Copyright © 2000 by Commandprompt, Inc
This is a LinuxPorts.Com Document for the Linux Documentation Project. It has been sponsored in part by the Open Source Documentation Fund.
The current version is v1.7.0 is a minor update with some grammar fixes.
We will try to provide comprehensive coverage for all Linux Networking implementations. However, time is of the essence, and this document is not a revenue maker. We provide this information in the hope that it will be useful to both the Linux Community and to newly converted Linux users. We are always interested in feedback! We will implement every relevant topic possible in this HOWTO document.
If you would like to assist with this document, there are two primary avenues that are extremely helpful.
Purchase an OpenBook! If you purchase OpenDocs books, OpenDocs Publishing will donate a portion of the proceeds back to the Open Source Documentation Fund. This fund assists authors financially while they continue to write documentation for Open Source projects.
Provide a monetary contribution to the document. By contributing, you can even request what you would like to have updated, written, or expanded within the document. To provide a monetary contribution, please contact Command Prompt, Inc. You may also contact Joshua Drake.
If you have written something that you would like to contribute, please email it to poet@linuxports.com
The original NET-FAQ was written by Matt Welsh and Terry Dawson. NET-FAQ answered frequently asked questions about networking for Linux (at a time before the Linux Documentation Project had formally started). This document covered the very early development versions of the Linux Networking Kernel. The NET-2-HOWTO superseded the NET-FAQ, and it was one of the original LDP HOWTO documents. It covered what was called "version 2" (and subsequently "version 3") of the Linux kernel Networking software. NET-2_HOWTO in turn superseded it, and relates only to version 4 of the Linux Networking Kernel (ie: kernel releases 2.x and 2.2.x. ).
Previous versions of this document became quite large because of the enormous amount of material that fell within its scope. To help reduce this problem, a number of HOWTOs dealing with specific networking topics have been produced. This document will provide pointers to them where relevant, and it will cover those areas not yet reviewed by other documents.
We are always interested in feedback. Please contact us at: poet@linuxports.com.
If you find anything erroneous, or if you feel that something should be added, please contact us.
This document is organized top-down. The first sections include informative material, and it can be skipped if you are not interested; what follows is a generic discussion of networking issues, and you must ensure you understand this before proceeding to more specific parts. The ``technology specific'' information is grouped into three main sections: Ethernet and IP-related information, technologies pertaining to widespread PC hardware, and seldom-used technologies.
The suggested path through this document is as follows:
These sections apply to almost every technology described in subsequent sections, and they are very important for you to understand. I expect many of the readers will be confident with this material.
You should know how your network is (or will be) designed, and you should also be familiar with exactly what hardware and technology types you will be implementing.
This section describes basic Ethernet configurations, and it describes the various features that Linux offers for IP networking (ie: firewalling, advanced routing, etc).
This section describes the widespread technologies used on personal workstations (ie: PLIP, PPP, SLIP, and ISDN).
Your needs may differ from IP and/or other common hardware This final section covers details specific to both non-IP protocols and to peculiar communication hardware.
You should actually try to configure your network. Take careful note of any existing problems
If you experience problems that this document does not help you to resolve, then you should refer to the sections related to "Help" and "Where to report bugs".
Networking is fun! Enjoy it!
No special conventions are used here, but you must be warned about the way commands are shown. This howto follows the classic Unix documentation: any command you type to your shell is prefixed by a prompt. It shows "user%" as the prompt for commands that do not require superuser privileges, and "root#" as the prompt for commands that need to run as root. I chose to use "root#" instead of a plain "#" to prevent confusion with snapshots from shell scripts (where the hash mark is used to define comment lines).
When ``Kernel Compile Options'' are shown, they are represented in the format used by menuconfig. They should be understandable even if you (like me) are not used to menuconfig. If you are in doubt about the options' nesting, then running the program once can always help. Was this section helpful? Why not Donate $2.50?
There are a number of places where you can find good information about Linux networking.
There are a wealth of Consultants available to assist you. A search able listing can be found at: http://www.linuxports.com/.
Alan Cox, the current maintainer of the Linux kernel networking code, maintains a world wide web page containing highlights of current and new developments in Linux Networking: www.uk.linux.org.
There is a newsgroup in the Linux news hierarchy dedicated to networking and related matters at this location: comp.os.linux.networking
You can also subscribe to a mailing list where you may ask questions relating to Linux networking. Send an email message for a subscription to:
To: majordomo@vger.rutgers.edu Subject: anything at all Message: subscribe linux-net |
Please remember to include as much relevant detail about the problem as possible. You should specify the versions of software that you are using (especially the kernel version), the version of tools such as pppd/ or dip , and the exact nature of the problem(s) that you are experiencing. This means you should take notes of both the exact syntax of error message(s) you receive, and of any commands that you are issuing. Was this section helpful? Why not Donate $2.50?
If you are after some basic tutorial information on tcp/ip networking, then I recommend you take a look at the following documents:
This document comes as both a text version and a postscript version.
This document comes as both a text version and a postscript version.
If you are after some more detailed information on tcp/ip networking, then I highly recommend:
"Inter networking with TCP/IP, Volume 1: Principles, Protocols and Architecture, by Douglas E. Comer, ISBN 0-13-227836-7, Prentice Hall publications, Third Edition, 1995."
If you are wanting to learn about how to write network applications in a Unix compatible environment, then I recommend:
"Unix Network Programming, by W. Richard Stevens, ISBN 0-13-949876-1, Prentice Hall Publications, 1990."
A second edition of this book is appearing on the bookshelves. The new book is made up of three volumes. Check Prenice-Hall's web site for further details.
You might also try the comp.protocols.tcp-ip newsgroup.
RFCs are an important source of specific technical information relating to the Internet and the tcp/ip suite of protocols. RFC is an acronym for `Request For Comment' and it is the standard means of submitting and documenting Internet protocol standards. There are many RFC repositories. Many of these sites are ftp sites. Others provide World Wide Web access (with an associated search engine) that allows you to search the RFC database for particular keywords.
One possible source for RFCs is at Nexor RFC database. Was this section helpful? Why not Donate $2.50?
You will pretty much need to know and understand the following subsections before you actually try to configure your network. They are fundamental principles that apply regardless of the exact nature of the network you wish to deploy.
Before you start building or configuring your network, you will need certain items. The most important of these are:
Please note:
The majority of current distributions come with networking enabled. It may not be required to recompile the kernel. If you are running well known hardware you should be fine. For example: 3COM NIC, NE2000 NIC, or an Intel NIC. However, if you find yourself in the position that you do need to update the kernel, the following information is provided.
Because the kernel you are running now might not yet have support for the network types or cards that you wish to use, you will probably need the kernel source to recompile the kernel with the appropriate options.
For users of the major distributions such as Redhat, Caldera, Debian, or Suse, this no longer holds true. As long as you stay within the mainstream of hardware, there should be no need to recompile your kernel (unless there is a very specific feature that you need).
You can always obtain the latest kernel source from ftp.cdrom.com. This is not the official site, but they have LOTS of bandwidth and capacity. The official site is kernel.org, however, please use the above URL if you can. Please remember that ftp.kernel.org is seriously overloaded. Use a mirror.
Normally the kernel source will be untarred into the /usr/src/linux directory. For information on how to apply patches and build the kernel, you should read the Kernel-HOWTO. For information on how to configure kernel modules, you should read the ``Modules mini-HOWTO''. The README file found in the kernel sources and the Documentation directory are very informative: for the brave reader!
Unless specifically stated, I recommend you stick with the standard kernel release (the one with the even number as the second digit in the version number). Development release kernels (the ones with the odd second digit) may have structural or other changes that may cause problems working with other software on your system. If you are uncertain that you could resolve those sorts of problems, then don't use Development release kernels.
Internet Protocol Addresses are composed of four bytes. The convention is to write addresses in what is called `dotted decimal notation'. In this form, each byte is converted to a decimal number, (0-255). It drops any leading zeros (unless the number is zero) and written with each byte separated by a `.' character. By convention, each interface of a host or router has an IP address. It is legal for the same IP address to be used on each interface of a single machine, but usually each interface will have its own address.
Internet Protocol Networks are contiguous sequences of IP addresses. All addresses within a network have a number of digits within the address in common. The portion of the address that is common amongst all addresses within the network is called the `network portion' of the address. The remaining digits are called the `host portion'. The number of bits that are shared by all addresses within a network is called the netmask. It is the role of the netmask to determine which addresses belong to the network it is applied to and which don't belong. For example, consider the following:
----------------- --------------- Host Address 192.168.110.23 Network Mask 255.255.255.0 Network Portion 192.168.110. Host portion .23 ----------------- --------------- Network Address 192.168.110.0 Broadcast Address 192.168.110.255 ----------------- --------------- |
Any address that is 'bitwise anded' with its netmask will reveal the address of the network that it belongs to. The network address is therefore always the lowest numbered address within the range of addresses on the network, and it always has the host portion of the address coded in all zeroes.
