Linux Basics - McMaster University
Linux Basics
Reading:
Chap 1-2 [WFR05]
Linux Command Manual
About Linux
Linux is the name of the kernel
Linux is Open Source Software (OSS)
Linux is licensed under the GNU General Public License, version 2 (GPLv2)
The right to redistribute is granted only if the
distribution is licensed under the terms of the
GPL and either includes, or unconditionally offers
to include at the moment of distribution, the
source code
The Linux kernel by itself can serve as a firewall,
router, access point, and even a static web page
server
Typically, Linux is packaged with a great number of
applications and utilities, also OSS
Components of a Linux System
Kernel (can be monolithic or modular)
Modules (if modular kernel)
Filesystem(s)
Boot Loader
Libraries and Dynamic Linker
Init and rc system
Utilities
Applications
Linux Kernel
A kernel is the central component of most computer operating systems (OS). Its responsibilities include managing the system's resources
Monolithic architecture includes much of the OS functionality in the kernel
Memory and process management
Device drivers
File systems
Network
In contrast, microkernels (e.g., Mach; Windows NT is usually classed as a hybrid) include minimal functionality in the kernel proper
Inter-process communication and memory management
Pros and cons: less code runs in privileged mode and a crashing driver need not take the whole system down, at the price of extra message passing between components
Linux Kernel
Since V1.2, a combination of
Base kernel
Loadable kernel modules
Linux Kernel Configuration
Monolithic architecture includes much of OS functionality in kernel
Memory and process management
Device drivers
File systems
Network
Configuration in a tree structure to decide which files to be compiled into the kernel
Options to compile directly in or as a module
Online help to explain choices
Linux Loadable Kernel Modules (LKM)
Linux supports kernel modules as an option
Modules are loaded at run time
Reduce memory requirements
Add functionality to the Linux kernel
Run in privileged kernel mode, with exactly the access the base kernel has: a loaded module can read or change anything, so loading an untrusted module is a complete compromise of the machine (this is why loading requires root, and why kernels can be built to accept only signed modules)
As fast as the base kernel
Doesn't require a reboot to add or remove functionality or to develop your own module
LKMs are used for
Device drivers
Filesystem drivers
Network drivers
…
LKM utilities
insmod – insert a single LKM (no dependency handling)
rmmod – remove an LKM
lsmod – list loaded LKMs (reads /proc/modules)
modinfo – show a module's description, author, parameters and licence
modprobe – insert/remove a set of LKMs intelligently: resolves dependencies from modules.dep and honours /etc/modprobe.conf or /etc/modprobe.d/; on Debian the modules listed in /etc/modules are loaded at boot
Linux File System Support
Linux uses the virtual file system (VFS) interface to modularize file system support
File systems may be compiled in as modules (but watch out for the catch-22)
“you need to mount the root filesystem to add the module that lets you mount the root filesystem”
Either compile the root file system's driver into the kernel, or ship the module in an initrd/initramfs that the boot loader hands to the kernel
In addition to file systems that manage disk partitions, there are also pseudo file systems
Pseudo File Systems
A 'pseudo' file system provides a file-style interface to the inner workings of the kernel.
Most important is the /proc file system, which provides many important interfaces to the kernel and running processes
/proc/sys can be used to set parameters in the running kernel as well as to read their state (the sysctl command reads and writes the same files)
e.g. echo “1” > /proc/sys/net/ipv4/ip_forward
This turns the host into a router that forwards packets between its interfaces; it is 0 by default and must be 1 before the FORWARD chain and the NAT examples later in these notes see any traffic
Boot Loader
Takes over from BIOS after POST
Usually on master boot record (MBR) of
hard drive
the 512-byte boot sector that is the first sector
of a partitioned disk
Can offer choice of different OSes (dual
boot)
Linux typically uses GRUB (LILO in the past)
GRUB
GRand Unified Boot loader
Two stages
The first being small with the sole purpose of loading the
second one.
Understands several file system types
Provides for changing of boot options at boot time (useful
for testing new kernel features)
For more information: http://www.gnu.org/software/grub/
A GRUB (legacy) boot stanza, using GRUB's 0-based disk and partition numbering:
root (hd0,0)
  which partition contains the kernel file: 1st partition on the first hard disk
kernel /vmlinuz-i686-up-4GB root=/dev/hda9
  file name of the kernel; root= is passed on to the kernel and names the partition containing /sbin/init, which becomes the root partition
boot
Boot process on Linux
BIOS -> bootloader -> kernel -> init
The kernel starts a single user-space process, init (PID 1); on Red Hat style systems the first thing init runs is the script /etc/rc.d/rc.sysinit
7 runlevels, 0 to 6; the scripts for each live in /etc/rc.d/rc?.d/ (/etc/rc?.d/ on Debian)
Runlevel 0 halts the system and runlevel 6 reboots it
Runlevel 1 is single-user mode
Runlevel 3 is multi-user text mode (Red Hat convention)
Runlevel 5 is used to boot the system into GUI mode using XDM and X Windows
Scripts with S for startup and K for shutdown, run in numeric order; they are links to the real scripts in /etc/init.d/
Init and RC System
Takes over once the kernel loads
Brings the system up to the ready state for the selected runlevel
Starts different services
Can be used after boot to start and stop services, e.g. /etc/init.d/httpd start
Every service started here is reachable attack surface: check which are enabled for the runlevel you boot into and what they listen on (netstat -tulp, see the netstat section)
Unix and the toolkit approach
/bin and /sbin (/usr/bin and /usr/sbin too)
STDIN, STDOUT, STDERR
Redirection and Pipes
e.g. dmesg | head -1
Practices (cont’d)
Hints:
If the commands are not in the default paths, try /sbin or /usr/sbin
A number of ways for finding out the Linux distribution and kernel version
dmesg | head -1
cat /proc/version (kernel version and the compiler that built it)
cat /etc/issue or /etc/*-release, or lsb_release -a (distribution name and version)
“man” is your friend!
Top Network Utilities
ifconfig
route
ping
traceroute (tcptraceroute)
nmap
netstat
ssh (scp, sftp)
telnet
nc
tcpdump
Applications
Anything more complex than a utility?
System services (daemons)
X Windowing system
Interactive programs
Practices
ssh to linux01~04.cs.uh.edu
1. Find out the following:
what Linux distribution is used?
Processor type, memory, CPU speed, # of CPUs
Which boot loader is used?
2. Try the following commands:
ifconfig
route
ping www.uh.edu
traceroute www.google.com
netstat
3. Explain the results from ping and netstat
Linux Networking Tools
Top Network Utilities
ifconfig
ping
iwconfig
traceroute
route
host, (nslookup)
iptables
dig
nmap
netstat
telnet
ssh (scp, sftp)
tcpdump
ifconfig
Configure a network interface
Without options, ifconfig shows the current settings of the interfaces that are up (ifconfig -a includes the down ones)
can bring an interface up or down
example:
ifconfig eth1 up
pump -i eth1 --- DHCP client program (Red Hat's; dhclient is the common alternative)
ifconfig eth1
On current distributions ifconfig and route are the legacy net-tools; ip link, ip addr and ip route from iproute2 replace them
ifconfig (CS Firewall)
eth0
Link encap:Ethernet HWaddr 00:E0:81:2A:9D:C3
inet addr:129.7.240.254 Bcast:129.7.240.255 Mask:255.255.255.192
inet6 addr: fe80::2e0:81ff:fe2a:9dc3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:222210314 errors:0 dropped:0 overruns:0 frame:0
TX packets:194237844 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2468437723 (2354.0 Mb) TX bytes:1403836636 (1338.8 Mb)
Base address:0xdc00 Memory:fe9e0000-fea00000
eth1
Link encap:Ethernet HWaddr 00:04:23:A8:58:82
inet addr:129.7.254.188 Bcast:129.7.254.191 Mask:255.255.255.192
inet6 addr: fe80::204:23ff:fea8:5882/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:397766811 errors:0 dropped:0 overruns:0 frame:0
TX packets:521981776 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2719493949 (2593.5 Mb) TX bytes:217572585 (207.4 Mb)
Base address:0xc880 Memory:fe8c0000-fe8e0000
eth2
Link encap:Ethernet HWaddr 00:04:23:A8:58:83
inet addr:192.168.10.254 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::204:23ff:fea8:5883/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:334616505 errors:0 dropped:0 overruns:0 frame:0
TX packets:238180941 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2097863118 (2000.6 Mb) TX bytes:2193856536 (2092.2 Mb)
Base address:0xcc00 Memory:fe8e0000-fe900000
IP-Aliasing
“IP-aliases are additional IP-addresses/masks hooked up to a base interface by adding a colon and a string when running ifconfig.”
example:
ifconfig eth0:0 192.168.100.1
ifconfig eth0:1 192.168.101.1
Remove an alias
ifconfig eth0:0 down
linux/Documentation/networking/alias.txt
route
Show and/or manipulate the IP routing table (route -n skips the reverse DNS lookups and prints addresses numerically)
Commonly used in determining or setting the default router for a machine on the network
example:
route add default gw 129.7.243.254
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.10
route del -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.10
(the netmask must fit the network address: 192.168.1.0 with 255.255.0.0 is rejected with "netmask doesn't match route address")
To remove all routes through an interface: ifconfig eth0 down
Static Routes
Routes can be static or dynamic
Most host-based routes are static
Static routes are layer 3 clues as to where
to find hosts on a complicated network.
They include a destination network and a
next-hop IP address.
The default route's destination network is a
wildcard
route (CS Firewall)
Computer Science department firewall configuration
$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
129.7.240.0     192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.64    192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.128   192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.192   0.0.0.0         255.255.255.192 U     0      0        0 eth0
129.7.241.0     192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.254.128   0.0.0.0         255.255.255.192 U     0      0        0 eth1
129.7.242.0     192.168.10.253  255.255.255.0   UG    0      0        0 eth2
129.7.243.0     192.168.10.253  255.255.255.0   UG    0      0        0 eth2
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
loopback        127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         129.7.254.190   0.0.0.0         UG    0      0        0 eth1
Flag U. This flag indicates that the route entry is up and running or ACTIVE.
Flag G. This flag indicates that the route entry specifies an indirect route.
Flag H. This flag indicates that the destination field in this route entry specifies a host route.
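The table above is what the kernel consults for every packet it forwards or sends. The following is an added example, not part of the lecture, that loads a copy of this table and performs the kernel's longest-prefix lookup, so you can check through which interface a given destination leaves and via which next hop. The table is embedded as constructed text with the Metric/Ref/Use columns dropped and "loopback" written numerically as 127.0.0.0; everything else is as printed on the slide.

```python
import ipaddress

# Constructed copy of the CS firewall routing table shown above, reduced to
# the columns a lookup needs: Destination Gateway Genmask Flags Iface.
# "loopback" is printed by name on the slide; numerically it is 127.0.0.0.
ROUTE_TABLE = """\
129.7.240.0     192.168.10.253  255.255.255.192 UG  eth2
129.7.240.64    192.168.10.253  255.255.255.192 UG  eth2
129.7.240.128   192.168.10.253  255.255.255.192 UG  eth2
129.7.240.192   0.0.0.0         255.255.255.192 U   eth0
129.7.241.0     192.168.10.253  255.255.255.192 UG  eth2
129.7.254.128   0.0.0.0         255.255.255.192 U   eth1
129.7.242.0     192.168.10.253  255.255.255.0   UG  eth2
129.7.243.0     192.168.10.253  255.255.255.0   UG  eth2
192.168.10.0    0.0.0.0         255.255.255.0   U   eth2
127.0.0.0       127.0.0.1       255.0.0.0       UG  lo
0.0.0.0         129.7.254.190   0.0.0.0         UG  eth1
"""


def parse_routes(text):
    """Turn `route` output rows into (network, gateway, flags, iface) records."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, flags, iface = line.split()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gateway": gw,
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: among the routes whose
    network contains dst, the one with the longest Genmask wins. The default
    route 0.0.0.0/0 matches every address, so it is used only when nothing
    more specific does. Returns (iface, next_hop) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if "U" not in r["flags"]:            # route is not up
            continue
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    if best is None:
        return None
    # G: indirect route, hand the packet to the gateway.
    # No G: the destination is on the link itself, ARP for it directly.
    next_hop = best["gateway"] if "G" in best["flags"] else dst
    return best["iface"], next_hop


def egress_interfaces(routes, destinations):
    """Which interface each destination leaves through: handy to check that
    traffic for the private 192.168.10.0/24 never goes out eth1."""
    return {d: lookup(routes, d)[0] for d in destinations}
```

A host route (flag H) is simply a row with Genmask 255.255.255.255, which this lookup already prefers over any network route because its prefix is the longest possible.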
tcpdump
Prints out headers of packets on a network
interface
Provides for filtering output, and can also
do some protocol analysis
example
tcpdump -i eth0
tcpdump -i eth0 host [hostname]
init scripts
Scripts for starting services are in /etc/init.d/
Arguments are required for these scripts (start, stop, restart, status)
To run a service at boot time (Debian; Red Hat uses chkconfig for the same purpose)
update-rc.d xxx defaults
To remove a service at boot time
update-rc.d -f xxx remove
netstat
Prints information about various parts of
the networking subsystem
Current network connections
Routing tables
Interface statistics
Masqueraded connections
Multicast memberships
Alternatively, cat /proc/net/xxx
netstat examples
netstat -r (provides the same result as the route command)
netstat -a (shows all connections and listening sockets)
netstat -tulp (shows all listening services)
gives programs listening for TCP and UDP connections
• t for TCP, u for UDP, l for listening sockets, -p for program (show the PID and name of the program)
-p can only name processes you are allowed to inspect, so run it as root to see every daemon; add -n to skip name resolution and print numeric addresses and ports
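netstat is a front end to the /proc/net/* files. As an added example, not from the lecture, here is a parser for /proc/net/tcp that reproduces what netstat -tln and the -p lookup do, run over a constructed three-line sample. The address encoding and state codes are the kernel's; the sample sockets, inodes and uids are made up for this example.

```python
import os
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp from an x86 host: sshd listening on
# 0.0.0.0:22, one accepted ssh session on 129.7.240.254 from 192.168.1.10,
# and a web server listening on 0.0.0.0:80 as uid 33 (www-data on Debian).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 100 0 0 10 0
   1: FEF00781:0016 0A01A8C0:C3A5 01 00000000:00000000 02:000A1B2C 00000000     0        0 9100 2 0000000000000000 20 4 30 10 -1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 9150 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field, little_endian=True):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the 32-bit
    address in host byte order, so on x86 the bytes appear reversed."""
    addr_hex, port_hex = field.split(":")
    fmt = "<I" if little_endian else ">I"
    addr = socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text, little_endian=True):
    """One dict per socket line; the first line of the file is a header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        sockets.append({
            "local": decode_endpoint(f[1], little_endian),
            "remote": decode_endpoint(f[2], little_endian),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return sockets


def listening(sockets):
    """What `netstat -tln` shows: (address, port, uid) of LISTEN sockets."""
    return [(s["local"][0], s["local"][1], s["uid"])
            for s in sockets if s["state"] == "LISTEN"]


def established(sockets):
    """What `netstat -tn` shows for open sessions: (local, remote) pairs."""
    return [(s["local"], s["remote"]) for s in sockets if s["state"] == "ESTABLISHED"]


def pid_for_inode(inode):
    """How `netstat -p` finds the owning program: scan every /proc/<pid>/fd
    for a link named socket:[<inode>]. Linux only, and you only see processes
    you are allowed to inspect, which is why -p wants root."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    return int(pid)
        except OSError:                      # process exited or permission denied
            continue
    return None
```

On a live Linux host, parse_proc_net_tcp(open("/proc/net/tcp").read()) gives the real list (use /proc/net/tcp6 and udp for the rest); pid_for_inode(s["inode"]) then names the daemon behind each listening port.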
Try this
Run as root:
# netstat -tulp
# /etc/init.d/apache start
# netstat -tulp
Compare the results
HTTP (WWW)
HyperText Transfer Protocol
Uses TCP connections on port 80*
Commands are plaintext; human readable (if you don't mind html), and readable by anyone on the network path, which is why anything sensitive goes over HTTPS on port 443 instead
example: telnet www.uh.edu 80
Try the following:
telnet localhost 80
Trying 127.0.0.1...
Connected to Cougar.
Escape character is '^]'.
GET /apache2-default/ HTTP/1.1
Host: localhost
(then press Enter on an empty line: HTTP/1.1 requires a Host header and the blank line ends the request; with HTTP/1.0 the Host line can be omitted)
* Typically. Other ports such as 8080, or 443 for SSL/TLS, can also be used.
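The telnet exchange above is the whole protocol. As an added example, not from the lecture or from Apache, the following Python runs that exchange over a socket pair without any network: one function builds the request exactly as you would type it, another plays a minimal origin server that enforces the HTTP/1.1 Host requirement the slide's request omits. The server, its status codes for unknown paths and the "It works!" body are constructed for this example.

```python
import socket
import threading


def parse_request(raw):
    """Split a raw request into (method, path, version, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def build_response(raw_request):
    """A minimal origin server. HTTP/1.1 makes the Host header mandatory
    (the server must answer 400 without it); Apache uses it to pick the
    <VirtualHost> that serves the request."""
    method, path, version, headers = parse_request(raw_request)
    if version == "HTTP/1.1" and "host" not in headers:
        status, body = "400 Bad Request", b"missing Host header\n"
    elif method != "GET":
        status, body = "405 Method Not Allowed", b""
    elif path == "/":
        status, body = "200 OK", b"<html><body>It works!</body></html>\n"
    else:
        status, body = "404 Not Found", b""
    head = (f"HTTP/1.1 {status}\r\n"
            "Server: example/0.1\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def build_request(path, host=None):
    """Exactly what you type into `telnet host 80`: request line, headers,
    then an empty line. host=None reproduces the slide's Host-less request."""
    lines = [f"GET {path} HTTP/1.1"]
    if host is not None:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def exchange(request):
    """Run one request/response over a connected socket pair: a thread plays
    the server, the caller plays the telnet client. Returns (status_line, body)."""
    client, server = socket.socketpair()

    def serve():
        with server:
            buf = b""
            while b"\r\n\r\n" not in buf:         # read until the blank line
                chunk = server.recv(4096)
                if not chunk:
                    return
                buf += chunk
            server.sendall(build_response(buf))

    t = threading.Thread(target=serve)
    t.start()
    with client:
        client.sendall(request)
        raw = b""
        while True:                              # server closes: recv returns b""
            chunk = client.recv(4096)
            if not chunk:
                break
            raw += chunk
    t.join()
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0].decode("ascii"), body
```

exchange(build_request("/", host="localhost")) returns the 200 response; exchange(build_request("/")) shows what a strict HTTP/1.1 server does with the slide's request as typed. Everything in both directions is plain ASCII on the wire, which is the point of the "human readable" remark above.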
Configuring Apache
Typically, Apache configuration files can be
found under /etc/apache/conf
Knoppix and Debian create a symbolic link so
everything is under /etc/apache
Most of the configuration is in httpd.conf
Additional configurations can be included
from other files with the “Include”
directive
Most distributions break this up into
multiple files to provide for ease of
management
Common Apache Directives
Apache.conf contains two basic types of
options
Directives are one-liner Attribute Value
pairs
DocumentRoot /var/www
ServerName www.example.com
Blocks
(also considered directives in the Apache documentation) define sections where directives have a limited scope
<Directory /var/www/> ... </Directory>
<IfModule mod_ssl.c> ... </IfModule>
Name Services
Provides a map from human readable address space (hostnames) to machine readable address space (IP)
Hierarchical system checks local resources before querying remote ones; the order is set by the hosts line of /etc/nsswitch.conf
/etc/hosts
optional local network naming systems
DNS
DNS works off a hierarchy as well.
DNS and BIND
The internet's most common DNS server is
BIND.
BIND consists of a set of configuration
under /etc/bind and a daemon called named
For
further information, O'Reilly has a
great book, DNS and BIND (4th ed.)
The default install creates a caching
nameserver
Querying DNS
Several utilities provide the ability to
perform name resolution using DNS
The most simple is the host command.
example
host www.uh.edu
host 129.7.1.1
For
more power and flexibility in
interrogating DNS servers, use the dig
command.
dig
$ dig @129.7.240.1 www.cs.uh.edu

; <<>> DiG 9.2.5 <<>> @129.7.240.1 www.cs.uh.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35927
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.cs.uh.edu.                 IN      A

;; ANSWER SECTION:
www.cs.uh.edu.          3600    IN      A       129.7.228.92

;; AUTHORITY SECTION:
cs.uh.edu.              3600    IN      NS      dns.cs.uh.edu.
cs.uh.edu.              3600    IN      NS      ns2.uh.edu.

;; ADDITIONAL SECTION:
dns.cs.uh.edu.          3600    IN      A       129.7.240.1
ns2.uh.edu.             34494   IN      A       129.7.1.6

;; Query time: 0 msec
;; SERVER: 129.7.240.1#53(129.7.240.1)
;; WHEN: Wed Feb 8 12:25:20 2006
;; MSG SIZE  rcvd: 115
DHCP server
Set up the configuration file
Edit /etc/dhcp3/dhcpd.conf
/etc/init.d/dhcp3-server start
Set a host route to the limited broadcast address, which the server needs in order to answer clients that do not have an address yet
• route add -host 255.255.255.255 dev eth0
Formation of an Ad Hoc Network
Plug in the wireless card.
Bring your wireless card online using
ifconfig eth1 up, but do not set it up with
an IP address. (Don't use pump)
Set the card in ad-hoc mode using
iwconfig eth1 mode "ad-hoc"
iwconfig eth1 essid COSC6397sp07
channel 6
ifconfig eth1 192.168.0.x
route add default gw 192.168.0.1
Firewalls
firewall
isolates organization’s internal net from the larger Internet, allowing some packets to pass, blocking others.
two types of firewalls:
application-level
packet-filtering
[figure: the firewall sits between the public Internet and the administered network]
Basic functionalities
IP Filter
Used to filter packets
Full matching on IP, TCP, UDP and ICMP packet headers
Stateful firewalls, NAT
Certain protocols are "complex“ and require extra modules called "conntrack helpers"
Ex: active FTP. The client opens the control connection from its port 1050 to server port 21 and sends "PORT 1051" on it; the server then connects back from its data port 20 to client port 1051. A plain stateful filter sees that inbound connection as NEW and blocks it; the FTP helper reads the PORT command on the control connection and marks the expected data connection RELATED. The same helper is what lets NAT rewrite the address carried inside the PORT command.
[figure: client ports 1050 (control) and 1051 (data), server ports 21 (comm) and 20 (data), the PORT 1051 command on the control connection]
Packet mangling
Modify IP header fields of a packet
Linux Implementation
The iptables command enters one rule at a time into the kernel; rules do not survive a reboot
Use iptables-save and iptables-restore to write the whole ruleset to a file and load it back (typically from an init script)
The framework inside the kernel is called netfilter
Five hooks defined in IPv4:
• PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING.
Netfilter Hooks
PRE_ROUTING
Incoming packets pass this hook in ip_rcv() before routing
LOCAL_IN
All incoming packets addressed to the local host pass this hook in
ip_local_deliver()
FORWARD
All incoming packets not addressed to the local host pass this hook
in ip_forward()
LOCAL_OUT
All outgoing packets created by this local computer pass this hook
in ip_build_and_send_pkt()
POST_ROUTING
All outgoing packets (forwarded or locally created) will pass this
hook in ip_finish_output()
Basic iptables syntax
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
iptables [-t table] [commands] [options] <matches> -j <target>
Table: filter (default), nat, mangle
Commands:
append, insert, replace, delete, list, policy, etc
Built-in chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING (which exist depends on the table: filter has INP UT, OUTPUT and FORWARD; nat has PREROUTING, OUTPUT and POSTROUTING)
Options:
verbose, line numbers, exact, etc.
Matches:
-p selects the protocol and enables its protocol-specific matches (--dport, --sport, --syn, TCP options); -s and -d match source and destination address
-m loads a match module by name (e.g. -m state --state ...)
! inverts the sense of the match.
Rules in a chain are tried in order; the first matching rule with a terminating target decides the packet
Targets:
Immediate actions: ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc. (LOG and TOS are non-terminating: the packet continues down the chain after them)
User defined chain
Extensions: loaded with -p (protocol matches), -m (match modules) and -j (target extensions such as LOG or SNAT)
Iptables syntax
Listing the rules
-L, --list [chain]
-F, --flush [chain]
Flushes (erases) all rules in a chain
Or a table
-N, --new chain
Creates a user-specified chain
There must be no target with that name previously
-X, --delete-chain [chain]
Deletes a user-created chain
No rules may reference the chain
Can delete all user-created chains in a table
Iptables syntax - Creating &
Deleting user-created chains
Creating...
iptables -t filter -N badtcppackets
and Deleting a chain
iptables -t filter -X badtcppackets
and Deleting all user-created chains
iptables -t filter -X
Iptables syntax - A few matches
Protocol
-p, --protocol [!] [protocol]
tcp, udp, icmp or all
Numeric value
/etc/protocols
Destination IP & Port
-d, --destination [!] address[/mask]
Destination address
Resolvable (via /etc/resolv.conf); a name is resolved once, when the rule is loaded, and a name with several A records produces one rule per address, so use numeric addresses in rulesets
--dport, --destination-port [!] port[:port]
Destination port (needs -p tcp, -p udp or another protocol that has ports)
Numeric or resolvable (/etc/services)
Port range
Iptables syntax - A few matches (cont.)
Source IP & Port
-s, --source [!] address[/mask]
Source address
Resolvable (via /etc/resolv.conf), with the same caveat as for -d
--sport, --source-port [!] port[:port]
Source port
Numeric or resolvable (/etc/services)
Port range
Iptables syntax - A few matches (cont.)
Incoming and Outgoing interface
-i, --in-interface [!] interface
-o, --out-interface [!] interface
State module
-m state --state state[,state...]
INVALID: the packet is associated with no known connection
ESTABLISHED: the packet is associated with a connection which has seen packets in both directions
NEW: the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions
RELATED: the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error
iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
(a TCP packet that conntrack considers NEW but that does not carry the SYN flag is not a legitimate connection start: typically a stale packet from a connection older than the firewall's state table, or a stealth scan; the rule answers it with a RST)
Iptables syntax - Some targets
ACCEPT
Accepts the packet
Ends processing of the current chain and of the built-in chain that called it (a verdict reached in a user chain is final for its caller)
The packet still traverses the other tables and the later hooks, so an ACCEPT in nat/PREROUTING does not bypass filter/INPUT or filter/FORWARD
DROP
Drops the packet
No reply
Ends all further processing
Iptables syntax - Some targets
(cont.)
REJECT
Drops packet
Returns a reply
• User specified reply
• Calculated reply
• TCP-RST or ICMP errors
Ends all further processing
RETURN
Returns from a chain to the calling chain
Iptables syntax - ... and a few simple rules
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
iptables -A FORWARD -p tcp --dport 22:113 -j DROP
iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp -o lo -j ACCEPT
iptables -P OUTPUT DROP
(port names come from /etc/services, so ftp-data:ftp is the range 20:21; and note that with the OUTPUT policy DROP and only TCP accepted, this host can no longer send UDP or ICMP, so its own DNS lookups and ping fail until matching ACCEPT rules are added)
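To see why order and policy matter in the rules above, here is an added example, not from the lecture, with a small model of the filter table. It parses the exact iptables lines from this slide plus the state/--syn REJECT rule from the state slide, the latter wrapped in a user-defined chain as on the chain slides, and evaluates constructed packets against them. It models first-match evaluation, the chain policy, jumps to user chains, RETURN and the non-terminating LOG target; conntrack states are supplied on the packet rather than tracked, and the SERVICES table is a constructed subset of /etc/services.

```python
import shlex

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80}   # as /etc/services resolves them
OPTS = {"-p": "proto", "-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if", "--sport": "sport",
        "--dport": "dport", "--state": "state", "-j": "target", "--reject-with": "reject_with"}


def _port(name):
    return SERVICES[name] if name in SERVICES else int(name)


class Firewall:
    """Subset of the iptables filter table: built-in chains with a policy, user chains,
    first-match evaluation, terminating ACCEPT/DROP/REJECT, RETURN, non-terminating LOG.
    A packet is a dict, e.g. {"proto": "tcp", "dport": 80, "state": "NEW", "syn": True}."""

    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.logged = []                                   # what LOG would send to syslog

    def run(self, cmdline):
        """Load one `iptables ...` line (-P, -N, -F, -A; filter table only)."""
        a = shlex.split(cmdline)
        a = a[1:] if a[0] == "iptables" else a
        if a[0] == "-P":
            self.policy[a[1]] = a[2]
        elif a[0] in ("-N", "-F"):
            self.chains[a[1]] = []
        elif a[0] == "-A":
            rule, neg, i = {}, set(), 2
            while i < len(a):
                invert = a[i] == "!"
                if invert:
                    i += 1
                if a[i] == "-m":                           # match module name; its options follow
                    i += 2
                    continue
                if a[i] == "--syn":
                    key, val, i = "syn", True, i + 1
                else:
                    key, val, i = OPTS[a[i]], a[i + 1], i + 2
                rule[key] = val
                if invert:
                    neg.add(key)
            rule["neg"] = neg
            self.chains[a[1]].append(rule)
        else:
            raise ValueError("unsupported: " + cmdline)

    @staticmethod
    def _in_range(spec, port):
        lo, _, hi = spec.partition(":")                    # "80:1024", "ftp-data:ftp" or "22"
        lo, hi = _port(lo), _port(hi) if hi else _port(lo)
        return lo <= port <= hi

    def _matches(self, rule, pkt):
        for key, want in rule.items():
            if key in ("neg", "target", "reject_with"):
                continue
            if key == "proto":
                hit = want == "all" or pkt.get("proto") == want
            elif key in ("sport", "dport"):
                hit = self._in_range(want, pkt.get(key, -1))
            elif key == "state":
                hit = pkt.get("state") in want.split(",")
            elif key == "syn":
                hit = bool(pkt.get("syn"))
            else:                                          # src, dst, in_if, out_if
                hit = pkt.get(key) == want
            if key in rule["neg"]:
                hit = not hit
            if not hit:
                return False
        return True

    def _walk(self, chain, pkt):
        """Walk one chain; None means it ended or hit RETURN without a verdict."""
        for rule in self.chains[chain]:
            if not self._matches(rule, pkt):
                continue
            t = rule["target"]
            if t == "LOG":
                self.logged.append((chain, dict(pkt)))
                continue                                   # non-terminating: keep going
            if t in ("ACCEPT", "DROP", "REJECT"):
                return t
            if t == "RETURN":
                return None
            verdict = self._walk(t, pkt)                   # jump into a user-defined chain
            if verdict is not None:
                return verdict                             # it decided; else carry on here
        return None

    def verdict(self, chain, pkt):
        """Evaluate a packet against a built-in chain; the policy applies when no
        terminating rule matched. First match wins, so rule order matters."""
        v = self._walk(chain, pkt)
        return v if v is not None else self.policy[chain]


def demo():
    """The six rules from the slide, preceded by a user chain (constructed here)
    that logs and resets non-SYN packets conntrack regards as NEW."""
    fw = Firewall()
    for line in [
        "iptables -N badtcppackets",
        "iptables -A badtcppackets -p tcp -m state --state NEW ! --syn -j LOG",
        "iptables -A badtcppackets -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset",
        "iptables -A INPUT -p tcp -j badtcppackets",
        "iptables -A INPUT -p tcp --dport 80:1024 -j DROP",
        "iptables -A FORWARD -p tcp --dport 22:113 -j DROP",
        "iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP",
        "iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT",
        "iptables -A OUTPUT -p tcp -o lo -j ACCEPT",
        "iptables -P OUTPUT DROP",
    ]:
        fw.run(line)
    return fw
```

Feeding demo() an outgoing UDP packet on eth0 returns DROP from the OUTPUT policy, which is the DNS caveat above made concrete; a non-SYN packet in state NEW goes through the user chain, is logged, and comes back REJECT, while a SYN to port 22 falls off the end of the user chain, continues in INPUT, matches nothing and gets the INPUT policy.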
Iptables syntax - Some targets (cont.)
SNAT
only valid in the nat table, in the POSTROUTING chain.
specifies that the source address of the packet should be modified
--to-source ipaddr[-ipaddr][:port-port]
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
The nat table sees only the first packet of each connection; the chosen translation is recorded by connection tracking, applied to the rest of the flow and reversed for the replies
Iptables syntax - Some targets (cont.)
DNAT
only valid in the nat table, in the PREROUTING and OUTPUT chains.
specifies that the destination address of the packet should be modified
--to-destination ipaddr[-ipaddr][:port-port]
iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2
iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2
After DNAT the packet is routed to its new destination, so it is the FORWARD chain (not INPUT) that has to allow it, and the filter rules must match the translated address 10.10.14.2
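The SNAT and DNAT rules above only say what to rewrite; what makes NAT work is that the decision is taken once, for the first packet of a flow, and reversed for the replies. As an added example, not from the lecture or from netfilter, here is a toy model of the nat table with connection tracking, loaded with the address pool and the DNAT target from the two slides. The internal hosts, ports and outside addresses in the test traffic are constructed.

```python
import itertools


def _key(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def _reverse(k):
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)


class NatTable:
    """Toy model of the nat table plus connection tracking. DNAT (PREROUTING) and
    SNAT (POSTROUTING) rules are consulted only for the first packet of a flow; the
    chosen translation is recorded, reused for later packets of the flow and undone
    on replies. Packets are dicts with proto/src/sport/dst/dport (+ optional out_if)."""

    def __init__(self):
        self.dnat = []     # (match, (to_ip, to_port or None))
        self.snat = []     # (match, iterator over the (ip, port) pool of --to-source)
        self.flows = {}    # original 5-tuple -> translated 5-tuple

    def add_dnat(self, match, to_ip, to_port=None):
        self.dnat.append((match, (to_ip, to_port)))

    def add_snat(self, match, ips, port_lo, port_hi):
        """--to-source a.b.c.d-e.f.g.h:lo-hi; the pool is handed out in order."""
        self.snat.append((match, itertools.product(ips, range(port_lo, port_hi + 1))))

    @staticmethod
    def _match(rules, pkt):
        for match, action in rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                return action
        return None

    def _lookup(self, pkt):
        """Find the tracked flow a packet belongs to and its direction."""
        k = _key(pkt)
        for orig, xl in self.flows.items():
            if k in (orig, xl):
                return "orig", orig, xl
            if k in (_reverse(orig), _reverse(xl)):
                return "reply", orig, xl
        return None

    def prerouting(self, pkt):
        """PRE_ROUTING hook: undo the translation on replies, DNAT new flows."""
        hit = self._lookup(pkt)
        if hit:
            direction, orig, xl = hit
            if direction == "reply":                   # deliver to the inside host again
                return {**pkt, "dst": orig[1], "dport": orig[2]}
            return {**pkt, "dst": xl[3], "dport": xl[4]}
        action = self._match(self.dnat, pkt)
        if action is None:
            return dict(pkt)
        ip, port = action
        new = {**pkt, "dst": ip, "dport": pkt["dport"] if port is None else port}
        self.flows[_key(pkt)] = _key(new)
        return new

    def postrouting(self, pkt):
        """POST_ROUTING hook: restore the public address on replies to a DNATed
        flow, reuse a recorded SNAT, or pick one from the rules for a new flow."""
        hit = self._lookup(pkt)
        if hit:
            direction, orig, xl = hit
            if direction == "reply":
                return {**pkt, "src": orig[3], "sport": orig[4]}
            if xl[1:3] != orig[1:3]:                   # SNAT already chosen for this flow
                return {**pkt, "src": xl[1], "sport": xl[2]}
        action = self._match(self.snat, pkt)
        if action is None:
            return dict(pkt)
        ip, port = next(action)                        # next free (ip, port) in the pool
        new = {**pkt, "src": ip, "sport": port}
        self.flows[hit[1] if hit else _key(pkt)] = _key(new)
        return new


def demo():
    """The SNAT pool and DNAT target from the slides (addresses as given there)."""
    nat = NatTable()
    nat.add_snat({"proto": "tcp", "out_if": "eth0"},
                 [f"194.236.50.{n}" for n in range(155, 161)], 1024, 32000)
    nat.add_dnat({"proto": "tcp", "dst": "10.10.20.99", "dport": 80}, "10.10.14.2")
    return nat
```

An unsolicited packet from outside to a pool address is left alone by prerouting because no tracked flow claims it, which is what lets the filter table then drop it as NEW: the NAT mapping itself is the only thing that admits reply traffic to an inside host.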
A simple example ruleset – The
Goals
See handout