp”, “none”    Source of the IP address (static, via DHCP server, or none at all)
BROADCAST        IP address                  Broadcast device’s address (typically you will use this variable or GATEWAY but not both)
DEVICE           alphanumeric                Device’s name (e.g., eth0, ippp, lo)
DHCP_HOSTNAME    IP alias                    Name of DHCP server
DHCP_TIMEOUT     integer                     Number of seconds before timing out when waiting for DHCP server to respond
GATEWAY          IP address                  IP address of subnet router/gateway
HWADDR           hexadecimal address         MAC address of device
IPADDR           IP address                  Set by system administrator for static IP
IPV6INIT         yes, no                     Initialize IPv6 address by default
NAME             alphanumeric                Name of device, e.g., ethernet, loopback
Linux: ifcfg-eth0
Variable         Range/Type of Value         Meaning
NETMASK          Subnet mask                 The mask used to obtain the local network portion of the IP address, e.g., 255.248.0.0
NETWORK          network address             IP address of the local network
NM_CONTROLLED    yes, no                     Whether the device is controlled by a network manager program
ONBOOT           yes, no                     Whether to start this interface upon boot or have it manually started
TYPE             alphanumeric                Type of device, e.g., Ethernet, PPP
USERCTL          yes, no                     Is user allowed to control this device?
UUID             hexadecimal address         Address of physical device
Internet: Netmask
• One variable needed for network communication
is the netmask
– The netmask is used to obtain the network portion of
an IPv4 address
– The netmask is either assigned by the network
administrator or provided by the network’s gateway
– The idea is to AND the netmask with the IP address
which gives you the IP address of the local network
hosting the resource
– If you NOT the netmask and apply this to the IP
address of the resource you are given its local address
within the network
Internet: Netmask
• Let’s look at some examples
– Assume the IP address of 10.11.12.13
– And a netmask of 255.255.240.0
      11111111.11111111.11110000.00000000   (netmask 255.255.240.0)
  AND 00001010.00001011.00001100.00001101   (10.11.12.13)
      -----------------------------------
      00001010.00001011.00000000.00000000 = 10.11.0.0
– This example is not very illustrative of the concept
because 240 AND 12 = 0, let’s try the IP address
128.58.221.39
      11111111.11111111.11110000.00000000   (netmask 255.255.240.0)
  AND 10000000.00111010.11011101.00100111   (128.58.221.39)
      -----------------------------------
      10000000.00111010.11010000.00000000 = 128.58.208.0
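The AND and NOT operations described above, carried out with bash integer arithmetic as an added example that is not part of the slides. It reproduces both worked examples and goes one step further: it also checks that a netmask is well formed (a run of 1 bits followed by a run of 0 bits), since a mistyped mask such as 255.0.255.0 is accepted by many tools and quietly places hosts on the wrong network. All function names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): the netmask arithmetic from the slide,
# done with bash integer operations so the worked examples can be checked.

# Dotted-quad IPv4 address -> 32-bit integer
ip_to_int() {
    local IFS=. a b c d
    read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Render an address as the dotted binary used on the slide
ip_to_binary() {
    local n i bits=""
    n=$(ip_to_int "$1")
    for ((i = 31; i >= 0; i--)); do
        bits+=$(( (n >> i) & 1 ))
        if (( i % 8 == 0 && i > 0 )); then bits+="."; fi
    done
    echo "$bits"
}

# Network portion: IP AND netmask
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Host portion within the network: IP AND NOT netmask
host_address() {
    int_to_ip $(( $(ip_to_int "$1") & ~$(ip_to_int "$2") & 0xFFFFFFFF ))
}

# A netmask must be 1 bits followed by 0 bits. Inverting it gives the host
# bits; that value is valid only if it has the form 2^k - 1.
netmask_is_valid() {
    local inv
    inv=$(( ~$(ip_to_int "$1") & 0xFFFFFFFF ))
    if (( (inv & (inv + 1)) == 0 )); then return 0; else return 1; fi
}

# Number of leading 1 bits, i.e. the /N prefix length of a valid mask
prefix_length() {
    local n i count=0
    n=$(ip_to_int "$1")
    for ((i = 31; i >= 0; i--)); do
        if (( ((n >> i) & 1) == 0 )); then break; fi
        count=$((count + 1))
    done
    echo "$count"
}

show_split() {
    if ! netmask_is_valid "$2"; then
        echo "$2 is not a valid netmask (1 bits and 0 bits are interleaved)"
        return 1
    fi
    printf '%s AND %s\n' "$(ip_to_binary "$1")" "$(ip_to_binary "$2")"
    printf '  network %s (/%s), host %s\n' "$(network_address "$1" "$2")" \
        "$(prefix_length "$2")" "$(host_address "$1" "$2")"
}

show_split 10.11.12.13   255.255.240.0    # the slide's first example
show_split 128.58.221.39 255.255.240.0    # the slide's second example
show_split 10.11.12.13   255.0.255.0 || true   # a mistyped mask is rejected
```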
Linux: Other Network Services
• snmpd – (Simple Network Management Protocol
daemon)
– Listen and respond to SNMP messages
– This is usually used by a network administrator to
control a device remotely
• portreserve and portrelease
– While most ports that we use are already reserved, you
can temporarily assign a port to a particular application
and then release it later
• Avahi
– Discovers available services on your local network
such as printers and file servers
Linux: Other Network Services
• rdisc
– Locates your subnet’s router using ICMP (Internet Control
Message Protocol)
• dnsmasq
– A simplified DNS server that is primarily used to cache
previously fulfilled IP alias to address mappings as
provided by DNS name servers
• postfix
– Controls Linux email and calls upon the sendmail program
• httpd
– The Apache web server
• certmonger
– Maintains your downloaded digital certificates and keeps
them up to date
Linux: xinetd Service
• Sometimes known as a superserver
• It is a service that calls other network services on
demand
– This is preferable to keeping the various on demand
services running all the time
– Use the /etc/xinetd.conf file to configure it
– First define default configurations including number of
available instances and who will handle logging and
what should be logged
– Then for each service, provide a configuration that
includes the service’s executable location, whether the
service can operate in a multithreaded mode and how
logging information should be adjusted
Linux: xinetd Service
• Here we see a default setting followed by the
specific setting for rsync
defaults
{
        instances       = 50
        log_type        = SYSLOG authpriv
        log_on_success  = PID HOST DURATION EXIT
        log_on_failure  = HOST
        cps             = 25 10
        umask           = 002
}
includedir /etc/xinetd.d

service rsync
{
        disable         = yes
        flags           = IPv6
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
(xinetd accepts SYSLOG or FILE as the log_type; the facility, here authpriv,
follows the keyword)
IP Addresses: Static
• The network administrator assigns the resource
with its IP address
• This is typically reserved for servers as we would
not want a server’s IP address to change (or
change often) but we would not have to do this
for non-servers such as workstations
– In the ifcfg file (e.g., ifcfg-eth0)
• IPADDR=static address
• BOOTPROTO=static
• Manually assign NETMASK, HOSTNAME, GATEWAY (or
BROADCAST)
IP Addresses: Dynamic
• An organization will have a limited number of
addresses available
– Rather than assigning one per device, let the
device request an address when the device is in use
(booted)
– This approach uses dynamic IP addressing
– Some device needs to be in charge of handling the
“pool” of addresses and assigning one on demand
to a device
– Usually we will have our network’s router or
gateway handle this task
IP Addresses: DHCP Server
• Dynamic Host Configuration Protocol
– Based on the Bootstrap Protocol from the early 90s
– The DHCP server receives a request from a client on
its subnet and assigns it one of the available IP
addresses
– Sometimes addresses are assigned temporarily, which is
known as a lease
• if the time limit expires, the client must request a new
address but it may request the same one if it is still
available
– DHCP is available for Linux, stored under
/sbin/dhclient
IP Addresses: DHCP Server
• DHCP Directives
Directive                  Meaning
subnet                     DHCP’s network (or subnet) address
netmask                    DHCP’s local network (or subnet) netmask
range                      Range of IP addresses available to assign to clients; a range is
                           written as two IP addresses separated by a space, as in
                           10.11.12.1 10.11.12.20
routers                    IP address (or alias) of router(s) that the DHCP server will respond to
domain-name                organization (or subnet) domain name
domain-name-servers        IP addresses (or aliases) of domain DNS servers
default-lease-time value   value is the amount of time (in seconds) that an IP address can be
                           made available to a client
max-lease-time value       value is the maximum amount of time an IP address is leased
authoritative              If listed, means this DHCP server is the official server for the network
log-facility level         Use the level listed for syslogd logging (e.g., local7)
group                      Specify parameters that apply to a group of subnets
IP Addresses: DHCP Server
Example configuration for a DHCP server operating on two subnets
(dhcpd.conf syntax: string values are quoted, address lists are comma-separated,
and every option line starts with the keyword option)
option domain-name "somecompany.com";
option domain-name-servers 10.11.1.1, 10.11.1.2;
subnet 10.11.0.0 netmask 255.255.128.0 {
        range 10.11.12.0 10.11.12.20;
        option broadcast-address 10.11.12.22;
        option routers 10.11.12.21;
}
subnet 10.11.128.0 netmask 255.255.128.0 {
        range 10.11.128.129 10.11.128.253;
        option broadcast-address 10.11.128.255;
        option routers 10.11.128.254;
}
Linux: Network Programs
• The ip program is an umbrella program handling
tasks of many older Linux network instructions
– It can assign/display/delete IP addresses for interfaces
– It can assign/display a network device
– It can manipulate, replace, display or delete router
tables
– It can add, change, delete or display neighbor ARP and
cache entries
– It can create a tunnel over IP
• The syntax of the instruction differs by the object
type (e.g., address versus route versus tunnel)
– Each object type will have its own type of operation
such as set, show, add, change, del, flush, or replace
Linux: Network Programs
• ifconfig – set or display IP addresses of interfaces
(including lo), replaced by ip
• ping/traceroute – send out packets and respond
about time to receive responses (traceroute also
outputs the routers in the path taken)
• route – display or modify the router table(s),
replaced by ip
• ss – display socket usage information and
statistics
• netstat – provide network connection information,
replaced by ss
The Firewall
• A firewall is a program that examines messages
and decides whether the messages should be
allowed past the firewall
• A firewall can examine incoming messages,
outgoing messages and forwarding messages
– Messages being forwarded are usually only of interest
to broadcast devices like routers, we typically wouldn’t
worry about such messages for our PCs
• A stateful firewall is one that can apply rules not
just to one message but to many related messages
– Such as the messages that make up a session with a
remote host
The Firewall
• Firewalls can run on PCs/laptops and mobile devices
– We can also implement them in routers
– We can also implement them in other software/servers like
Proxy servers
• While a firewall is software, we might have a
dedicated computer serve as a firewall for an
organization
– In this case, the firewall is both software and hardware
– We would implement the firewall on a device that serves
as our Internet connection
• A firewall uses a set of rules which analyze a
message for specific criteria to decide what to do
with the message
The Firewall
• Here we see an example of a firewall which
– is allowing all outgoing messages to move from the
computer to the Internet
– while restricting incoming messages to only those that
pass the firewall’s rules
The Firewall: iptables
• In Linux, the firewall service is called iptables
– There is also ip6tables for IPv6
• Each of these has two files of note
– iptables-config (and ip6tables-config) which is the
configuration file that dictates mostly how the
firewall information can be viewed
– iptables (and ip6tables) which is the rules file
• You can also adjust the firewall through the
Firewall GUI (refer back to chapter 11)
The Firewall: iptables
• The config file uses the following directives
Directive                    Meaning                                                        Default
IPTABLES_MODULES             List of modules to load                                        “” (none)
IPTABLES_MODULES_UNLOAD      Unloads modules on stop/restart                                yes
IPTABLES_SAVE_ON_STOP        Rules may be added to your firewall from the command line;     no
                             if this directive is set to yes then rules are saved to
                             iptables upon stopping the firewall
IPTABLES_SAVE_ON_RESTART     If set to yes, saves all current rules to iptables upon        no
                             restarting the firewall
IPTABLES_SAVE_COUNTER        Saves all chains of rules and counters for rules to iptables   no
                             upon stop or restart
IPTABLES_STATUS_NUMERIC      Print IP addresses and ports in numeric format                 yes
IPTABLES_STATUS_VERBOSE      Print statistics about packets and bytes                       yes
IPTABLES_STATUS_LINENUMBERS  Print line numbers of rules                                    yes
The Firewall: iptables
• Here we see the output of /sbin/service iptables
status with the following directive values
– IPTABLES_STATUS_VERBOSE=yes
– IPTABLES_STATUS_LINENUMBERS=yes
The Firewall: iptables
• Rules are placed into chains
– For instance, all INPUT rules are in one chain, all
OUTPUT rules are in a separate chain
• Most rules use the -A option to indicate that
we are adding (appending) this rule to an existing chain
– Syntax: -A chain [options] [-j target]
– The chain will be INPUT, OUTPUT, FORWARD
– Options specify the criteria by which this rule will
judge a packet, such as destination port or source
IP address
– Target is one of ACCEPT, REJECT, DROP or
LOG
The Firewall: iptables
• The targets are defined as follows
– ACCEPT – permit the packet entry to the system
– REJECT – reject the packet and notify the sender
– DROP – reject the packet without notifying the
sender
– LOG – log the packet but continue chaining rules
to reach one of the other targets.
• The distinction here is between REJECT and
DROP because DROP does not notify sender
– You would use DROP if you feel the message was
spam or an attack
The Firewall: iptables
Option                  Meaning                                                    Example
-p protocol             True if the message is of the given protocol               -p tcp
-i interface            True if message received by given interface                -i eth0
-o interface            True if message sent over given interface                  -o lo
-s address              True if message originated from given IP address           -s 10.11.12.13, -s 10.11.0.0/16
-d address              True if message being sent to IP address                   -d 172.19.31.141
--dport port            True if message is intended to be received at given port   --dport 431
--sport port            True if message originated from port                       --sport 22
--dports port1,port2,…  True if message intended for any of the ports              --dports 80,8080,443
--sports port1,port2,…  True if message originated from any of the ports           --sports 67,68
The Firewall: iptables
• Another option is -m to specify a further module
to use
• There are numerous modules (see the next slide)
– One module is state which will test the state of the
message
– Is this a new message, a message in response to an
already established communication, or a message
related to an already established communication?
– By using this module with ESTABLISHED and/or
RELATED then you can allow messages in through
your firewall if they are in response to messages that
you initiated (such as an HTTP request)
The Firewall: iptables
Module      Meaning                                    Extensions
addrtype    Match based on source address type         --src-type type, --dst-type type
            or destination address type                Types include BLACKHOLE, BROADCAST, MULTICAST, NAT, UNICAST
conntrack   Match based on the connection’s status     --ctstate state
                                                       States include INVALID, ESTABLISHED, NEW, RELATED, SNAT, DNAT
icmp        Match based on ICMP type                   --icmp-type [!] type
                                                       Type can be any ICMP type or its corresponding number
iprange     Match if message’s source or destination   [!] --src-range range, [!] --dst-range range
            falls within the given range               Range denoted as address1-address2
length      Match if message’s length is equal to,     --length [!] length[:length]
            or within the range, provided              Examples: --length 500:1000, --length ! 0
limit       Limit the number of received messages      --limit-burst number
time        Match if specified time is met             --timestart value, --timestop value, --days days, --datestop days
                                                       value is a time given in hh:mm format and days is Mon, Tue, Wed, etc
The Firewall: iptables
• You can add a default rule to serve at the end of a
chain
– -P INPUT DROP
• if the message does not match any rule in the INPUT chain, then
drop it (a built-in chain’s policy can only be ACCEPT or DROP; to
reject unmatched messages instead, append -A INPUT -j REJECT as the
last rule of the chain)
• If you want to start with all new rules, use -F to
flush the current chain and then define new rules
– This makes more sense when you are defining rules from
the command line
– To input a rule from the command line, prepend iptables
to the rule as in
• iptables -A INPUT …
• To list all rules of a chain, use -L
The Firewall: iptables
• Here we look at an example
-P INPUT DROP       # default for incoming packets (a built-in chain's policy may
                    # only be ACCEPT or DROP; to send rejections instead, append
                    # "-A INPUT -j REJECT" as the chain's last rule)
-P OUTPUT ACCEPT    # allow all outgoing messages
-P FORWARD DROP     # do not perform forwarding
                    # Forwarding is commonly used for routers, not workstations.
-A INPUT -i lo -j ACCEPT                                   # accept anything over "lo"
-A INPUT -p tcp --dport 22 -j ACCEPT                       # accept incoming ssh
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # accept continuation messages of
                                                           # previously established connections
-A INPUT -p icmp -j ACCEPT                                 # accept ICMP messages
-A INPUT -i eth0 -s 10.11.12.0/24 -j ACCEPT                # accept messages from subnet 10.11.12.0
-A INPUT -p tcp -s facebook.com -m multiport --sports 80,443 -j DROP
                    # drop webpage responses from facebook.com
                    # (--sports is a multiport option, so -m multiport is required and the
                    # list may contain no spaces; a hostname in -s is resolved once, when
                    # the rule is loaded, so the rule only covers the addresses returned then)
The Firewall: iptables
• Additional rules
-A INPUT -p tcp -m multiport --dports 80,8080,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 1.80.0.0/13 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A OUTPUT -p icmp --icmp-type echo-reply -j DROP
-N LOGGING                        # user-defined chain that logs and then drops; it is only
                                  # reached from a rule in another chain ending in -j LOGGING
-A LOGGING -j LOG --log-level 7   # --log-level is an option of the LOG target, so it follows -j LOG
-A LOGGING -j DROP
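A pre-load check for rule lines, as an added example that is not part of the slides. It encodes the syntax points made in the preceding slides (policies only on built-in chains and only ACCEPT or DROP, --dports/--sports only inside -m multiport with no spaces in the list, --state only with -m state, --log-level only after -j LOG, and a hostname in -s or -d being resolved just once at load time). It parses rule text only and never runs iptables, so it can be used on a rules file before restarting the firewall. The function name lint_iptables_rule and the sample rules are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): sanity-check iptables rule lines before
# they are loaded. Prints each problem and returns the number found (0 = clean).
lint_iptables_rule() {
    local rule=$1 problems=0 i
    local -a w
    read -r -a w <<< "$rule"          # tokens, split on whitespace as iptables does

    problem() { echo "  [$rule] $1"; problems=$((problems + 1)); }

    # -P sets a built-in chain's policy; only ACCEPT and DROP are legal there
    if [ "${w[0]}" = "-P" ]; then
        case "${w[1]}" in
            INPUT|OUTPUT|FORWARD) ;;
            *) problem "policy applies only to built-in chains, not '${w[1]}'" ;;
        esac
        case "${w[2]}" in
            ACCEPT|DROP) ;;
            *) problem "policy target must be ACCEPT or DROP (append '-A ${w[1]} -j REJECT' to reject instead)" ;;
        esac
        return "$problems"
    fi

    # only append/insert rules carry match options; -N, -F, COMMIT etc. pass through
    case "${w[0]}" in -A|-I) ;; *) return 0 ;; esac

    local jump_at=-1 loglevel_at=-1
    for ((i = 0; i < ${#w[@]}; i++)); do
        case "${w[i]}" in
            -j) jump_at=$i ;;
            --log-level) loglevel_at=$i ;;
            --dports|--sports)
                # these options exist only inside "-m multiport", and the list is one
                # token: "80, 443" is split into two tokens and fails to load
                case " $rule " in *" -m multiport "*) ;; *) problem "${w[i]} requires -m multiport" ;; esac
                if [[ ${w[i+1]} == *, ]]; then
                    problem "port list '${w[i+1]} ${w[i+2]}' contains a space"
                fi
                ;;
            --state)
                case " $rule " in *" -m state "*) ;; *) problem "--state requires -m state" ;; esac ;;
            --ctstate)
                case " $rule " in *" -m conntrack "*) ;; *) problem "--ctstate requires -m conntrack" ;; esac ;;
            -s|-d)
                # a hostname is resolved once, when the rule is loaded; afterwards the
                # rule matches only the addresses returned at that moment
                if ! [[ ${w[i+1]} =~ ^!?[0-9.]+(/[0-9]+)?$ ]]; then
                    problem "${w[i]} ${w[i+1]} is a hostname, not an address; it is resolved only at load time"
                fi
                ;;
        esac
    done

    if [ "$jump_at" -lt 0 ]; then
        problem "no -j target: the rule matches packets but only counts them"
    fi
    if [ "$loglevel_at" -ge 0 ]; then
        if [ "$jump_at" -lt 0 ] || [ "${w[jump_at+1]}" != "LOG" ] || [ "$loglevel_at" -lt "$jump_at" ]; then
            problem "--log-level is an option of the LOG target and must follow '-j LOG'"
        fi
    fi
    return "$problems"
}

# Constructed sample rules: the corrected lines from the slides and the mistakes they replace
SAMPLE_RULES=(
    "-P INPUT DROP"
    "-P INPUT REJECT"
    "-A INPUT -p tcp --dport 22 -j ACCEPT"
    "-A INPUT -p tcp -s facebook.com --sports 80, 443 -j DROP"
    "-A LOGGING --log-level 7 -j LOG"
    "-A LOGGING -j LOG --log-level 7"
)
for r in "${SAMPLE_RULES[@]}"; do
    if lint_iptables_rule "$r"; then echo "ok    $r"; fi
done
```

Run it over a rules file with a loop such as `while read -r line; do lint_iptables_rule "$line"; done < rules` before the firewall is restarted; a line that fails to load leaves the chain in whatever state the earlier lines produced, which for a file beginning with -P INPUT DROP means a host that accepts nothing.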
Network Scripts
• We wrap up by looking at some shell scripts that might
be useful tools
try_ip() {
    ip=$1
    num=$2
    # ping's summary line reads "N packets transmitted, M received, ..."; field 4 is M
    x=$(ping -c "$num" -q "$ip" | awk '/received/ {print $4}')
    if [ "${x:-0}" -eq 0 ]; then
        echo "$ip not responsive on $(date) with $num tries" \
            >> /root/net_stats/non_responding_devices.txt
    fi
}
list=(10.11.12.13 10.11.12.14 10.11.12.15 10.11.21.22 10.11.38.83 10.11.0.1)
for ip in "${list[@]}"; do      # "$list" alone would expand to the first element only
    try_ip "$ip" 10
done
Network Scripts
try_wget() {
    filename=$2.index
    # -O creates the output file even when the download fails, so test wget's
    # exit status rather than whether the file exists
    if /usr/bin/wget -q --tries="$1" "$2" -O "/root/$filename"; then
        rm -f "/root/$filename"
        return 0
    else
        rm -f "/root/$filename"
        return 1
    fi
}
Network Scripts
urls=(www.google.com www.yahoo.com www.bing.com)
numAttempts=0
contact=0
while [[ $contact -eq 0 && $numAttempts -lt ${#urls[@]} ]]
do
    u=${urls[numAttempts]}
    if try_wget 5 "$u"; then
        contact=1
    fi
    numAttempts=$((numAttempts+1))
done
if [ "$contact" -eq 0 ]; then     # none of the URLs could be fetched
    echo "Warning, Internet connection appears to be down"
fi
Network Scripts
list=                            # start list as NULL
count=0
for user in $(who | grep -vw "$USER" | awk '{print $1}'); do
    # -w matches the whole name, so "bob" is not found inside "bobby"
    if [ -z "$(echo "$list" | grep -w "$user")" ]; then
        list="$list $user"
    fi
done
echo "Users at $(date) are $list" >> /root/logged_in_users.txt