Linux Networking

TCP/IP stack
– The kernel controls the TCP/IP protocol stack.
– The Ethernet adapter is hooked into the kernel with the ifconfig command.
– ifconfig sets the IP address as well as the netmask and broadcast addresses.
Network Hardware
– Typically Linux finds the NIC (PCI) at boot, but the administrator needs to tell Linux that the card is to be enabled.
– If Linux doesn't discover the NIC (network interface card), you must assign the card type, interrupt and base address for the card in the Linux kernel.
ifconfig
– ifconfig eth0 129.123.109.154 broadcast 129.123.7.255 netmask 255.255.255.0
– The netmask makes TCP/IP send packets to the router interface for any address except those in 129.123.7.
– The broadcast address limits broadcasts to the 129.123.7 subnet.
DHCP
– Dynamic Host Configuration Protocol
– Allows the client to obtain its TCP/IP setup information from a centralized service.
– The client broadcasts the request over the Ethernet interface.
– The router recognizes the DHCP request and forwards it to the server or system that is configured in the router as the DHCP device.
Name Service
– DHCP typically assigns the nameservers for the Linux box; DHCP does not assign the search domain for the box.
– Name resolution configuration is done in the /etc/resolv.conf file.
– If the domain search field is set to usu.edu then you can access cc.usu.edu as just cc; to contact www.cs.usu.edu you would have to use www.cs.
– If the domain search field is usu.edu and cs.usu.edu then you can access www.cs.usu.edu as www.
– The ambiguity: what if you want www.usu.edu and not www.cs.usu.edu? You would then need to use the fully qualified host name to contact the site you desire.
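The search-list behaviour described above, as an added example that is not part of the slides: a small Python model of the stub resolver over a constructed resolv.conf and constructed zone data (the nameserver and host addresses are made up). It follows the glibc ordering rules, so it reproduces the ambiguity on the slide: with usu.edu first in the search list a bare www reaches www.usu.edu whenever that name exists, and only a fully qualified name with a trailing dot is unambiguous.

```python
# Constructed /etc/resolv.conf for the second case on the slide (search list
# usu.edu then cs.usu.edu); the nameserver address is made up.
RESOLV_CONF = """\
nameserver 129.123.1.1
search usu.edu cs.usu.edu
options ndots:1
"""

# Constructed zone data standing in for the nameserver's answers.
ZONE = {"cc.usu.edu": "129.123.2.5", "www.usu.edu": "129.123.2.10",
        "www.cs.usu.edu": "129.123.7.20"}

def parse_resolv_conf(text):
    """Return (nameservers, search_list, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search = args             # a later search/domain line replaces an earlier one
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots

def candidates(name, search, ndots=1):
    """Names the stub resolver queries, in order (glibc rules): a trailing
    dot means already qualified; with at least ndots dots the name is tried
    as given first, otherwise the search list is tried first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    qualified = [f"{name}.{dom}" for dom in search]
    if name.count(".") >= ndots:
        return [name] + qualified
    return qualified + [name]

def resolve(name, text=RESOLV_CONF, zone=ZONE):
    """First candidate with an answer wins: returns (fqdn, address) or None."""
    _, search, ndots = parse_resolv_conf(text)
    for cand in candidates(name, search, ndots):
        if cand in zone:
            return cand, zone[cand]
    return None
```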
Routers
– Routes are added via DHCP or the route command.
– The default route for a system is the address to which all packets flow if they are not matched by any other route.
– Other routes may be defined using appropriate netmasks and IP addresses.
– Since a route may pass through several intermediate routers, the configuration may have to tell route how many hops (intermediate routers, the metric argument) there are between the local box and the actual 'default' router.
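As an added example (not from the slides), the netmask decision on the ifconfig slide and the default-route rule above written as a longest-prefix route lookup in Python over a constructed routing table in the shape of netstat -r output; the gateways, the 10.0.0.0/8 route and the test destinations are made up. The broadcast_for check also shows that the address in the ifconfig example, 129.123.109.154, lies in 129.123.109.0/24 under a 255.255.255.0 netmask, so the 129.123.7.255 broadcast given with it belongs to a different subnet, which is the consistency check to make before committing an interface configuration.

```python
import ipaddress

# Constructed routing table in the spirit of `netstat -r` output:
# (destination, genmask, gateway, interface). Gateway "0.0.0.0" means the
# destination is on-link; 129.123.7.0/24 is the subnet from the ifconfig slide.
ROUTES = [
    ("129.123.7.0", "255.255.255.0", "0.0.0.0", "eth0"),     # local subnet
    ("10.0.0.0", "255.0.0.0", "129.123.7.1", "eth0"),        # a static route
    ("0.0.0.0", "0.0.0.0", "129.123.7.254", "eth0"),         # default route
]

def broadcast_for(addr, mask):
    """Broadcast address implied by an address/netmask pair (what ifconfig
    derives when no explicit broadcast is given)."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return str(net.broadcast_address)

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (gateway, interface, prefixlen), or None
    when no route, not even a default, covers dst."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, dev in routes:
        net = ipaddress.IPv4Network((dest, mask))
        if addr in net and (best is None or net.prefixlen > best[2]):
            best = (gw, dev, net.prefixlen)
    return best

def next_hop(dst, routes=ROUTES):
    """Where the kernel hands the packet: to dst itself when the netmask says
    it is on the local subnet, otherwise to the matching route's gateway."""
    match = lookup(dst, routes)
    if match is None:
        return None                      # 'network is unreachable'
    gw, dev, _ = match
    return (dst if gw == "0.0.0.0" else gw, dev)
```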
Linux Network Features
– NFS (Network File System)
  – Centralized file sharing
– NIS (Yellow Pages)
  – Centralized password/authentication system
NFS Server Setup
– NFS server enabled
– RPC server enabled
– /etc/exportfs file created, for example:
  /usr/local -o ro sys1,sys2,sys3
  /home/users -o rw sys1,sys2,sys3
NFS Client Setup
– Run mountd, lockd, statd
– Mount the remote disk as:
  mount -o ro server.cs.usu.edu:/usr/local /usr/local
NIS Server Setup
– Domainname: this is the YP domain name, not necessarily the DNS domain name
– ypserv, set up the YP server as a master
– ypbind, bind to the server
– yppasswdd, the password changing daemon
– Create the maps with ypmake
NIS Client Setup
– Set the YP domainname
– Bind to the server: ypbind
– Add the wildcard entry to the /etc/passwd and /etc/group files (+::::::::)
– Add the wildcard to other files as needed
PPP (dialup)
– PPP will automatically configure the Linux box to act as a router for the dial-in users.
– When a user dials in, the PPP protocol typically starts immediately, so the user doesn't see a login prompt.
– PPP (CHAP/PAP) authentication is built into the protocol.
– NAT (Network Address Translation) allows the Linux box to take packets from systems on an internal (non-routable) address and translate those requests to the address of the router interface.
Linux as a router
– The Linux box can handle up to 4 NICs (network interface cards) to act as a router for a wide area network and 3 internal networks.
– With this configuration the Linux box can act as a firewall.
– The program routed handles the packet exchange between boards.
– Care must be exercised in configuring routed so that packets are not misrouted, i.e. sent to the wrong interface.
– One of the interfaces is the WAN and should be listed as the default router.
IP access control
– IP access can be controlled (filtered) by using ipchains or iptables on the Linux box.
– ipchains and iptables can limit packets (by address and port) in either direction (coming into the box or going out of the box).
– If a particular address needs to be filtered, ipchains or iptables can block that address without ever looking at which port it wants to attach to.
– ipchains or iptables can also limit which services (ports) are available to outside addresses.
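A model of the rule ordering behind the "block the address before looking at the port" point above, as an added example that is not from the slides: rules are tried top to bottom, the first match decides, a chain policy covers everything else, and unreachable_blocks() flags an address DROP rule that an earlier any-source ACCEPT shadows. The networks, ports and the iptables commands in the comments are constructed for illustration (the iptables flags themselves are the real ones).

```python
from ipaddress import ip_address, ip_network

# Model of an ipchains/iptables input chain: rules are tried top to bottom,
# the first match decides, and the chain policy applies when nothing matches.
# Rule = (source network or None for any, TCP destination port or None, target).
# Constructed rules, not from the slides; the equivalent iptables commands:
#   iptables -P INPUT DROP
#   iptables -A INPUT -s 10.9.8.0/24 -j DROP
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 -j ACCEPT
INPUT_CHAIN = [
    ("10.9.8.0/24", None, "DROP"),  # filtered address: dropped before any port is examined
    (None, 22, "ACCEPT"),           # ssh open to everyone else
    (None, 80, "ACCEPT"),           # http open to everyone else
]
POLICY = "DROP"                     # every other port is closed to outside addresses

# The same rules with the address block appended last instead of first.
MISORDERED_CHAIN = INPUT_CHAIN[1:] + INPUT_CHAIN[:1]

def filter_packet(src, dport, chain=INPUT_CHAIN, policy=POLICY):
    """Return (target, index of the deciding rule); index is None when the
    chain policy decided."""
    src_ip = ip_address(src)
    for i, (net, port, target) in enumerate(chain):
        if net is not None and src_ip not in ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        return target, i
    return policy, None

def unreachable_blocks(chain):
    """Flag address-only DROP rules that sit after an any-source ACCEPT rule:
    packets from the blocked address to that port are accepted before the
    block is ever reached. Returns [(drop_index, accept_index, port), ...]."""
    problems = []
    for i, (net, port, target) in enumerate(chain):
        if target != "DROP" or net is None or port is not None:
            continue
        for j in range(i):
            jnet, jport, jtarget = chain[j]
            if jtarget == "ACCEPT" and jnet is None:
                problems.append((i, j, jport))
    return problems
```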
Xinetd
– xinetd controls which services are accessible from the Internet.
– The port numbers that xinetd translates into service names are listed in /etc/services.
– xinetd controls which user the service process runs as and what flags are passed to the service program.
– xinetd times out the service program when the Internet user completes, so that memory and CPU time are freed.
Xinetd server programming
– xinetd redirects the input that would come from stdin and takes it from the IP packets.
– xinetd redirects the output that would go to stdout and puts it into the IP packets.
– If a program is dispatched through xinetd then all I/O can be done via stdin and stdout.
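An added example, not from the slides, of a service written the way the slide describes: it reads requests from stdin and writes replies to stdout with no socket code, and the xinetd entry in the comment is a constructed one (the service name, port and path are assumptions). The read is bounded and each reply is flushed, because under xinetd stdin is the remote peer's raw byte stream and stdout is only delivered when written out.

```python
import io
import sys

# Constructed xinetd entry (e.g. /etc/xinetd.d/upper) that would dispatch
# this script; service name, port and path are assumptions, not from slides.
#   service upper
#   {
#       type        = UNLISTED
#       port        = 10007
#       socket_type = stream
#       wait        = no
#       user        = nobody
#       only_from   = 129.123.7.0/24
#       server      = /usr/local/bin/upper_service.py
#   }
MAX_LINE = 512     # stdin is the raw network stream, so bound what is read

def handle_request(line):
    """Answer one request line; the reply text goes back out in the packets."""
    parts = line.strip().split()
    if not parts:
        return "ERR empty request\n"
    cmd, *args = parts
    if cmd == "ECHO":
        return " ".join(args) + "\n"
    if cmd == "UPPER":
        return " ".join(args).upper() + "\n"
    return f"ERR unknown command {cmd!r}\n"

def serve(inp, out):
    """Read request lines from inp (stdin under xinetd), write replies to out
    (stdout). Returns the number answered; stops at EOF or an overlong line."""
    handled = 0
    while True:
        line = inp.readline(MAX_LINE + 1)
        if not line:
            break
        if len(line) > MAX_LINE:        # newline counts toward the bound
            out.write("ERR line too long\n")
            break
        out.write(handle_request(line))
        out.flush()     # hand the reply to xinetd now, not at process exit
        handled += 1
    return handled

def run_session(text):   # drive serve() with a constructed request stream
    out = io.StringIO()
    return serve(io.StringIO(text), out), out.getvalue()
if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```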
Background Programs
– The xinetd system has a time latency, since packets need to be dispatched and the program must start before the service can begin.
– To improve network speed a program can be started at boot time and run in the background.
– These programs must communicate with the TCP/IP stack using system calls (sockets); stdin and stdout will be lost or redirected to the system logs and not to the network.
Network Programs
– Highly network-intensive programs need to run at all times on the system. Examples are:
  – Web servers (http); may run several processes to gain throughput
  – Network file services
  – Remote Procedure Call programs
  – Mail
– Low impact programs:
  – telnet
  – ftp
  – time
  – news
Network monitoring
– ping: echo test
– traceroute: check the router path
– netstat
  – -r shows the routing table
  – -i shows the interfaces
  – -p shows which program is doing the network activity
  – no option: what is presently going on
External Tools
– Sniffer (snoop, tcpdump)
  – Look at packets on the wire
– Scanner (nmap)
  – What ports are open?
– Security checks
  – Mail relays, writeable anonymous ftp
Class Evaluations

Remember to do the evaluations!
December 5, 2002
The End