The broadcast address is a special address that every host on the network listens to (in addition to its own unique address). This address is the one that datagrams are sent to if every host on the network is meant to receive it. Certain types of data, like routing information and warning messages, are transmitted to the broadcast address so that every host on the network can receive it simultaneously. There are two commonly used standards for the broadcast address. The most widely accepted one is to use the highest possible address on the network as the broadcast address. In the above example, this would be 192.168.110.255. For some reason other sites have adopted the convention of using the network address as the broadcast address. In practice it doesn't matter very much which you use, but you must make sure that every host on the network is configured with the same broadcast address.
For administrative reasons (some time early in the development of the IP protocol), some arbitrary groups of addresses were formed into networks. These networks were grouped into what are called classes. Classes provide a number of standard size networks that could be allocated. The ranges allocated are:
-------------------------------------------------------------------------------- | Network | Netmask | Network Addresses | | Class | | | -------------------------------------------------------------------------------- | A | 255.0.0.0 | 0.0.0.0 - 127.255.255.255 | | B | 255.255.0.0 | 128.0.0.0 - 191.255.255.255 | | C | 255.255.255.0 | 192.0.0.0 - 223.255.255.255 | |Multicast| 240.0.0.0 | 224.0.0.0 - 239.255.255.255 | -------------------------------------------------------------------------------- |
What addresses you should use depends on exactly what it is that you are doing. You may have to use a combination of the following activities to get all the addresses you need:
If you wish to install a Linux machine onto an existing IP network, then you should contact the network administrator and ask them for the following information:
Host IP Address
IP network address
IP broadcast address
IP netmask
Router address
Domain Name Server Address
You should then configure your linux network device with those details. You can not make them up and expect your configuration to work.
If you are building a private network, and you never intend that network to be connected to the Internet, then you can choose whatever addresses you like. However, for safety and consistency reasons, there have been some IP network addresses that have been reserved specifically for this purpose. These are specified in RFC1597 and are as follows:
----------------------------------------------------------- | RESERVED PRIVATE NETWORK ALLOCATIONS | ----------------------------------------------------------- | Network | Netmask | Network Addresses | | Class | | | ----------------------------------------------------------- | A | 255.0.0.0 | 10.0.0.0 - 10.255.255.255 | | B | 255.255.0.0 | 172.16.0.0 - 172.31.255.255 | | C | 255.255.255.0 | 192.168.0.0 - 192.168.255.255 | ----------------------------------------------------------- |
You should first decide how large you want your network to be, then choose as many of the addresses as you require.
There are a few different approaches to Linux system boot procedures. After the kernel boots, it always executes a program called `init'. The init program then reads its configuration file called /etc/inittab and commences the boot process. There are a few different flavors of init Everyone now seems to be gravitating to the System V (Five) flavor, developed by Miguel van Smoorenburg.
Despite the fact that the init program is always the same, the setup of system boot is organized in a different way by each distribution.
Usually the /etc/inittab file contains an entry looking something like:
si::sysinit:/etc/init.d/boot |
This line specifies the name of the shell script file that actually manages the boot sequence. This file is somewhat equivalent to the AUTOEXEC.BAT file in MS-DOS.
There are usually other scripts that are called by the boot script, and often the network is configured within one of these scripts.
The following table may be used as a guide for your system:
--------------------------------------------------------------------------- Distrib. | Interface Config/Routing | Server Initialization --------------------------------------------------------------------------- Debian | /etc/init.d/network | /etc/rc2.d/* --------------------------------------------------------------------------- Slackware| /etc/rc.d/rc.inet1 | /etc/rc.d/rc.inet2 --------------------------------------------------------------------------- RedHat | /etc/rc.d/init.d/network | /etc/rc.d/rc3.d/* --------------------------------------------------------------------------- |
Note that Debian and Red Hat use a whole directory to host scripts that fire up system services (and usually information does not lie within these files: for example, Red Hat systems store all of system configuration in files under /etc/sysconfig, where it is retrieved by boot scripts). If you want to grasp the details of the boot process, my suggestion is to check /etc/inittab and the documentation that accompanies init. Linux Journal is also going to publish an article about system initialization, and this document will point to it as soon as it is available on the web.
Most modern distributions include a program that will allow you to configure many of the common sorts of network interfaces. If you have one of these, you should see if it will do what you want before attempting a manual configuration.
----------------------------------------- Distrib | Network configuration program ----------------------------------------- RedHat | /usr/bin/netcfg Slackware | /sbin/netconfig ----------------------------------------- |
In many Unix operating systems, the network devices have appearances in the /dev directory. This is not so in Linux. In Linux, the network devices are created dynamically in software, and they do not require device files to be present.
In the majority of cases, the network device is automatically created by the device driver (while it is initializing and locating your hardware). For example, the Ethernet device driver creates eth[0..n] interfaces sequentially as it locates your Ethernet hardware. The first Ethernet card found becomes eth0, the second eth1 etc.
In some cases though, notably with slip and ppp, the network devices are created through the action of some user program. The same sequential device numbering applies, but the devices are not created automatically at boot time. The reason for this is that unlike Ethernet devices, the number of active slip or ppp devices may vary during the uptime of the machine. These cases will be covered in more detail in later sections. Was this section helpful? Why not Donate $2.50?
When you have all of the programs you need (and your address and network information), you can configure your network interfaces. When we talk about configuring a network interface, we are talking about two items. One is the process of assigning appropriate addresses to a network device. The second is setting the appropriate values for other configurable parameters of a network device. The program most commonly used to do this is the ifconfig (interface configure) command.
Typically you would use a command similar to the following:
root# ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up |
In this example, I'm configuring an Ethernet interface `eth0' with the IP address `192.168.0.1' and a network mask of `255.255.255.0'. The `up' that trails the command tells the interface that it should become active (but can usually be omitted) since it is the default. To shutdown an interface, you can just call ``ifconfig eth0 down''.
The kernel assumes certain defaults when you are configuring interfaces. For example, you may specify the network address and broadcast address for an interface. If you don't (as in my example above), then the kernel will make reasonable guesses as to what these addresses should be. If you don't supply a netmask then on the network class of the IP address is auto-configured. In my example, the kernel would assume that it is a class-C network that is being configured on the interface. It would thus configure a network address of `192.168.0.0' ,and a broadcast address of `192.168.0.255' for the interface.
There are many other options to the ifconfig command. The most important of these are:
This option activates an interface (and it is the default).
This option deactivates an interface.
This option enables or disables use of the address resolution protocol on this interface .
This option enables or disables the reception of all hardware multicast packets. Hardware multicast enables groups of hosts to receive packets addressed to special destinations. This may be of importance if you are using applications like desktop video conferencing. This option is normally not used.
This parameter allows you to set the MTU of this device.
This parameter allows you to set the network mask of the network. This device belongs to:
This parameter only works on certain types of hardware. It allows you to set the hardware IRQ of this device.
This parameter allows you to enable and set the accepting of datagrams destined to the broadcast address.It also allows you to disable reception of these datagrams.
This parameter allows you to set the address of the machine at the remote end of a Point-to-Point link (ie; for slip or ppp).
This parameter allows you to set the hardware address of certain types of network devices. This is not often useful for Ethernet, but is useful for other network types like AX.25.
With the release of Kernel 2.2, there are a number of options available that are not listed above. Some of the most interesting ones are tunneling and IPV6. The ifconfig parameters for kernel 2.2 are listed below.
The name of the interface. This is usually a driver name followed by a unit number. For example, eth0 for the first Ethernet interface.
This flag causes the interface to be activated. It is implicitly specified if an address is assigned to the interface.
This flag causes the driver for this interface to be shut down.
Enables or disables the use of the ARP protocol on this interface.
Enables or disables the promiscuous mode of the interface. If selected, all packets on the network will be received by the interface.
Enables or disables all-multicast mode. If selected, all multicast packets on the network will be received by the interface.
This parameter sets the interface metric.
This parameter sets the Maximum Transfer Unit (MTU) of an interface.
Sets the remote IP address for a point-to-point link (such as PPP). This keyword is now obsolete; you should now use the pointopoint keyword.
Sets the IP network mask for this interface. This value defaults to the usual class A, B or C network mask (as derived from the interface IP address). It can, however, be set to any value.
Adds an IPv6 address to an interface.
Removes an IPv6 address from an interface.
Creates a new SIT (IPv6-in-IPv4) device that tunnels to the given destination.
