Linux TCP/IP Network Configuration Files

Linux TCP/IP Network Configuration Files:
FileDescription
/etc/resolve.conf List DNS servers for internet domain name resolution.
Manual page for: /etc/resolv.conf
/etc/hosts Lists hosts to be resolved locally (not by DNS).
Manual page for: /etc/hosts
/etc/nsswitch.conf List order of host name search. Typically look at local files, then NIS server, then DNS server.
Manual page for: /etc/nsswitch.conf
Red Hat/Fedora/CentOS: /etc/sysconfig/network Specify network configuration. eg. Static IP, DHCP, NIS, etc.
Red Hat/Fedora/CentOS: /etc/sysconfig/network-scripts/ifcfg-device Specify TCP network information.
Ubuntu/Debian: /etc/network/interfaces Specify network configuration and devices. eg. Static IP and info, DHCP, etc.
Domain Resolution Configuration Files:
  • File: /etc/resolv.conf - host name resolver configuration file
    search name-of-domain.com  - Name of your domain or ISP's domain if using their name server
nameserver XXX.XXX.XXX.XXX - IP address of primary name server
nameserver XXX.XXX.XXX.XXX - IP address of secondary name server
    This configures Linux so that it knows which DNS server will be resolving domain names into IP addresses. If using DHCP client, this will automatically be sent to you by the ISP and loaded into this file as part of the DHCP protocol. If using a static IP address, ask the ISP or check another machine on your network.
    Red Hat/Fedora GUI: /usr/sbin/system-config-network (select tab "DNS").
  • File: /etc/hosts - locally resolve node names to IP addresses
    127.0.0.1         your-node-name.your-domain.com  localhost.localdomain  localhost 
XXX.XXX.XXX.XXX   node-name
    Note when adding hosts to this file, place the fully qualified name first. (It helps sendmail identify your server correctly) i.e.: 
        XXX.XXX.XXX.XXX  superserver.yolinux.com  superserver
    This informs Linux of local systems on the network which are not handled by the DNS server. (or for all systems in your LAN if you are not using DNS or NIS)

    The file format for the hosts file is specified by RFC 952.

    Red Hat/Fedora configuration GUI: /usr/sbin/system-config-network (select tab "Hosts").

  • File: /etc/nsswitch.conf - System Databases and Name Service Switch configuration file
    hosts:   files dns nisplus nis
    This example tells Linux to first resolve a host name by looking at the local hosts file(/etc/hosts), then if the name is not found look to your DNS server as defined by /etc/resolv.conf and if not found there look to your NIS server.

    In the past this file has had the following names: /etc/nsswitch.conf, /etc/svc.conf, /etc/netsvc.conf, ... depending on the distribution.

Fedora / Red Hat Network Configuration Files:
  • /etc/sysconfig/network

    Red Hat network configuration file used by the system during the boot process.

  • File: /etc/sysconfig/network-scripts/ifcfg-eth0
    Configuration settings for your first ethernet port (0). Your second port is eth1.
  • File:
    • /etc/modprobe.conf (kernel 2.6)
    • /etc/modules.conf (kernel 2.4)
    • (or for older systems: /etc/conf.modules)
    Example statement for Intel ethernet card:
    alias eth0 eepro100
    Modules for other devices on the system will also be listed. This tells the kernel which device driver to use if configured as a loadable module. (default for Red Hat)
Fedora / Red Hat Network GUI Configuration Tools:

The following GUI tools edit the system configuration files. There is no difference in the configuration developed with the GUI tools and that developed by editing system configuration files directly.

