TCP/IP Sections: 13.7, 13.8, 13.11, 13.12
13.7 Adding A Machine to a Network
13.8 Distribution-Specific Network Configuration
13.11 Security Issues
13.12 Linux NAT (IP MASQUERADING)
Adding A Machine to a Network
The basic steps to add a new machine to a local network are:
• Assign a unique IP address and hostname.
• Set up the new host to configure its network interfaces at boot time.
• Set up a default route.
• Point to a DNS name server, to allow access to the rest of the Internet.
• Reboot the system each time you make changes that might affect booting, to make sure that the machine comes up correctly.
Adding a machine to a network
Each distribution has established its own configuration files for automating network configuration at boot time, as summarized in the following table.
System    File                                         What's set there
Red Hat   /etc/sysconfig/network                       Hostname, default route
          /etc/sysconfig/network-scripts/ifcfg-ifname  IP address, netmask, broadcast address
SuSE      /etc/rc.config                               Hostname, IP address, netmask, and more
          /etc/route.conf                              Default route
Debian    /etc/hostname                                Hostname
          /etc/network/interfaces                      IP address, netmask, default route
Assigning hostnames and IP addresses
Mapping from hostnames to IP addresses can be maintained through:
• the hosts file (/etc/hosts)
• NIS (Network Information Service)
• DNS (Domain Name Service)
• some combination of the above sources
Renumbering Issue
Renumbering = assigning new IP addresses. Using hostnames in the configuration files and
having the hostname-to-IP-address translation done through DNS helps overcome the problem of changing IP addresses.
However, using IP addresses in configuration files reduces
dependencies during bootup, when not all services are available yet.
/etc/hosts example
127.0.0.1       localhost
192.108.21.48   lollipop.xor.com      lollipop loghost
192.108.21.254  chimchim-gw.xor.com   chimchim-gw
192.108.21.1    ns.xor.com            ns
192.225.33.5    licenses.xor.com      license-server
Because the hosts file contains only local mappings, most systems use it just for mappings that are needed at boot time.
It can also be used for mappings that you don't want others to know about.
The minimal data are the mappings for the loopback address and the host itself.
/etc/hosts (cont.)
Some put all their really important hosts, servers and gateways there.
• Debian: only localhost
• Red Hat: localhost and the machine itself
• SuSE: localhost, the machine itself, and a few special IPv6 names
The hostname command assigns a hostname to a machine. It is typically run at boot time from one of the startup scripts, which obtains the name to be assigned from a configuration file.
ifconfig: configure network interfaces
Enables/disables a network interface, sets the IP address and subnet mask, and sets various other parameters.
ifconfig interface address options
• interface: identifies the hardware interface to which the command applies
• address: the IP address of the interface; many versions of ifconfig accept a hostname for this parameter
ifconfig examples:
ifconfig eth0 128.138.240.1 netmask 255.255.255.0 up
ifconfig interface
ifconfig -a
netstat -i
Options:
• up: turns the interface on (default)
• down: turns the interface off
• netmask: sets the subnet mask for the network; used if subnetting is used. The network part is set to ones, the host part to zeros.
• broadcast: IP broadcast address for the interface, expressed in either hex or dotted-quad notation. The broadcast address is, in most systems, found by setting the host part to all 1s. Most systems use the netmask and IP address to calculate the broadcast address.
ifconfig examples
redhat% /sbin/ifconfig eth0
eth0  Link encap:Ethernet  HWaddr 00:02:b3:19:C8:86
      inet addr:192.168.1.13  Bcast:192.168.1.255
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:206983 errors:0 dropped:0 overruns:0 frame:0
      TX packets:218292 errors:0 dropped:0 overruns:0 frame:0
      collisions:0 txqueuelen:100
      Interrupt:7 Base address:0xef00
ifconfig eth0 128.138.243.151 netmask 255.255.255.192 broadcast 128.138.243.191 up
mii-tool: configure autonegotiation and other media-specific options
Autonegotiation mode: both the card and its upstream connection (usually a switch port) try to guess what the other wants to use.
Problem: high packet loss.
It is better to lock the interface speed and duplex both on servers and on the switch ports they are connected to.
mii-tool sets media-specific parameters such as link speed and duplex:
mii-tool --force=100baseTx-FD eth0
route: configure static routes
If a packet is destined for some host on a directly connected network, the "next-hop gateway" address in the routing table will be one of the local host's own interfaces.
If no route matches the destination address, the default route is used if one exists; otherwise an ICMP "network unreachable" or "host unreachable" error is returned.
route [op] [type] destination gw gateway [metric] [dev interface]
• op: add (add a route) or del (remove a route)
• destination: a host address (type -host) or a network address (type -net)
• gateway: the machine to which packets should be forwarded; it must be on a directly connected network
• dev: optional and can be omitted
• metric: the number of forwardings (the hop count) required to reach the destination
• type: optional -net or -host. If not specified, route checks whether the host part is all zeros; it may also check /etc/networks.
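As an added example (not from the lecture or the handbook), the following POSIX shell functions compute the network and broadcast addresses the way ifconfig derives them from an address and netmask, and check the route requirement that a gateway lies on a directly connected network. The function names are my own; the helpers work equally for checking lines of a static-routes file.

```shell
#!/bin/sh
# Added helper functions (not from the lecture): dotted-quad arithmetic for
# the ifconfig broadcast rule and the route "gateway must be local" rule.
# Relies on shell arithmetic being at least 32 bits wide (true on Linux).

# ip4_to_int A.B.C.D -> integer; fails if the string is not four octets
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 integer -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_addr IP NETMASK: host part set to all zeros
network_addr() {
    ip=$(ip4_to_int "$1") && mask=$(ip4_to_int "$2") || return 1
    int_to_ip4 $(( ip & mask ))
}

# broadcast_addr IP NETMASK: host part set to all ones, which is what
# ifconfig assumes when no explicit "broadcast" option is given
broadcast_addr() {
    ip=$(ip4_to_int "$1") && mask=$(ip4_to_int "$2") || return 1
    int_to_ip4 $(( (ip & mask) | (~mask & 4294967295) ))
}

# gateway_is_local IFADDR NETMASK GW: succeeds only if GW sits on the
# network directly connected through the interface, as "route add" requires
gateway_is_local() {
    [ "$(network_addr "$1" "$2")" = "$(network_addr "$3" "$2")" ]
}

# Usage with the slide's own values:
#   broadcast_addr 128.138.243.151 255.255.255.192   -> 128.138.243.191
#   gateway_is_local 130.255.204.50 255.255.255.248 130.255.204.49 && echo ok
```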
Route examples
route -f, or route --flush: completely flushes the routing tables and starts over.
netstat -nr: inspect existing routes; netstat -r: see names instead of numbers.
redhat% netstat -nr
Kernel IP routing table
Destination   Gateway        Genmask         Flags  MSS  Window  irtt  Iface
192.168.1.0   0.0.0.0        255.255.255.0   U      0    0       0     eth0
127.0.0.0     0.0.0.0                        U      0    0       0     lo
0.0.0.0       192.168.1.254                  UG     0    0       0     eth0
redhat% netstat -r
Kernel IP routing table
Destination   Gateway        Genmask         Flags  MSS  Window  irtt  Iface
192.168.1.0   *              255.255.255.0   U      0    0       0     eth0
127.0.0.0     *                              U      0    0       0     lo
0.0.0.0       Sprint-gw                      UG     0    0       0     eth0
Genmask: the netmask associated with the destination.
Flags: status of the route, how it was learned, and other parameters.
Iface: the interface through which packets using the route are sent.
Default routes
All packets whose destination network is not found in the kernel's routing table are sent to the default route.
route add default gw gateway-ip-address
How to set the default route:
System    File to change            Variable to change
Red Hat   /etc/sysconfig/network    GATEWAY
SuSE      /etc/route.conf           add line: default IP-addr mask interface
Debian    /etc/network/interfaces   gateway
Configuring DNS
To configure a machine as a DNS client, modify /etc/resolv.conf:
• this file lists the domains that should be searched to resolve names that are incomplete (not fully qualified)
• it lists the IP addresses of the name servers to contact for name lookups
Some systems also require modification of the "service switch" file.
Example /etc/resolv.conf:
search cs.colorado.edu colorado.edu
nameserver 128.138.242.1
nameserver 128.138.234.151
nameserver 192.108.21.1
domain is sometimes used instead of search in ancient resolv.conf files.
search is preferred, but Red Hat defaults to a resolv.conf file that uses domain instead of search.
service switch
Some systems have a "service switch" file that determines which mechanism will be used to resolve hostname-to-IP-address mappings. See page 498 for prioritization.
It allows specification of the order in which DNS, NIS, and /etc/hosts should be consulted.
Service switch files by system
System           Switch file          Default for hostname lookups
Red Hat          /etc/nsswitch.conf   files nisplus nis dns
                 /etc/host.conf       hosts, bind
SuSE and Debian  /etc/nsswitch.conf   files dns
                 /etc/host.conf       hosts, bind
The Linux networking stack
Includes support for virtual network interfaces, selective acknowledgments, and a new IP feature, Explicit Congestion Notification (ECN).
ECN marks TCP packets to notify the sender of congestion. It is a good thing for both bulk transfers of data and transactional data such as web requests and responses.
Distribution-Specific Network Configuration
Linuxconf: module-based utility that provides a simple interface for managing a number of system administration tasks, including most network-related configuration.
Three interfaces: text-based, web, and X Windows.
For a change to a configuration file to take effect, reboot or bring the network interface down and up:
• Red Hat and Debian: ifup and ifdown
• SuSE: reboot the machine
Network Configuration for Red Hat
File                                          What's set there
/etc/sysconfig/network                        Hostname, default route
/etc/sysconfig/static-routes                  Static routes
/etc/sysconfig/network-scripts/ifcfg-ifname   IP address, netmask, broadcast address per interface
/etc/sysconfig/network example
NETWORKING=yes
HOSTNAME=redhat.toadranch.com
DOMAINNAME=toadranch.com ###OPTIONAL
GATEWAY=192.168.1.254
/etc/sysconfig/network-scripts/ifcfg-ifname examples
ifcfg-eth0 file:
DEVICE=eth0
IPADDR=192.168.1.13
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes
ifcfg-lo file:
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
Network Configuration for Red Hat(cont.)
ifup ifname: brings an interface up
ifdown ifname: brings an interface down
/etc/rc.d/init.d/network
• script that accepts the arguments start, stop, restart, and status
• manages all the interfaces at once
• invoked at boot time
Any routes added to the file /etc/sysconfig/static-routes are entered into the routing table at boot time. Each line holds the arguments that are passed to route add:
eth0 net 130.255.204.48 netmask 255.255.255.248 gw 130.255.204.49
eth1 net 192.38.8.0 netmask 255.255.255.224 gw 192.38.8.9
Network Configuration for SuSE
/sbin/SuSEconfig: a tool that uses scripts in /sbin/conf.d and /etc/rc.config.d to carry out the configuration.
/etc/rc.config contains all network-related parameters except routing information and DNS information. Example:
START_LOOPBACK="yes"
NETCONFIG="_0"
IPADDR_0="192.168.1.101"
NETDEV_0="eth0"
IFCONFIG_0="192.168.1.101 broadcast 192.168.1.255 netmask 255.255.255.0"
FQHOSTNAME="inura.toadranch.com"
DISABLE_ECN="yes"
File              What's set there
/etc/rc.config    Hostname, IP address, netmask, and more
/etc/route.conf   Default route, static routes
Dynamic Routing in SuSE
Dynamic routing is also configured in rc.config.
Example:
START_ROUTED="no"   ### RIP (Routing Information Protocol) version 1 daemon
START_ZEBRA="no"    ### zebra routing manager
START_BGPD="no"     ### BGP (Border Gateway Protocol) daemon
START_RIPING="no"   ### RIP version 2 daemon
START_OSPFD="no"    ### OSPF (Open Shortest Path First) daemon
START_MRTD="no"     ### multithreaded routing daemon
Network configuration for Debian
Example of /etc/network/interfaces file:
iface lo inet loopback
iface eth0 inet static
    address 192.168.1.102
    netmask 255.255.255.0
    gateway 192.168.1.254
File                      What's set there
/etc/hostname             Hostname (should be fully qualified)
/etc/network/interfaces   IP address, netmask, default route
/etc/network/options      Low-level network options (IP forwarding, etc.)
The interfaces file is read by ifup and ifdown, which bring the interfaces up and down respectively.
The inet keyword in the iface line is the address family; this will always be inet.
static specifies that the address and netmask lines are required for static configuration.
gateway specifies the address of the default gateway and is used to install the default route.
The options file allows some network variables to be set at boot time.
Network Configuration with GUI
Red Hat includes a tool called neat (Network Administration Tool) that can perform Ethernet, modem, ISDN, xDSL, and wireless configuration.
To run it:
• select Main menu, Programs, System, Network configuration
or
• type neat in a shell
Security Issues
IP forwarding
lets the Linux box act as a router. Turn this feature off unless you have multiple
network interfaces and intend to have the Linux box act as a router.
Hosts with this feature enabled can compromise security by making external packets appear to have come from inside the local network, which can enable naughty packets to evade network scanners and packet filters.
Security issues
ICMP redirects can be used maliciously to reroute traffic and mess with the routing table.
Most operating systems listen to them and follow their instructions.
It is recommended to configure routers, and hosts acting as routers, to ignore and perhaps log ICMP redirects.
Security issues
Source routing: the IP source routing mechanism lets the sender specify the series of gateways a packet transits on the way to its destination.
It can create security problems because packets are often filtered according to their origin.
If someone can cleverly route a packet to make it appear to have originated from your network instead of the Internet, it might slip through your firewall.
It is recommended to neither accept nor forward source-routed packets.
Security issues
Broadcast pings and other forms of directed broadcast: ping packets addressed to a network's broadcast address (instead of to a particular host address).
They can be used in denial of service attacks.
Most hosts have a way to disable broadcast pings.
The router can also be configured to filter out (not forward) broadcast pings.
Security issues
IP spoofing: if the software creating the packet uses a raw socket, it can fill in any source address it likes. The machine identified by the spoofed source address (if it is a real address) is often the victim in this scheme: error and return packets can disrupt or flood the victim's network connections.
IP spoofing should be denied at the border router by blocking outgoing packets whose source address is not within your address space. If a network uses private address space, addresses escaping to the Internet can be filtered and caught, since private addresses are not routable.
Security issues
IP spoofing (cont.): Linux-based firewalls provide a way to implement this filtering; however, most sites prefer to implement this type of filtering at their border routers.
Also protect against a hacker forging the source address on external packets to fool the firewall into thinking that they originated on your internal network. The rp_filter kernel parameter (settable in the /proc/sys/net/ipv4/conf/ifname directory) can help detect these packets: set rp_filter (reverse path filtering) to 1.
If the site has multiple connections to the Internet, rp_filter has to be set to 0 if inbound and outbound routes are different (which is often preferred).
Security issues
Host-based firewalls: packet filtering (aka "firewall") software.
Linux security is weak and NT’s security is worse.
It is recommended to buy a dedicated hardware solution to use as a firewall.
Go to page 676 to read more about firewall-related issues.
Security issues
Virtual private networks (VPN): private networks that include a series of secure, encrypted "tunnels". These "tunnels" allow using the Internet as if it were a private data line, and are used to connect several parts of the world as if they were within one big private network.
Some VPNs use the IPSEC protocol (standardized by the IETF in 1998); others use proprietary solutions. Examples: Cisco's 3660 router and the WatchGuard Firebox provide VPN; they provide tunneling and encryption.
Security issues
Security-related kernel variables
Feature           Host     Gateway   Control file (in /proc/sys/net)
IP forwarding     off      on        ipv4/ip_forward (for the whole system)
                                     ipv4/conf/interface/forwarding (per interface)
ICMP redirects    obeys    ignores   ipv4/conf/interface/accept_redirects
Source routing    ignores  obeys     ipv4/conf/interface/accept_source_route
Broadcast ping    answers  answers   ipv4/icmp_echo_ignore_broadcasts
Security issues
Changing security-related kernel variables
Red Hat:
• add values to /etc/sysctl.conf, which is read by the sysctl command at boot time
• the format of sysctl.conf is variable=value, e.g. net.ipv4.ip_forward=0 (turn off IP forwarding)
SuSE:
• sysctl doesn't run during the boot process
• edit rc.config (in /etc/init.d/boot) or add a call to the sysctl command somewhere in the startup sequence
Debian:
• provides a sample sysctl.conf file and also calls sysctl during startup
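The following shell function is an added example, not part of the lecture or the handbook: it audits the kernel variables from the table above for a host or gateway role, checking for the hardened values the slides recommend (no ICMP redirects, no source routing, broadcast pings ignored, rp_filter on) rather than the kernel defaults. The root-directory argument and the function name are my own additions so that the check can also run against a constructed directory tree; pass an empty string to audit the live /proc.

```shell
#!/bin/sh
# Added example: audit the security-related kernel variables for a host or a
# gateway.  Reads files under "$1/proc/sys/net/ipv4", so "" audits the live
# system and a constructed tree can be used for testing.
# Expected values follow the slides' recommendations: only a gateway
# forwards, nobody obeys ICMP redirects or source routes, broadcast pings
# are ignored, and reverse-path filtering is on.
audit_net_sysctls() {
    root=$1            # "" for the live system
    role=$2            # host | gateway
    iface=${3:-all}    # entry under conf/ to inspect (all, eth0, ...)
    base="$root/proc/sys/net/ipv4"
    bad=0
    case $role in
        host)    want_forward=0 ;;
        gateway) want_forward=1 ;;
        *) echo "usage: audit_net_sysctls ROOT host|gateway [iface]" >&2; return 64 ;;
    esac
    # check FILE EXPECTED: print one line per variable and count mismatches
    check() {
        f="$base/$1"
        if [ ! -r "$f" ]; then
            echo "MISSING $1"; bad=$((bad + 1)); return
        fi
        read -r v < "$f"
        if [ "$v" = "$2" ]; then
            echo "ok      $1=$v"
        else
            echo "BAD     $1=$v (want $2)"; bad=$((bad + 1))
        fi
    }
    check ip_forward                         "$want_forward"
    check "conf/$iface/forwarding"           "$want_forward"
    check "conf/$iface/accept_redirects"     0
    check "conf/$iface/accept_source_route"  0
    check icmp_echo_ignore_broadcasts        1
    # rp_filter=1 assumes symmetric routing; multi-homed sites whose inbound
    # and outbound paths differ must run with 0 (see the IP spoofing slide)
    check "conf/$iface/rp_filter"            1
    return $bad    # 0 means every variable matched; otherwise the mismatch count
}
# Usage on a live system:  audit_net_sysctls "" host eth0
```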
Linux NAT (IP masquerading)
Linux provides a limited form of NAT (Network Address Translation) that is more properly called PAT (Port Address Translation) or "IP masquerading".
The predominant Linux software (at the time of writing of the book) for setting up NAT is called ipchains. However, a new, improved package called iptables uses the "netfilter" feature of the Linux 2.4 kernel and ships with the current release of Red Hat.
For IP masquerading to work:
• enable IP forwarding
• build the kernel with CONFIG_IP_MASQUERADING defined
• it is helpful to set the kernel variable ip_masq_debug
IP MASQUERADING Examples
To disguise the private address space used on the internal network 192.168.1.0/24, you could use the following command:
ipchains -A forward -i ppp0 -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQ
To map packets from the 192.168.1.0/24 network to a range of 10 addresses in the routable network 128.138.198.0 with iptables (the rule belongs in the nat table):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 128.138.198.1-128.138.198.10