Sets the interrupt line used by this device. Not all devices can dynamically change their IRQ set- ting.
Sets the start address in I/O space for this device.
Set the start address for shared memory used by this device. Only a few devices need this parameter.
Sets the physical port (or medium type) to be used by the device. Not all devices can change this set- ting. Those that can change the setting vary in what values they support. Typical values for type are 10base2 (thin Ethernet), 10baseT (twisted-pair 10Mbps Ethernet), AUI (external transceiver) and so on. The special medium type of auto can be used to tell the driver to auto-sense the media. Again, not all drivers can do this.
If the address argument is given, set the protocol broadcast address for this interface. Otherwise, set (or clear) the IFF_BROADCAST flag for the interface.
This keyword enables the point-to-point mode of an interface. This means that it is a direct link between two machines, and that nobody else is listening on it. If the address argument is also given, set the pro- tocol address of the other side of the link ( just as the obsolete dstaddr keyword does). Otherwise, set or clear the IFF_POINTOPOINT flag for the interface.
Set the hardware address of this interface (if the device driver supports this operation). The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).
Set the multicast flag on the interface. This should not normally be needed because the drivers set the flag correctly themselves.
The IP address to be assigned to this interface.
Sets the length of the transmit queue of the device. It is useful to set this to small values for slower devices with a high latency (modem links, ISDN). This prevents fast bulk transfers from disturbing inter- active traffic (like telnet) too much.
You may use the ifconfig command on any network interface. Some user programs such as pppd and dip automatically configure the network devices as they create them, so manual use of ifconfig is unnecessary.
The `Name Resolver' is a part of the linux standard library. Its prime function is to provide a service to convert human-friendly hostnames (like `ftp.funet.fi' ) into machine friendly IP addresses (such as 128.214.248.6).
You will probably be familiar with the appearance of Internet host names, but you may not understand how they are constructed or de-constructed. Internet domain names are hierarchical in nature. In other words, they have a tree-like structure. A `domain' is a family, or group, of names. A `domain' may be broken down into a `subdomain'. A `top level domain' is a domain that is not a subdomain. The Top Level Domains are specified in RFC-920. Some examples of the most common top level domains are:
Commercial Organizations
Educational Organizations
Government Organizations
Military Organizations
Other Organizations
Internet-Related Organizations
These are two- letter codes that represent a particular country.
For historical reasons, most domains belonging to one of the non-country based top level domains were used by organizations within the United States (even though the United States also has its own country code `.us'). This is not true any more for .com and .org domains, which are commonly used by non-us companies.
Each of these top level domains has subdomains. The top level domains based on country name are often next broken down into subdomains based on the com, edu, gov, mil and org domains. So for example you end up with: com.au and gov.au for commercial and government organizations in Australia; note that this is not a general rule, as actual policies depend on the naming authority for each domain.
The next level of division usually represents the name of the organization. Further subdomains vary in nature. Often the next level of subdomain is based on the departmental structure of the organization. It can, however, be based on any criterion considered reasonable and meaningful by the network administrators of the organization.
The very left-most portion of the name is always the unique name assigned to the host machine. It is called the `hostname'. The portion of the name to the right of the hostname is called the `domainname' and the complete name is called the `Fully Qualified Domain Name'.
To use Terrys host as an example, the fully qualified domain name is `perf.no.itg.telstra.com.au'. This means that the host name is `perf' and the domain name is `no.itg.telstra.com.au'. The domain name is based on a top level domain (based on his country Australia). And since his email address belongs to a commercial organization, `.com' is positioned as the next level domain. The name of the company is (was) `Telstra' . Their internal naming structure is based on organizational structure. In this case, the machine belongs to the Information Technology Group (Network Operations section).
Usually, the names are much shorter. For example, my ISP is called ``systemy.it'' . My non-profit organization is called ``linux.it'', without any com and org subdomain. My own host is just called ``morgana.systemy.it'' : rubini@linux.it is a valid email address. Note that the owner of a domain has the rights to register hostnames as well as subdomains. For example, the LUG I belongs to uses the domain pluto.linux.it, because the owners of linux.it agreed to open a subdomain for the LUG.
You will need to know what domain your hosts name will belong to. The name resolver software provides this name translation service by making requests to a `Domain Name Server'. You will need to know the IP address of a local name server that you can use.
There are three files you need to edit. I'll cover each of these in turn.
The /etc/resolv.conf is the main configuration file for the name resolver code. Its format is quite simple. It is a text file that has one keyword per line. There are three keywords typically used by the file. These keywords are:
This keyword specifies the local domain name.
This keyword specifies a list of alternate domain names to search for a hostname
This keyword, which may be used many times, specifies an IP address of a domain name server to query when resolving names
An example /etc/resolv.conf might look something like:
domain maths.wu.edu.au search maths.wu.edu.au wu.edu.au name server 192.168.10.1 name server 192.168.12.1 |
This example specifies that the default domain name to append to unqualified names (ie hostnames supplied without a domain) is maths.wu.edu.au . If the host is not found in that domain, it will also try the wu.edu.au domain directly. Two name server entries are supplied. These entries may be called upon by the name resolver code to resolve the name.
The /etc/host.conf file is where you configure some items that govern the behavior of the name resolver code. The format of this file is described in detail in the `resolv+' man page. In nearly all circumstances, the following example will work for you:
order hosts,bind multi on |
This configuration tells the name resolver to check the /etc/hosts file before attempting to query a name server. It also tells the resolver to return all valid addresses for a host found in the /etc/hosts file (instead of just the first address).
The /etc/hosts file is where you put the name and IP address of local hosts. If you place a host in this file, then you do not need to query the domain name server to get its IP Address. The disadvantage of doing this is that if the IP address for that host changes, you must keep this file up to date yourself . In a well managed system, the only hostnames that usually appear in this file are an entry for the loopback interface, and also the local hosts name.
# /etc/hosts 127.0.0.1 localhost loopback 192.168.0.1 this.host.name |
You may specify more than one host name per line (as demonstrated by the first entry), which is a standard entry for the loopback interface.
If you want to run a local name server, you can do it easily. Please refer to the DNS-HOWTO and to any documents included in your version of BIND (Berkeley Internet Name Domain).
The `loopback' interface is a special type of interface that allows you to make connections to yourself. There are various reasons why you might want to do this. For example, you may wish to test some network software without interfering with anybody else on your network. By convention, the IP address `127.0.0.1' has been assigned specifically for loopback. No matter what machine you go to, if you open a telnet connection to 127.0.0.1 you will always reach the local host.
Configuring the loopback interface is simple, and it must be done (but note that this task is usually performed by the standard initialization scripts).
root# ifconfig lo 127.0.0.1 root# route add -host 127.0.0.1 lo |
We'll talk more about the route command in the next section. Was this section helpful? Why not Donate $2.50?
Routing is a big topic. It is easily possible to write large volumes of text about the subject. Most of you will have fairly simple routing requirements; some of you will not. I will cover some basic fundamentals of routing only. If you are interested in more detailed information, then I suggest you refer to the references provided at the start of this document.
Let's start with a definition. What is IP routing? Here is one that I'm using:
"IP Routing is the process by which a host with multiple network connections decides where to deliver the IP datagrams that it has received."
It might be useful to illustrate this with an example. Imagine a typical office router. It might have a PPP link off the Internet, a number of Ethernet segments feeding the workstations, and another PPP link off to another office. When the router receives a datagram on any of its network connections, it uses the routing mechanism to determine which interface it should send the datagram to next. Simple hosts also need to route. All Internet hosts have two network devices, one is the loopback interface described above, and the other is the one it uses to talk to the rest of the network (perhaps an Ethernet, perhaps a PPP, or an SLIP serial interface).
Ok, so how does routing work ? Each host keeps a special list of routing rules called a "routing table". This table contains rows which typically contain at least three fields: the first is a destination address, the second is the name of the interface where the datagram is to be routed, and the third is optionally the IP address of another machine that carries the datagram on its next step through the network. You can see this table in linux by using the following command:
user% cat /proc/net/route |
or by using either of the following commands:
user% /sbin/route -n user% netstat -r |
The routing process is fairly simple. The incoming datagram is received, the destination address (who it is for) is examined, and then it is compared with each entry in the table. The entry that best matches that address is selected, and the datagram is forwarded to the specified interface. If the gateway field is filled, then the datagram is forwarded to that host via the specified interface. The destination address is otherwise assumed to be on the network supported by the interface.
To manipulate this table, a special command is used. This command takes command line arguments and converts them into kernel system calls. These calls request the kernel to add, delete, or modify entries in the routing table. The command is called `route'.
Here is a simple example. Imagine you have an Ethernet network. You've been told it is a class-C network with an address of 192.168.1.0. You've been supplied with an IP address of 192.168.1.10 for your use, and you have been told that 192.168.1.1 is a router connected to the Internet.