TCP/IP ethernet configuration:
  • Network configuration:
    /usr/sbin/system-config-network (FC-2/3) GUI shown here --->
    /usr/bin/redhat-config-network (/usr/bin/neat) (RH 7.2+ FC-1)
  • Text console configuration tool:
    /usr/sbin/system-config-network-tui (Text User Interface (TUI) for Fedora Core 2/3)
    /usr/bin/redhat-config-network-tui (RH 9.0 - FC-1)
  • Text console network configuration tool.
    First interface only - eth0: /usr/sbin/netconfig
  • /usr/bin/netcfg (GUI) (last available with RH 7.1)
Gnome Desktop:
  • Gnome Desktop Network Configuration
    /usr/bin/gnome-network-preferences (RH 9.0 - FC-3)
    Proxy configuration. Choose one of three options:
    1. Direct internet connection
    2. Manual proxy configuration (specify proxy and port)
    3. Automatic proxy configuration (give URL)
 Linux TCP/IP Network Configuration Files
Assigning an IP address:

Computers may be assiged a static IP address or assigned one dynamically. Typically a server will require a static IP while a workstation will use DHCP (dynamic IP assignment). The Linux server requires a static IP so that those who wish to use its resources can find the system. It is more easily found if the IP address does not change and is static. This is not important for the Linux client workstation and thus it is easier to use an automated Dynamic Host Configuration Protocol (DHCP) for IP address assignment.

Static IP address assignment:

Choose one of the following methods:

  • Command Line: 
        /sbin/ifconfig eth0 192.168.10.12 netmask 255.255.255.0 broadcast 192.168.10.255
    Network address by convention would be the lowest: 192.168.10.0
    Broadcast address by convention would be the highest: 192.168.10.255
    The gateway can be anything, but following convention: 192.168.10.1

    Note: the highest and lowest addresses are based on the netmask. The previous example is based on a netmask of 255.255.255.0

  • Red Hat / Fedora GUI tools:
    • /usr/bin/neat Gnome GUI network administration tool. Handles all interfaces. Configure for Static IP or DHCP client.
      (First available with Red Hat 7.2.)
    • /usr/bin/netcfg (Handles all interfaces) (last available in Red Hat 7.1)
  • Red Hat / Fedora Console tools:
    • /usr/sbin/system-config-network-tui (Text User Interface)
    • /usr/sbin/netconfig (Only seems to work for the first network interface eth0 but not eth1,...)
  • Directly edit configuration files/scripts. See format below.

The ifconfig command does NOT store this information permanently. Upon reboot this information is lost. Manually add the network configuration to /etc/sysconfig/network-scripts/ifcfg-eth0 (Red Hat/Fedora/CentOS) for the first NIC, ifcfg-eth1 for the second, etc, or /etc/network/interfaces (Ubuntu) as shown below. Any other commands you may want to add to the system boot sequence can be added to the end of the file /etc/rc.d/rc.local. The commands netcfg and netconfig make permanent changes to system network configuration files located in /etc/sysconfig/network-scripts/, so that this information is retained and used upon system boot.

The IANA has allocated IP addresses in the range of 192.168.0.0 to 192.168.255.255 for private networks.

Helpful tools:

Command line IP Configuration: ifconfig

ifconfig interface [aftype] options | address ...

where:
  • interface: eth0, eth1, eth2 represent the computer ethernet interfaces
  • aftype: inet (TCP/IP, default), inet6 (IPv6), ax25 (AMPR Packet Radio), ddp (Appletalk Phase 2), ipx (Novell IPX) or netrom (AMPR Packet radio)
Options:
OptionDescription
up Activate the interface. Implied if IP addresses are specified.
down Shut down interface
arp Enable ARP protocol on this interface. Allow ARP to detect the addresses of computer hosts attached to the network.
-arp Disable ARP protocol on this interface
promisc Enable promiscuous mode. Receive all packets on the network not just those destined for this interface.
-promisc Disable promiscuous mode.
mtu ## Specify the Maximum Transfer Unit (MTU) of the interface. The MTU is the maximum number of octets the interface is able to handle in a single transaction. Defaults: Ethernet: 1500 SLIP: 296
broadcast XXX.XXX.XXX.XXX Set the network broadcast address for this interface.
netmask XXX.XXX.XXX.XXX Set the IP network mask for this interface.
Man page: ifconfig
Ubuntu / Debian IP Configuration Files:

File: /etc/network/interfaces

Static IP example: 
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 208.88.34.106
        netmask 255.255.255.248
        broadcast 208.88.34.111
        network 208.88.34.104
        gateway 208.88.34.110

Dynamic IP (DHCP) example:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet dhcp

auto eth2
iface eth2 inet dhcp

auto ath0
iface ath0 inet dhcp

auto wlan0
iface wlan0 inet dhcp
Interfaces:
  • lo: Loopback interface (network within your system without slowing down for the real ethernet based network)
  • eth0: First ethernet interface card
  • wlan0: First wireless network interface

Also see "man interfaces"

Ubuntu GUI Network Tools:
  • /usr/bin/gnome-nettool (apt-get install gnome-nettool)
    Linux TCP/IP Network Configuration Files
  • /usr/bin/network-admin (apt-get install gnome-network-admin)
    Linux TCP/IP Network Configuration Files
Red Hat / Fedora Core IP Configuration Files:

The Red Hat configuration tools store the configuration information in the file /etc/sysconfig/network.
They will also allow one to configure routing information.

  • File: /etc/sysconfig/network

    Static IP address Configuration: (Configure gateway address)

    NETWORKING=yes
    HOSTNAME 
    =my-hostname      - Hostname is defined here and by command hostname
FORWARD_IPV4=true         - True for NAT firewall gateways and linux routers. 
                            False for everyone else - desktops and servers.
GATEWAY="XXX.XXX.XXX.YYY" - Used if your network is connected to another network or the internet. 
                            Static IP configuration. Gateway not defined here for DHCP client.
    OR for DHCP client configuration:
    NETWORKING=yes
    HOSTNAME 
    =my-hostname      - Hostname is defined here and by command hostname
    (Gateway is assigned by DHCP server.)
    OR for NIS client configuration:
    NETWORKING=yes
    HOSTNAME 
    =my-hostname      - Hostname is defined here and by command hostname
NISDOMAIN=NISProject1     - NIS domain to attach
  • File (Red Hat/Fedora): /etc/sysconfig/network-scripts/ifcfg-eth0
    (S.u.s.e.: /etc/sysconfig/network/ifcfg-eth-id-XX:XX:XX:XX:XX)
    This file used by the command scripts ifup and ifdown

    Static IP address configuration:

    DEVICE=eth0
BOOTPROTO=static
BROADCAST=XXX.XXX.XXX.255
IPADDR=XXX.XXX.XXX.XXX
NETMASK=255.255.255.0
NETWORK=XXX.XXX.XXX.0
ONBOOT=yes                       - Will activate upon system boot
    RHEL4/FC3 additions:
    • TYPE=Ethernet
    • HWADDR=XX:XX:XX:XX:XX:XX
    • GATEWAY=XXX.XXX.XXX.XXX

    OR for DHCP client configuration:

    DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
    RHEL4/FC3 additions:
    • IPV6INIT=no
    • USERCTL=no
    • PEERDNS=yes
    • TYPE=Ethernet
    • HWADDR=XX:XX:XX:XX:XX:XX
(Used by script /etc/sysconfig/network-scripts/ifup to bring the various network interfaces on-line)
To disable DHCP change BOOTPROTO=dhcp to BOOTPROTO=none

In order for updated information in any of these files to take effect, one must issue the command: service network restart (or: /etc/init.d/network restart)

Network IP aliasing:

Assign more than one IP address to one ethernet card:

ifconfig eth0   XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255
ifconfig eth0:0 192.168.10.12   netmask 255.255.255.0 broadcast 192.168.10.255
ifconfig eth0:1 192.168.10.14   netmask 255.255.255.0 broadcast 192.168.10.255
 
route add -host XXX.XXX.XXX.XXX dev eth0
route add -host 192.168.10.12 dev eth0
route add -host 192.168.10.14 dev eth0
In this example 0 and 1 are aliases in addition to the regular eth0. The result of the ifconfig command: eth0 Link encap:Ethernet HWaddr 00:10:4C:25:7A:3F inet addr:XXX.XXX.XXX.XXX Bcast:XXX.XXX.XXX.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:14218 errors:0 dropped:0 overruns:0 frame:0 TX packets:1362 errors:0 dropped:0 overruns:0 carrier:0 collisions:1 txqueuelen:100 Interrupt:5 Base address:0xe400 eth0:0 Link encap:Ethernet HWaddr 00:10:4C:25:7A:3F inet addr:192.168.10.12 Bcast:192.168.10.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:5 Base address:0xe400 eth0:1 Link encap:Ethernet HWaddr 00:10:4C:25:7A:3F inet addr:192.168.10.14 Bcast:192.168.10.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:5 Base address:0xe400

Config file: /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
ONBOOT=yes
BOOTPROTO=static
BROADCAST=192.168.10.255
IPADDR=192.168.10.12
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes
Aliases can also be shut down independently. i.e.: ifdown eth0:0

The option during kernel compile is: CONFIG_IP_ALIAS=y (Enabled by default in Redhat)

Note: The Apache web server can be configured so that different IP addresses can be assigned to specific domains being hosted. See Apache configuration and "configuring an IP based virtual host" in the YoLinux Web site configuration tutorial.

DHCP Linux Client: get connection info: /sbin/pump -i eth0 --status
(Red Hat Linux 7.1 and older)

Device eth0
IP: 4.XXX.XXX.XXX
Netmask: 255.255.252.0
Broadcast: 4.XXX.XXX.255
Network: 4.XXX.XXX.0
Boot server 131.XXX.XXX.4
Next server 0.0.0.0
Gateway: 4.XXX.XXX.1
Domain: vz.dsl.genuity.net
Nameservers: 4.XXX.XXX.1 4.XXX.XXX.2 4.XXX.XXX.3
Renewal time: Sat Aug 11 08:28:55 2001
Expiration time: Sat Aug 11 11:28:55 2001
Changing the host name:

This is a three step process:

  1. Issue the command: hostname new-host-name
  2. Change network configuration file: /etc/sysconfig/network
    Edit entry: HOSTNAME=new-host-name
  3. Restart systems which relied on the hostname (or reboot):
    • Restart network services: service network restart
      (or: /etc/init.d/network restart)
    • Restart desktop:
      • Bring down system to console mode: init 3
      • Bring up X-Windows: init 5
One may also want to check the file /etc/hosts for an entry using the system name which allows the system to be self aware.

The hostname may be changed at runtime using the command: sysctl -w kernel.hostname="superserver"

Note that hostnames may only contain alphanumeric characters, minus signs ("-"), and periods ("."). They must begin with an alphabetic character and end with an alphanumeric character.

Change the host name using GUI tool: /usr/sbin/system-config-network
(Red Hat / Fedora / CentOS)

Hostname entries are made in two places:

system-config-network system-config-network
Select the "DNS" tab. Select the "Devices" tab + "Edit" + the "General" tab.

 

Activating and De-Activating your NIC:
Commands for starting and stopping TCP/IP network services on a Network Interface Card (NIC):
  • Activate: /sbin/ifup eth0
    (Also: ifconfig eth0 up - Note: Even if no IP address is assigned you can listen.)
  • De-Activate: /sbin/ifdown eth0
    (Also: ifconfig eth0 down)
These scripts use the scripts and NIC config
files in /etc/sysconfig/network-scripts/

GUI Interface control/configuration:

  • Start/Stop network interfaces
    /usr/bin/system-control-network (Fedora Core 2/3)
    /usr/bin/redhat-control-network (RH 9.0 - FC-1)
  • Configure Ethernet, ISDN, modem, token Ring, Wireless or DSL network connection:
    /usr/sbin/system-config-network-druid (FC2/3)
    /usr/sbin/redhat-config-network-druid (RH 9 - FC-1)
 Linux TCP/IP Network Configuration Files