The first step is to configure the interface as described earlier. You would use a command similar to the following:
root# ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up |
You now need to add an entry into the routing table to tell the kernel that datagrams for all hosts with addresses that match 192.168.1.* should be sent to the ethernet device. You would use a command similar to:
root# route add -net 192.1Ethernetetmask 255.255.255.0 eth0 |
Note the use of the `-net' argument to tell the route program that this entry is a network route. Your other choice here is a `-host' route, which is a route that is specific to one IP address.
This route will enable you to establish IP connections with all of the hosts on your ethernet segment. But what about all of the IP hosts that aren't on your ethernet segment?
It would be a very difficult job to have to add routes to every possible destination network. There is a special trick that is used to simplify this task. The trick is called the `default' route. The default route matches every possible destination (but poorly). If any other entry exists that matches the required address, it will be used instead of the default route. The idea of the default route is simply to enable you to say in effect: "and everything else should go here". In this example you would use an entry like:
root# route add default gw 192.168.1.1 eth0 on them |
The `gw' argument tells the route command that the next argument is the IP address, or name, of a gateway or router machine. This machine is where all datagrams matching the entry should be directed to for further routing. on them
So, your complete configuration would look like:
root# ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0 root# route add default gw 192.168.1.1 eth0 on them |
If you take a close look at your network `rc' files, you will find that at least one of them looks very similar to this configuration (a very common one).
Let's now look at a slightly more complicated routing configuration. Let's imagine we are configuring the router we looked at earlier (the one supporting the PPP link to the Internet, and the lan segments feeding the workstations in the office). Lets imagine the router has three ethernet segments, and it also has one PPP link. Our routing configuration would look something like the fEthernet:
root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0 root# route add -net 192.168.2.0 netmask 255.255.255.0 eth1 root# route add -net 192.168.3.0 netmask 255.255.255.0 eth2 root# route add default ppp0 |
Each of the workstations would use the simpler form presented above. Only the router needs to specify each of the network routes separately. The default route for the workstations mechanism will capture all of them, letting the router worry about splitting them up appropriately. You may be wondering why the default route presented doesn't specify a `gw'. The reason for this is simple: serial link protocols such as PPP and SLIP only have two hosts on their network (one at each end). To specify the host at the other end of the link as the gateway is both pointless and redundant. You do not need to specify a gateway for these types of network connections as there is no other choice. Other network types, such as ethernet, arcnet, or token ring, do actually require the gateway to be specified (as these networks support Ethernetmbers of hosts ).
The routing configuration described above is best suited for simple network arrangements where there are only single possible paths to destinations. When you have a more complex network arrangement, things get a little more complicated. Fortunately for most of you this won't be an issue.
The big problem with `manual routing' or `static routing' is that if a machine or link fails in your network, the only way to re-direct your datagrams (if another way in fact exists) is by manually intervening and executing the appropriate commands. Naturally this is clumsy, slow, impractical, and hazard prone. Various techniques have been developed to automatically adjust routing tables in the event of network failures (where there are alternate routes). All of these techniques are loosely grouped by the term `dynamic routing protocols'.
You may have heard of some of the more common dynamic routing protocols. The most common are probably RIP (Routing Information Protocol) and OSPF (Open Shortest Path First Protocol). The Routing Information Protocol is very common on small networks (such as small-medium sized corporate networks or building networks). OSPF is more modern. It is more capable at handling large network configurations, and it is better suited to environments where there is a large number of possible paths through the network. Common implementations of these protocols are: `routed' - RIP and `gated' - RIP, OSPF and others. The `routed' program is normally supplied with your Linux distribution, or it is included in the `NetKit' package detailed above.
An example of where and how you might use a dynamic routing protocol might look something like the following:
192.168.1.0 / 192.168.2.0 /
255.255.255.0 255.255.255.0
- -
| |
| /-----\ /-----\ |
| | |ppp0 // ppp0| | |
eth0 |---| A |------//---------| B |---| eth0
| | | // | | |
| \-----/ \-----/ |
| \ ppp1 ppp1 / |
- \ / -
\ /
\ /
\ /
\ /
\ /
\ /
\ /
\ /
ppp0\ /ppp1
/-----\
| |
| C |
| |
\-----/
|eth0
|
|---------|
192.168.3.0 /
255.255.255.0 |
We have three routers A, B and C. Each router supports one ethernet segment with a Class C IP network (netmask 255.255.255.0). Each one also has a PPP link to each of tEthernet routers. The network ultimately forms a triangle.
It should be clear that the routing table at router A could look like the following:
root# route add -net 192.168.1.0 netmask 255.255.255.0 eandth0 root# route add -net 192.168.2.0 netmask 255.255.255.0 ppp0 root# route add -net 192.168.3.0 netmask 255.255.255.0 ppp1 |
This would work just fine until the link between router A and B fails. Hosts on the ethernet segment of A (see above diagram) could not reach hosts on the ethernet segment on B: their datagramEthernete directed to router As ppp0 link (which in this example is broEthernetey could still continue to talk to hosts on the ethernet segment of C. And hosts on CCsethernet segment could still talk to hosts on BBsethernet segment. TheEthernetnications can still occur because the link between B and C is still intact.
If A can talk to C, and C can still talk to B, why shouldn't A route its datagrams for B via C (and let C send them to B) ? This is exactly the sort of problem that dynamic routing protocols like RIP were designed to solve. If each of the routers A, B and C were running a routing daemon, then their routing tables would be automatically adjusted to reflect the new state of the network (should any one of the links in the network fail). To configure such a network is simple: at each router you need only do two things. In this case for Router A:
root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0 root# /usr/sbin/routed |
The `routed' routing daemon automatically finds all active network ports (when it sends and listens for messages on each of the network devices) to allow it to both determine and update the routing table on the host.
This has been a very brief explanation of dynamic routing. If you would like more information, please refer to the suggested references listed at the top of this document.
The important points relating to dynamic routing are:
You only need to run a dynamic routing protocol daemon when your Linux machine has the possibility of selecting multiple route alternatives to a destination. An example of this would be if you plan to use IP Masquerading.
The dynamic routing daemon will automatically modify your routing table to adjust to changes in your network.
RIP is suitable for small to medium sized networks.
Network servers and services are programs that allow a remote user to make use of your Linux machine. Server programs listen on network ports. Network ports are a means of addressing a particular service on any particular host. They are how a server knows the difference between an incoming telnet connection and an incoming ftp connection. The remote user establishes a network connection to your machine. The server program (the network daemon program) listening on that port accepts the connection and then executes. There are two ways that network daemons may operate. Both are commonly employed in practice. The two ways are:
The network daemon program listens on the designated network port. When an incoming connection is made, the daemon manages the network connection itself to provide the service.
The inetd server is a special network daemon program that specializes in managing incoming network connections. It has a configuration file which tells it what program needs to be run upon receiving an incoming connection. Any service port may be configured for either of the tcp or udp protocols. The ports are described in another file that we will soon review..
There are two important files that need to be configured. They are the /etc/services file (which assigns names to port numbers), and the /etc/inetd.conf file (the configuration file for the inetd network daemon).
The /etc/services file is a simple database that associates a human friendly name to a machine friendly service port. Its format is quite simple. The file is a text file where each line represents and entry in the database. Each entry is comprised of three fields separated by any number of whitespace (tab or space) characters. The fields are:
name port/protocol aliases # comment
A single word name that represents the service being described.
This field is split into two subfields.
A number that specifies the port number where the named service will be available. Most of the common services have assigned service numbers. These are described in RFC-1340.
This subfield may be set to either tcp or udp.
It is important to note that an entry of 18/tcp is very different from an entry of 18/udp There is no technical reason why the same service needs to exist on both. Normally common sense prevails. It is only if a particular service is available via both tcp and udp that you will see an entry for both.
Other names that may be used to refer to this service entry.
Any text appearing in a line after a `#' character is ignored, and it is treated as a comment.
All modern linux distributions provide a good /etc/services file. Just in case you happen to be building a machine from the ground up, here is a copy of the /etc/services file supplied with an old Debian distribution:
# /etc/services: # $Id: Net-HOWTO.sgml,v 1.1.1.1 2001/01/17 19:55:16 lx Exp $ # # Network services, Internet style # # Note that it is presently the policy of IANA to assign a single well-known # port number for both TCP and UDP; hence, most entries here have two entries # even if the protocol doesn't support UDP operations. # Updated from RFC 1340, ``Assigned Numbers'' (July 1992). Not all ports # are included (only the more common ones): tcpmux 1/tcp # TCP port service multiplexer echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users daytime 13/tcp daytime 13/udp netstat 15/tcp qotd 17/tcp quote msp 18/tcp # message send protocol msp 18/udp # message send protocol chargen 19/tcp ttytst source chargen 19/udp ttytst source ftp-data 20/tcp ftp 21/tcp ssh 22/tcp # SSH Remote Login Protocol ssh 22/udp # SSH Remote Login Protocol telnet 23/tcp # 24 - private smtp 25/tcp mail # 26 - unassigned time 37/tcp timserver time 37/udp timserver rlp 39/udp resource # resource location nameserver 42/tcp name # IEN 116 whois 43/tcp nicname re-mail-ck 50/tcp # Remote Mail Checking Protoconame server re-mail-ck 50/udp # Remote Mail Checking Protocol domain 53/tcp nameserver # name-domain server domain 53/udp nameserver mtp 57/tcp # deprecated bootps 67/tcname serverTP server bootps 67/udp bootpc 68/tcname serverTP client bootpc 68/udp tftp 69/udp gopher 70/tcp # Internet Gopher gopher 70/udp rje 77/tcp netrjs finger 79/tcp www 80/tcp http # WorldWideWeb HTTP www 80/udp # HyperText Transfer Protocol link 87/tcp ttylink kerberos 88/tcp kerberos5 krb5 # Kerberos v5 kerberos 88/udp kerberos5 krb5 # Kerberos v5 supdup 95/tcp # 100 - reserved hostnames 101/tcp hostname # usually from sri-nic iso-tsap 102/tcp tsap # part of ISODE. csnet-ns 105/tcp cso-ns # also used by CSO name server csnet-ns 105/udp cso-ns rtelnet 107/tcp # Remote Telnet rtelnet 107/udp pop-2 109/tcp postoffice # POP version 2 pop-2 109/udp pop-3 110/tcp # POP version 3 pop-3 110/udp sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP auth 113/tcp authentication tap ident sftp 115/tcp uucp-path 117/tcp nntp 119/tcp readnews untp # USENET News Transfer Protocol ntp 123/tcp ntp 123/udp # Network Time Protocol netbios-ns 137/tcp # NETBIOS Name Service netbios-ns 137/udp netbios-dgm 138/tcp # NETBIOS Datagram Service netbios-dgm 138/udp netbios-ssn 139/tcp # NETBIOS session service netbios-ssn 139/udp imap2 143/tcp # Interim Mail Access Proto v2 imap2 143/udp snmp 161/udp # Simple Net Mgmt Proto snmp-trap 162/udp snmptrap # Traps for SNMP cmip-man 163/tcp # ISO mgmt over IP (CMOT) cmip-man 163/udp cmip-agent 164/tcp cmip-agent 164/udp xdmcp 177/tcp # X Display Mgr. Control Proto xdmcp 177/udp nextstep 178/tcp NeXTStep NextStep # NeXTStep window nextstep 178/udp NeXTStep NextStep # server bgp 179/tcp # Border Gateway Proto. bgp 179/udp prospero 191/tcp # Cliff Neuman's Prospero prospero 191/udp irc 194/tcp # Internet Relay Chat irc 194/udp smux 199/tcp # SNMP Unix Multiplexer smux 199/udp at-rtmp 201/tcp # AppleTalk routing at-rtmp 201/udp at-nbp 202/tcp # AppleTalk name binding at-nbp 202/udp at-echo 204/tcp # AppleTalk echo at-echo 204/udp at-zis 206/tcp # AppleTalk zone information at-zis 206/udp z3950 210/tcp wais # NISO Z39.50 database z3950 210/udp wais ipx 213/tcp # IPX ipx 213/udp imap3 220/tcp # Interactive Mail Access imap3 220/udp # Protocol v3 ulistserv 372/tcp # UNIX Listserv ulistserv 372/udp # # UNIX specific services # exec 512/tcp biff 512/udp comsat login 513/tcp who 513/udp whod shell 514/tcp cmd # no passwords used syslog 514/udp printer 515/tcp spooler # line printer spooler talk 517/udp ntalk 518/udp route 520/udp router routed # RIP timed 525/udp timeserver tempo 526/tcp newdate courier 530/tcp rpc conference 531/tcp chat netnews 532/tcp readnews netwall 533/udp # -for emergency broadcasts uucp 540/tcp uucpd # uucp daemon remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem klogin 543/tcp # Kerberized `rlogin' (v5) kshell 544/tcp krcmd # Kerberized `rsh' (v5) kerberos-adm 749/tcp # Kerberos `kadmin' (v5) # webster 765/tcp # Network dictionary webster 765/udp # # From ``Assigned Numbers'': # #> The Registered Ports are not controlled by the IANA and on most systems #> can be used by ordinary user processes or programs executed by ordinary #> users. # #> Ports are used in the TCP [45,106] to name the ends of logical #> connections which carry long term conversations. For the purpose of #> providing services to unknown callers, a service contact port is #> defined. This list specifies the port used by the server process as its #> contact port. While the IANA can not control uses of these ports it #> does register or list uses of these ports as a convenience to the #> community. # ingreslock 1524/tcp ingreslock 1524/udp prospero-np 1525/tcp # Prospero non-privileged prospero-np 1525/udp rfe 5002/tcp # Radio Free Ethernet rfe 5002/udp # Actually uses UDP only bbs 7000/tcp # BBS service # # # Kerberos (Project Athena/MIT) services # Note that these are for Kerberos v4 and are unofficial. Sites running # v4 should uncomment these and comment out the v5 entries above. # kerberos4 750/udp kdc # Kerberos (server) udp kerberos4 750/tcp kdc # Kerberos (server) tcp kerberos_master 751/udp # Kerberos authentication kerberos_master 751/tcp # Kerberos authentication passwd_server 752/udp # Kerberos passwd server krb_prop 754/tcp # Kerberos slave propagation krbupdate 760/tcp kreg # Kerberos registration kpasswd 761/tcp kpwd # Kerberos "passwd" kpop 1109/tcp # Pop with Kerberos knetd 2053/tcp # Kerberos de-multiplexor zephyr-srv 2102/udp # Zephyr server zephyr-clt 2103/udp # Zephyr serv-hm connection zephyr-hm 2104/udp # Zephyr hostmanager eklogin 2105/tcp # Kerberos encrypted rlogin # # Unofficial but necessary (for NetBSD) services # supfilesrv 871/tcp # SUP server supfiledbg 1127/tcp # SUP debugging # # Datagram Delivery Protocol services # rtmp 1/ddp # Routing Table Maintenance Protocol nbp 2/ddp # Name Binding Protocol echo 4/ddp # AppleTalk Echo Protocol zip 6/ddp # Zone Information Protocol # # Debian GNU/Linux services rmtcfg 1236/tcp # Gracilis Packeten remote config server xtel 1313/tcp # french minitel cfinger 2003/tcp # GNU Finger postgres 4321/tcp # POSTGRES mandelspawn 9359/udp mandelbrot # network mandelbrot # Local services |
In the real world, the actual file is always growing as new services are being created. If you fear your own copy is incomplete, I'd suggest to copy a new /etc/services from a recent distribution.
The /etc/inetd.conf file is the configuration file for the inetd server daemon. Its function is to tell inetd what to do when it receives a connection request for a particular service. For each service that you wish to accept connections, you must tell inetd what network server daemon to run (and how to run it).
Its format is also fairly simple. It is a text file with each line describing a service that you wish to provide. Any text in a line following a `#' is both ignored, and it is considered a comment. Each line contains seven fields separated by any number of whitespace (tab or space) characters. The general format is as follows:
service socket_type proto flags user server_path server_args |
Is the service relevant to this configuration as taken from the /etc/services file.
This field describes the type of socket that this entry will consider relevant. Allowable values are: stream, dgram, raw, rdm, or seqpacket. This is a little technical in nature. As a rule of thumb nearly all tcp based services use stream, and nearly all udp based services use dgram. It is only very special types of server daemons that would use any of the other values.
The protocol to be considered valid for this entry. This should match the appropriate entry in the /etc/services file. It will typically be either tcp or udp. Sun RPC (Remote Procedure Call) based servers will use eitherrpc/tcp or rpc/udp.
There are really only two possible settings for this field. This field setting tells inetd whether the network server program frees the socket after it has been started (whether inetd can start another one on the next connection request), or, whether inetd should wait and assume that any server daemon already running will handle the new connection request. This is a little tricky to work out, but as a rule of thumb all tcp servers should have this entry set to nowait. Most udp servers should have this entry set to wait. Be warned there are some notable exceptions. You should let the example guide you if you are not sure.