 

Subnets:
M
A
S
K		# OF
SUB
NETS		Slash
Fmt		CLASS A
HOSTS		CLASS A
MASK		CLASS B
HOSTS		CLASS B
MASK		CLASS C
HOSTS		CLASS C
MASK		CLASS C SUB
HOSTS		CLASS C SUB
MASK
255 1
or
256		 /32 16,777,214 255.0.0.0 65,534 255.255.0.0 254 255.255.255.0 Invalid
1 address		 255.255.255.255
254 128 /31 33,554,430 254.0.0.0 131,070 255.254.0.0 510 255.255.254.0 Invalid
2 addresses		 255.255.255.254
252 64 /30 67,108,862 252.0.0.0 262,142 255.252.0.0 1,022 255.255.252.0 2 hosts
4 addresses		 255.255.255.252
248 32 /29 134,217,726 248.0.0.0 524,286 255.248.0.0 2,046 255.255.248.0 6 hosts
8 addresses		 255.255.255.248
240 16 /28 268,435,454 240.0.0.0 1,048,574 255.240.0.0 4,094 255.255.240.0 14 hosts
16 addresses		 255.255.255.240
224 8 /27 536,870,910 224.0.0.0 2,097,150 255.224.0.0 8,190 255.255.224.0 30 hosts
32 addresses		 255.255.255.224
192 4 /26 1,073,741,822 192.0.0.0 4,194,302 255.192.0.0 16,382 255.255.192.0 62 hosts
64 addresses		 255.255.255.192
128 2 /25 2,147,483,646 128.0.0.0 8,388,606 255.128.0.0 32,766 255.255.128.0 126 hosts
128 addresses		 255.255.255.128
Binary position 8 7 6 5 4 3 2 1
Value 128 64 32 16 8 4 2 1
Example: 192 1 1 0 0 0 0 0 0

Example 192=128+64

Some addresses are reserved and outside this scope. Loopback (127.0.0.1), reserved class C 192.168.XXX.XXX, reserved class B 172.31.XXX.XXX and reserved class A 10.XXX.XXX.XXX.

Subnet Example:

Your ISP assigns you a subnet mask of 255.255.255.248 for your office.
  • 208.88.34.104 Network Base address
  • 208.88.34.105 Computer 1
  • 208.88.34.106 Computer 2
  • 208.88.34.107 Computer 3
  • 208.88.34.108 Computer 4
  • 208.88.34.109 Computer 5
  • 208.88.34.110 DSL router/Gateway
  • 208.88.34.111 Broadcast address
Of the eight addresses, there are six assigned to hardware systems and ultimately only five usable addresses.

Links:

 

Network Classes:

The concept of network classes is a little obsolete as subnets are now used to define smaller networks using CIDR (Classless Inter-Domain Routing) as detailed above. These subnets may be part of a class A, B, C, etc network. For historical reference the network classes are defined as follows:

  • Class A: Defined by the first 8 bits with a range of 0 - 127.
    First number (8 bits) is defined by Internic i.e. 77.XXX.XXX.XXX
    One class A network can define 16,777,214 hosts.
    Range: 0.0.0.0 - 127.255.255.255
  • Class B: Defined by the first 8 bits with a range from 128 - 191
    First two numbers (16 bits) are defined by Internic i.e. 182.56.XXX.XXX
    One class B network can define 65,534 hosts.
    Range: 128.0.0.0 - 191.255.255.255
  • Class C: Defined by the first 8 bits with a range from 192 - 223
    First three numbers (24 bits) are defined by Internic i.e. 220.56.222.XXX
    One class B network can define 254 hosts.
    Range: 192.0.0.0 - 223.255.255.255
  • Class D: Defined by the first 8 bits with a range from 224 - 239
    This is reserved for multicast networks (RFC988)
    Range: 224.0.0.0 - 239.255.255.255
  • Class E: Defined by the first 8 bits with a range from 240 - 255
    This is reserved for experimental use.
    Range: 240.0.0.0 - 247.255.255.255

 

Enable Forwarding:
Forwarding allows the network packets on one network interface (i.e. eth0) to be forwarded to another network interface (i.e. eth1). This will allow the Linux computer to conect ("ethernet bridge") or route network traffic.