This field describes which user account from /etc/passwd will be set as the owner of the network daemon when it is started. This is often useful if you want to safeguard against security risks. You can set the user of an entry to the nobody user. If the network server security is breached, the possible damage is minimized by using nobody. Typically this field is set to root, because many servers require root privileges in order to function correctly.
This field is pathname to the athoughctual server program to execute for this entry.
This field comprises the rest of the line and it is optional. This field is where you place any command line arguments that you wish to pass to the server daemon program when it is launched.
As for the /etc/services file all modern distributions will include a good /etc/inetd.conf file for you to work with. Here is the /etc/inetd.conf file from the Debian distribution.
# /etc/inetd.conf: see inetd(8) for further informations. # # Internet server configuration database # # # Modified for Debian by Peter Tobias <tobias@et-inf.fho-emden.de> # # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args> # # Internal services # #echo stream tcp nowait root internal #echo dgram udp wait root internal discard stream tcp nowait root internal discard dgram udp wait root internal daytime stream tcp nowait root internal daytime dgram udp wait root internal #chargen stream tcp nowait root internal #chargen dgram udp wait root internal time stream tcp nowait root internal time dgram udp wait root internal # # These are standard services. # telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd #fsp dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.fspd # # Shell, login, exec and talk are BSD protocols. # shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd talk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.talkd ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd # # Mail, news and uucp services. # smtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.smtpd #nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/in.nntpd #uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico #comsat dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.comsat # # Pop et al # #pop-2 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.pop2d #pop-3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.pop3d # # `cfinger' is for the GNU finger server available for Debian. (NOTE: The # current implementation of the `finger' daemon allows it to be run as `root'.) # #cfinger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.cfingerd #finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd #netstat stream tcp nowait nobody /usr/sbin/tcpd /bin/netstat #systat stream tcp nowait nobody /usr/sbin/tcpd /bin/ps -auwwx # # Tftp service is provided primarily for booting. Most sites # run this only on machines acting as "boot servers." # #tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd #tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /boot #bootps dgram udp wait root /usr/sbin/bootpd bootpd -i -t 120 # # Kerberos authenticated services (these probably need to be corrected) # #klogin stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind -k #eklogin stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind -k -x #kshell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd -k # # Services run ONLY on the Kerberos server (these probably need to be corrected) # #krbupdate stream tcp nowait root /usr/sbin/tcpd /usr/sbin/registerd #kpasswd stream tcp nowait root /usr/sbin/tcpd /usr/sbin/kpasswdd # # RPC based services # #mountd/1 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.mountd #rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.rstatd #rusersd/2-3 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.rusersd #walld/1 dgram rpc/udp wait root /usr/sbin/tcpd /usr/sbin/rpc.rwalld # # End of inetd.conf. ident stream tcp nowait nobody /usr/sbin/identd identd -i |
There are a number of miscellaneous files relating to network configuration under linux that might be of interest. You may never have to modify these files, but it is worth describing them so you know what they contain and why they are used.
The /etc/protocols file is a database that maps protocol id numbers against protocol names. This is used by programmers to allow them to specify protocols by name in their programs. The file is also used by some programs such as tcpdump to allow them to display names instead of numbers in their output. The general syntax of the file is:
protocolname number aliases |
The /etc/protocols file supplied with the Debian distribution is as follows:
# /etc/protocols: # $Id: Net-HOWTO.sgml,v 1.1.1.1 2001/01/17 19:55:16 lx Exp $ # # Internet (IP) protocols # # from: @(#)protocols 5.1 (Berkeley) 4/17/89 # # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992). ip 0 IP # Internet protocol, pseudo protocol number icmp 1 ICMP # Internet control message protocol igmp 2 IGMP # Internet Group Management ggp 3 GGP # gateway-gateway protocol ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'') st 5 ST # ST datagram mode tcp 6 TCP # transmission control protocol egp 8 EGP # exterior gateway protocol pup 12 PUP # PARC universal packet protocol udp 17 UDP # user datagram protocol hmp 20 HMP # host monitoring protocol xns-idp 22 XNS-IDP # Xerox NS IDP rdp 27 RDP # "reliable datagram" protocol iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4 xtp 36 XTP # Xpress Tranfer Protocol ddp 37 DDP # Datagram Delivery Protocol idpr-cmtp 39 IDPR-CMTP # IDPR Control MessTransfernsport rspf 73 RSPF # Radio Shortest Path First. vmtp 81 VMTP # Versatile Message Transport ospf 89 OSPFIGP # Open Shortest Path First IGP ipip 94 IPIP # Yet Another IP encapsulation encap 98 ENCAP # Yet Another IP encapsulation |
The /etc/networks file has a similar function to that of the /etc/hosts file.This file provides a simple database of network names against network addresses. Its format differs in that there may be only two fields per line, and that the fields are coded as:
networkname networkaddress |
An example might look like:
loopnet 127.0.0.0 localnet 192.168.0.0 amprnet 44.0.0.0 |
You will get a display of the network name (NOT its address) while using a command like route in the following instance: the destination is a network, and that network has an entry in the /etc/networks file.
Let me start this section by warning you that securing your machine and network against malicious attack is a complex art. I do not consider myself an expert in this field. The following mechanisms I describe will help. If you are serious about security, then I recommend you do some research of your own into the subject. There are many good references on the Internet relating to the security, including the Security-HOWTO
An important rule of thumb is: `Don't run servers you don't intend to use'. Many distributions come configured with all sorts of services that are configured and automatically started. To ensure even a minimum level of safety, you should go through your /etc/inetd.conf file. Comment out (place a `#' at the start of the line) any entries for services you don't intend to use. Good candidates are services such as: shell, login, exec, uucp, ftp and informational services such as finger, netstat and systat.
There are all sorts of security and access control mechanisms. I'll now describe the most elementary:
The /etc/ftpusers file is a simple mechanism that allows you to deny certain users from logging into your machine via ftp. When an incoming ftp connection is received, the /etc/ftpusers file is read by the ftp daemon program (ftpd). The file is a simple list of those users who are not allowed login. It might look something like:
# /etc/ftpusers - users not allowed to login via ftp root uucp bin mail |
The /etc/securetty file allows you to specify which tty devices root are allowed for login. The /etc/securetty file is read by the login program (usually /bin/login). Its format is a list of the tty devices names allowed: on all others root login is disallowed:
# /etc/securetty - tty's on which root is allowed to login tty1 tty2 tty3 tty4 |
The tcpd program listed in the samone /etc/inetd.conf provides logging and access control mechanisms to services. It is configured to protect.
When it is invoked by the inetd program, it reads two files containing access rules. It will then either alallow oreny access to the server it is protecting.
It will search the rules files until the first match is found. If no match is found, then it assumes that access should be allowed to anyone. The files it searches in sequence are: /etc/hosts.allow, /etc/hosts.deny. I'll describe each of these in turn. For a complete description of this facility, you should refer to the appropriate man pages (hosts_access(5) is a good starting point).
The /etc/hosts.allow file is a configuration file of the /usr/sbin/tcpd program. The hosts.allow file contains rules describing which hosts are allowed access to a service on your machine.
The file format is quite simple:
# /etc/hosts.allow # # <service list>: <host list> [: command] |
This is a comma delimited list of server names where this rule applies. Example server names are: ftpd, telnetd and fingerd.
This is a comma delimited list of host names. You may also use IP addresses here. You may additionally specify either hostnames or addresses using wildcard characters to match groups of hosts. Examples include: gw.vk2ktj.ampr.org to match a specific host, .uts.edu.au to match any hostname ending in that string, 44. to match any IP address commencing with those digits. There are some special tokens to simplify configuration. Some of these are: ALL matches every host, LOCAL matches any host whose name does not contain a `.' ie is in the same domain as your machine and PARANOID matches any host whose name does not match its address (name spoofing). There is one last token that is also useful. The EXCEPT token allows you to provide a list with exceptions. This will be covered in an example later.
This is an optional parameter. This parameter is the full pathname of a command that would be executed everytime this rule is matched. It could, for example, run a command that would attempt to identify who is logged onto the connecting host. It could also generate a mail message or some other warning to a system administrator that someone is attempting to connect. There are a number of expansions that may be included. Some common examples are: %h expands to the name of the connecting host or address if it doesn't have a name, %d the daemon name being called.
An example:
# /etc/hosts.allow # # Allow mail to anyone in.smtpd: ALL # All telnet and ftp to only hosts within my domain and my host at home. telnetd, ftpd: LOCAL, myhost.athome.org.au # Allow finger to anyone but keep a record of who they are. fingerd: ALL: (finger @%h | mail -s "finger from %h" root) |
The /etc/hosts.deny file is a configuration file of the /usr/sbin/tcpd program. The hosts.deny file contains rules describing which hosts are disallowed access to a service on your machine.
A simple sample would look something like this:
# /etc/hosts.deny # # Disallow all hosts with suspect hostnames ALL: PARANOID # # Disallow all hosts. ALL: ALL |
The PARANOID entry is redundant because the other entry traps everything in any case. Either of these entries would make a reasonable default (depending on your particular requirement).
Having an ALL: ALL default in the /etc/hosts.deny and then specifically enabling on those services and hosts that you want in the /etc/hosts.allow file is the safest configuration.
The hosts.equiv file is used to grant certain hosts and users access rights to accounts on your machine without having to supply a password. This is useful in a secure environment where you control all machines, but is otherwise a security hazard . Your machine is only as secure as the least secure of the trusted hosts. To maximize security, don't use this mechanism. Encourage your users not to use the .rhosts file as well.
Many sites will be interested in running an anonymous ftp server to allow other people to upload and download files without requiring a specific userid. If you decide to offer this facility, make sure you configure the ftp daemon properly for anonymous access. Most man pages for ftpd(8) describe in some length the proper procedures. You should always ensure that you follow these instructions. An important tip is to not use a copy of your /etc/passwd file in the anonymous account /etc directory. Make sure you strip out all account details (except those that you must have), otherwise you will be vulnerable to brute force password cracking techniques.
Not allowing datagrams to even reach your machine (or servers) is an excellent means of security. This is covered in depth in the Firewall-HOWTO, and (more concisely) in a later section of this document.
Here are some other (potentially religious) suggestions for you to consider:
Despite its popularity, the sendmail daemon appears with frightening regularity on security warning announcements. My recommendation is not to run it.
Be wary of these services. There are all sorts of possible exploits for them. It is difficult finding an option to services like NFS. If you configure them, make sure you are careful to whom you allow mount rights.
This section covers information specific to Ethernet, and it also covers the configuring of Ethernet Cards.
3Com 3c501 - `Avoid like the plague!'' (3c501 driver)
3Com 3c503 (3c503 driver), 3c505 (3c505 driver), 3c507 (3c507 driver), 3c509/3c509B (ISA) / 3c579 (EISA)
3Com Etherlink III Vortex Ethercards (3c590, 3c592, 3c595, 3c597) (PCI), 3Com Etherlink XL Boomerang (3c900, 3c905) (PCI) and Cyclone (3c905B, 3c980) Ethercards (3c59x driver) and 3Com Fast EtherLink Ethercard (3c515) (ISA) (3c515 driver)
3Com 3ccfe575 Cyclone Cardbus (3c59x driver)
3Com 3c575 series Cardbus (3c59x driver) (ALL PCMCIA ??)
AMD LANCE (79C960) / PCnet-ISA/PCI (AT1500, HP J2405A, NE1500/NE2100)
ATT GIS WaveLAN
Allied Telesis AT1700
Allied Telesis LA100PCI-T
Allied Telesyn AT2400T/BT ("ne" module)
Ansel Communications AC3200 (EISA)
Apricot Xen-II / 82596
Danpex EN-9400
DEC DE425 (EISA) / DE434/DE435 (PCI) / DE450/DE500 (DE4x5 driver)
DEC DE450/DE500-XA (dc21x4x) (Tulip driver)
DEC DEPCA and EtherWORKS
DEC EtherWORKS 3 (DE203, DE204, DE205)
DECchip DC21x4x "Tulip"
DEC QSilver's (Tulip driver)
Digi International RightSwitch
DLink DE-220P, DE-528CT, DE-530+, DFE-500TX, DFE-530TX
Fujitsu FMV-181/182/183/184
HP PCLAN (27245 and 27xxx series)
HP PCLAN PLUS (27247B and 27252A)
HP 10/100VG PCLAN (J2577, J2573, 27248B, J2585) (ISA/EISA/PCI)
ICL EtherTeam 16i / 32 (EISA)
Intel EtherExpress
Intel EtherExpress Pro
KTI ET16/P-D2, ET16/P-DC ISA (work jumperless andjumper lessware-configuration options)
Macromate MN-220P (PnP or NE2000 mode)
NCR WaveLAN
NE2000/NE1000 (be careful with clones)
Netgear FA-310TX (Tulip chip)
New Media Ethernet
PureData PDUC8028, PDI8023
SEEQ 8005
SMC Ultra / EtherEZ (ISA)
SMC 9000 series
SMC PCI EtherPower 10/100 (DEC Tulip driver)
SMC EtherPower II (epic100.c driver)
Sun LANCE adapters (kernel 2.2 and newer)
Sun Intel adapters (kernel 2.2 and newer)
Schneider and Koch G16
Western Digital WD80x3
Zenith Z-Note / IBM ThinkPad 300 built-in adapter
Znyx 312 etherarray (Tulip driver)
Ethernet devices names are `eth0', `eth1', `eth2' etc. The first card detected by the kernel is assigned `eth0', and the rest are assigned sequentially in the order in which they are detected.
Once you have your kernel properly built to support your ethernet card, configuration of the card is easy.
Typically you would use something like (which most distributions already do for you, if you configured them to support your ethernet):
root# ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up root# route add -net 192.168.0.0 netmask 255.255.255.0 eth0 |
Most of the ethernet drivers were developed by Donald Becker Was this section helpful? Why not Donate $2.50?
The module will typically can detect all of the installed cards.
Information from the detection is stored in the file:
/etc/conf.modules.
Consider that a user has 3 NE2000 cards, one at 0x300 one at 0x240, and one at 0x220. You would add the following lines to the /etc/conf.modules file:
alias eth0 ne
alias eth1 ne
alias eth2 ne
options ne io=0x220,0x240,0x300 |
What this does is tell the program modprobe to look for 3 NE based cards at the following addresses. It also states in which order they should be found and the device they should be assigned.
Most ISA modules can take multiple comma separated I/O values. For example:
alias eth0 3c501
alias eth1 3c501
options eth0 -o 3c501-0 io=0x280 irq=5
options eth1 -o 3c501-1 io=0x300 irq=7 |
The -o option allows for a unique name to be assigned to each module. The reason for this is that you can not have two copies of the same module loaded.
The irq= option is used to specify the hardware IRQ, and the io= to specify the different io ports.
By default, the Linux kernel only probes for one Ethernet device. You need to pass command line arguments to the kernel in order to force detection of furter boards.
To learn how furthere your ethernet card(s) work under Linux, you should refer to the Ethernet-HOWTO.
This section covers information specific to IP.
This section includes information on setting IP options within the kernel at boot time. An example of these options are ip_forward or ip_bootp_agent. These options are used by setting the value to a file in the
/proc/sys/net/ipv4/ |
For example, to set ip_forward enabled, you would type
echo 1 > /proc/sys/net/ipv4/ip_forward |
ip_forward
If ip_forward is set to 0 it is disabled. If it is sforwardany other number it is enabled. This option is used in conjunction with technologies such as routing between interfaces with IP Masquerading. .
ip_default_ttl
This is the time to live for an IP Packet. The default is 64 milliseconds.
ip_addrmask_agent - BOOLEAN
Reply to ICMP ADDRESS MASK requests. default TRUE (router) FALSE (host)
ip_bootp_agent
- BOOLEAN Accept packets with source address of sort 0.b.c.d and destined to this host, broadcast or multicast. Such packets are silently ignored otherwise. default FALSE
ip_no_pmtu_disc
- BOOLEAN Disable Path MTU Discovery. default FALSE
ip_fib_model - INTEGER
0 - (DEFAULT) Standard model. All routes are in class MAIN. 1 - default routes go to class DEFAULT. This mode should be very convenient for small ISPs making policy routing. 2 - RFC1812 compliant model. Interface routes are in class MAIN. Gateway routes are in class DEFAULT.
The EQL device name is `eql'. With the standard kernel source, you may have only one EQL device per machine. EQL provides a means of utilizing multiple Point-to-Point lines such as PPP, slip, or plip as a single logical link to carry tcp/ip. Often it is cheaper to use multiple lower speed lines than to have one high speed line installed.
Kernel Compile Options:
Network device support ---> [*] Network device support <*> EQL (serial line load balancing) support |
To support this mechanism, the machine at the other end of the lines must also support EQL. Linux, Livingstone Portmasters and newer dial-in servers support compatible facilities.
To configure EQL you will need the eql tools which are available from: metalab.unc.edu.
Configuration is fairly straightforward. You start by configuring the eql interface. The eql interface is just like any other network device. You configure the IP address and mtu using the ifconfig utility. Here is an example:
root# ifconfig eql 192.168.10.1 mtu 1006 |
Next, you need to manually initiate each of the lines you will use. These may be any combination of Point-to-Point network devices. How you initiate the connections will depend on what sort of link they are. Refer to the appropriate sections for further information.