The bridge configuration will merge two (or several) networks into one single network topology. IpTables firewall rules can be used to filter traffic.

A router configuration can support multicast and basic IP routing using the "route" command. IP masquerading (NAT) can be used to connect private local area networks (LAN) to the internet or load balance servers.

  • Turn on IP forwarding to allow Linux computer to act as a gateway or router.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Default is 0. One can add firewall rules by using ipchains.

    Another method is to alter the Linux kernel config file: /etc/sysctl.conf Set the following value:

    net.ipv4.ip_forward = 1

    See file /etc/sysconfig/network for storing this configuration.

    FORWARD_IPV4=true
    Change the default "false" to "true".

All methods will result in a proc file value of "1". Test: cat /proc/sys/net/ipv4/ip_forward

The TCP Man page - Linux Programmer's Manual and /usr/src/linux/Documentation/proc.txt (Kernel 2.2 RH 7.0-) cover /proc/sys/net/ipv4accept_redirects do echo 1 > $f done

Command to view Kernel IP routing cache: /sbin/route -Cn

NOTE: This may leave you vulnerable to hackers as attackers may alter your routes.

Blocking ICMP and look invisible to ping:

The following firewall rules will drop ICMP requests.

Iptables: 
iptables -A OUTPUT -p icmp -d 0/0 -j DROP
Ipchains: 
ipchains -A output -p icmp -d 0/0 -j DENY
OR drop all incomming pings:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This is sometimes necessary to look invisible to DOS (Denial Of Service) attackers who use ping to watch your machine and launch an attack when it's pressence is detected

 

Network Monitoring Tools:
  • tcpdump - dump traffic on a network. See discussion below.
    Command line optionDescription
    -c Exit after receiving count packets.
    -C Specify size of output dump files.
    -i Specify interface if multiple exist. Lowest used by default. i.e. eth0
    -w file-name Write the raw packets to file rather than parsing and printing them out.
    They can later be printed with the -r option.
    -n Improve speed by not performing DNS lookups. Report IP addresses.
    -t Don't print a timestamp on each dump line.

    Filter expressions:
    primitiveDescription
    host host-name If host has multiple IP's, all will be checked.
    net network-number Network number.
    net network-number mask mask Network number and netmask specified.
    port port-number Port number specified.
    tcp Sniff TCP packets.
    udp Sniff UDP packets.
    icmp Sniff icmp packets.

    Examples:

    • tcpdump tcp port 80 and host server-1
    • tcpdump ip host server-1 and not server-2
  • iptraf - Interactive Colorful IP LAN Monitor
  • nmap - Network exploration tool and security scanner
    • List pingable nodes on network: nmap -sP 192.168.0.0/24
      Scans network for IP addresses 192.168.0.0 to 192.168.0.255 using ping.
  • Ethereal - Network protocol analyzer. Examine data from a live network.
    RPM's required:
    • ethereal-0.8.15-2.i386.rpm - Red Hat 7.1 Powertools CD RPM
    • ucd-snmp-4.2-12.i386.rpm - Red Hat 7.1 binary CD 1
    • ucd-snmp-utils-4.2-12.i386.rpm - Red Hat 7.1 binary CD 1
    • Also: gtk+, glib, glibc, XFree86-libs-4.0.3-5 (base install)
    There is an error in the ethereal package because it does not show the snmp libraries as a dependancies, but you can deduce this from the errors that you get if the ucd-snmp libraries are not installed.
  • EtherApe - Graphical network monitor for Unix modeled after etherman. This is a great network discovery program with cool graphics. (Red Hat Powertools CD 7.1)
  • Gkrellm - Network and system monitor. Good for monitoring your workstation. (Red Hat Powertools CD)
  • IPTraf - ncurses-based IP LAN monitor. (Red Hat Powertools CD)
  • Cheops - Network discovery, location, diagnosis and management. Cheops can identify all of the computers that are on your network, their IP address, their DNS name, the operating system they are running. Cheops can run a port scan on any system on your network. (Red Hat Powertools CD)
  • ntop - Shows network usage in a way similar to what top does for processes. Monitors how much data is being sent and received on your network. (Red Hat Powertools CD)
  • MRTG - Multi Router Traffic Grapher - Monitor network traffic load using SNMP and generate an HTML/GIF report. (See sample output)
  • dnsad - IP traffic capture. Export to Cisco Netflow for network analysis reporting.
  • Big Brother - Monitoring ans services availablility.
  • OpenNMS.org - Network Management using SNMP.
  • Nagios - host, service and network monitoring
  • Angel network monitor