Lastly you need to associate the serial link with the EQL device. This is called `enslaving' : it is done with the eql_enslave command as shown:
root# eql_enslave eql sl0 28800 root# eql_enslave eql ppp0 14400 |
The `estimated speed' parameter you supply eql_enslave doesn't do anything directly. It is used by the EQL driver to determine what share of the datagrams that device should receive. You can then fine tune the balancing of the lines by playing with this value.
To disassociate a line from an EQL device, use the eql_emancipate command as shown:
root# eql_emancipate eql sl0 |
You add routing as you would for any other Point-to-Point link, except that your routes should refer to the eql device rather than the actual serial devices. You would typically use:
root# route addthemselveseql |
The EQL driver was developed by Simon Janes simon@ncm.com.
The IP accounting features of the Linux kernel allow you to collect and analyze some network usage data. The data collected comprises the number of packets and the number of bytes accumulated since the figures were last reset. You may specify a variety of rules to categorize the figures to suit your purpose. This option has been removed in kernel 2.1.102 because the old ipfwadm-based firewalling was replaced by ``ipfwchains''.
Kernel Compile Options:
Networking options ---> [*] IP: accounting |
After you have compiled and installed the kernel, you need to use the ipfwadm command to configure IP accounting. There are many different ways of breaking down the accounting information. I've picked a simple example of what might be useful. You should read the ipfwadm man page for more information.
Scenario: You have a ethernet network that is linked to the Internet via a PPP link. On the ethernet, you have a machine that offers a number of services. You are interested in knowing how much traffic is generated by each of ftp (and world wide web traffic), as well as total tcp and udp traffic.
You might use a command set that looks like the following (shown as a shell script):
#!/bin/sh # # Flush the accounting rules ipfwadm -A -f # # Set shortcuts localnet=44.136.8.96/29 any=0/0 # Add rules for local ethernet segment ipfwadm -A in -a -P tcp -D $localnet ftp-data ipfwadm -A out -a -P tcp -S $localnet ftp-data ipfwadm -A in -a -P tcp -D $localnet www ipfwadm -A out -a -P tcp -S $localnet www ipfwadm -A in -a -P tcp -D $localnet ipfwadm -A out -a -P tcp -S $localnet ipfwadm -A in -a -P udp -D $localnet ipfwadm -A out -a -P udp -S $localnet # # Rules for default ipfwadm -A in -a -P tcp -D $any ftp-data ipfwadm -A out -a -P tcp -S $any ftp-data ipfwadm -A in -a -P tcp -D $any www ipfwadm -A out -a -P tcp -S $any www ipfwadm -A in -a -P tcp -D $any ipfwadm -A out -a -P tcp -S $any ipfwadm -A in -a -P udp -D $any ipfwadm -A out -a -P udp -S $any # # List the rules ipfwadm -A -l -n # |
The names ``ftp-data'' and ``www'' refer to lines in /etc/services. The last command lists each of the Accounting rules and displays the collected totals.
An important point to note when analyzing IP accounting is that totals for all rules that match will be incremented. To obtain differential figures, you need to perform appropriate maths. For example, if I wanted to know how much data was not ftp or www, I would subtract the individual totals from the rule that matches all ports.
root# ipfwadm -A -l -n
IP accounting rules
pkts bytes dir prot source destination ports
0 0 in tcp 0.0.0.0/0 44.136.8.96/29 * -> 20
0 0 out tcp 44.136.8.96/29 0.0.0.0/0 20 -> *
10 1166 in tcp 0.0.0.0/0 44.136.8.96/29 * -> 80
10 572 out tcp 44.136.8.96/29 0.0.0.0/0 80 -> *
252 10943 in tcp 0.0.0.0/0 44.136.8.96/29 * -> *
231 18831 out tcp 44.136.8.96/29 0.0.0.0/0 * -> *
0 0 in udp 0.0.0.0/0 44.136.8.96/29 * -> *
0 0 out undp 44.136.8.96/29 0.0.0.0/0 * -> *
0 0 in tcp 0.0.0.0/0 0.0.0.0/0 * -> 20
0 0 out tcp 0.0.0.0/0 0.0.0.0/0 20 -> *
10 1166 in tcp 0.0.0.0/0 0.0.0.0/0 * -> 80
10 572 out tcp 0.0.0.0/0 0.0.0.0/0 80 -> *
253 10983 in tcp 0.0.0.0/0 0.0.0.0/0 * -> *
231 18831 out tcp 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 in udp 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 out udp 0.0.0.0/0 0.0.0.0/0 * -> * |
The new accounting code is accessed via ``IP Firewall Chains''. See the IP chains home page for more information. You'll now need to use ipchains instead of ipfwadm to configure your filters. (From Documentation/Changes in the latest kernel sources).
There are some applications where being able to configure multiple IP addresses to a single network device is useful. Internet Service Providers often use this facility to provide a "customized" feature to their World Wide Web and ftp offerings for their customers. You can refer to the ``IP-Alias mini-HOWTO'' for more information.
Kernel Compile Options:
Networking options ---> .... [*] Network aliasing .... <*> IP: aliasing support |
After compiling and installing your kernel with IP_Alias support, configuration is very simple. The aliases are added to virtual network devices associated with the actual network device. A simple naming convention applies to these devices being <devname>:<virtual dev num>, e.g. eth0:0, ppp0:10 etc. Note that the the ifname:number device can only be configured after the main interface has been set up.
For example, assume you have an ethernet network that supports two different IP subnetworks simultaneously. You also wish your machine to have direct access to both. You could use something like:
root# ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0 root# ifconfig eth0:0 192.168.10.1 netmask 255.255.255.0 up root# route add -net 192.168.10.0 netmask 255.255.255.0 eth0:0 |
To delete an alias, add a `-' to the end of its name, then refer to it. It is as simple as:
root# ifconfig eth0:0- 0 |
All routes associated with that alias will also be deleted automatically. Was this section helpful? Why not Donate $2.50?
IP Firewall and Firewalling issues are covered in more depth in the Firewall-HOWTO. IP Firewalling allows you to secure your machine against unauthorized network access by filtering or allowing datagrams from or to IP addresses that you nominate. There are three different classes of rules; incoming filtering, outgoing filtering, and forwarding filtering. Incoming rules are applied to datagrams that are received by a network device. Outgoing rules are applied to datagrams that are to be transmitted by a network device. Forwarding rules are applied to datagrams that are received and are not for this machine (ie. datagrams that would be routed).
Kernel Compile Options:
Networking options ---> [*] Network firewalls .... [*] IP: forwarding/gatewaying .... [*] IP: firewalling [ ] IP: firewall packet logging |
Configuration of the IP firewall rules is performed using the ipfwadm command. As I mentioned earlier, I am not a security expert. I will present an example you can use. You should, however, do your own research and develop your own rules.
Using your linux machine as a router and firewall gateway to protect your local network from unauthorized access (from outside your network) is probably the most common use of an IP firewall.
The following configuration is based on a contribution from Arnt Gulbrandsen: <agulbra@troll.no>.
The example describes the configuration of the firewall rules on the Linux firewall/router machine illustrated below:
- -
\ | 172.16.37.0
\ | /255.255.255.0
\ --------- |
| 172.16.174.30 | Linux | |
NET =================| f/w |------| ..37.19
| PPP | router| | --------
/ --------- |--| Mail |
/ | | /DNS |
/ | --------
- - |
The following commands would normally be placed in an rc file. They would be automatically started each time the system boots. For maximum security, they would be performed after the network interfaces are configured (but before the interfaces are actually brought up) to prevent anyone gaining access while the firewall machine is rebooting.
#!/bin/sh # Flush the 'Forwarding' rules table # Change the default policy to 'accept' # /sbin/ipfwadm -F -f /sbin/ipfwadm -F -p accept # # .. and for 'Incoming' # /sbin/ipfwadm -I -f /sbin/ipfwadm -I -p accept # First off, seal off the PPP interface # I'd love to use '-a deny' instead of '-a reject -y' but then it # would be impossible to originate connections on that interface too. # The -o causes all rejected datagrams to be logged. This trades # disk space against knowledge of an attack of configuration error. # /sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30 # Throw away certain kinds of obviously forged packets right away: # Nothing should come from multicast/anycast/broadcast addresses # /sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24 # # and nothing coming from the loopback network should ever be # seen on a wire # /sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24 # accept incoming SMTP and DNS connections, but only # to the Mail/Name Server # /sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53 # # DNS uses UDP as well as TCP, so allow that too # for questions to our name server # /sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53 # # but not "answers" coming to dangerous ports like NFS and # Larry McVoy's NFS extension. If you run squid, add its port here. # /sbin/ipfwadm -F -a deny -o - |