 

Using tcpdump to monitor the network:

[root]# ifconfig eth0 promisc          - Put nic into promiscuous mode to sniff traffic.
[root]# tcpdump -n host not XXX.XXX.XXX.XXX | more    - Sniff net but ignore IP which is your remote session.
[root]# ifconfig eth0 -promisc         - Pull nic out of promiscuous mode.

 

Network Intrusion and Hacker Detection Systems:

SNORT: Monitor the network, performing real-time traffic analysis and packet logging on IP networks for the detection of an attack or probe.

  • InterSect Alliance - Intrusiuon analysis. Identifies malicious or unauthorized access attempts.

 

ARP: Address Resolution Protocol

Ethernet hosts use the Address Resolution Protocol (ARP) to convert a 32-bit internet IP addresses into a 48-bit Ethernet MAC address used by network hardware. (See: RFC 826) ARP broadcasts are sent to all hosts on the subnet by the data transmitting host to see who replies. The broadcast is ignored by all except the intended receiver which recognizes the IP address as its own. The MAC addresses are remembered (APR cache) for future network communications. Computers on the subnet typically keep a cache of ARP responses. ARP broadcasts are passed on by hubs and switches but are blocked by routers.

Reverse ARP (See: RFC 903) is a bootstrap protocol which allows a client to broadcast requesting a server to reply with its IP address.

View ARP tables:
  • Shows other systems on your network (including IP address conflicts): /sbin/arp -a
  • Show ARP table Linux style: /sbin/arp -e
  • List ARP table: cat /proc/net/arp
Note that the use of a switch instead of a hub will limit your view of other hosts. Typically all you will see in the arp table is your router or gateway. Set/Configure ARP tables:
  • Add a host's IP address: /sbin/arp -s hostname XX:XX:XX:XX:XX:XX pub
  • Delete a host from the table: /sbin/arp -d hostname
    This can be used to remove a duplicate IP or force a new interface to provide info.
Man pages:

ARP is something that simply works. No Linux system configuration is necessary. It's all part of the ethernet and IP protocol. The aforementioned information is just part of the Linux culture of full visibility into what is going on.

 

Configuring Linux For Network Multicast:

Regular network exchanges of data are peer to peer unicast transactions. An HTTP request to a web server (TCP/IP), email SNMP (TCP/IP), DNS (UDP), FTP (TCP/IP), ... are all peer to peer unicast transactions. If one wants to transmit a video, audio or data stream to multiple nodes with one transmission stream instead of multiple individual peer to peer connections, one for each node, one may use multicasting to reduce network load. Note that multicast and a network broadcast are different. Multicast messages are only "heard" by the nodes on the network that have "joined the multicast group" which are those that are interested in the information.

The Linux kernel is Level-2 Multicast-Compliant. It meets all requirements to send, receive and act as a router for multicast datagrams. For a process to receive multicast datagrams it has to request the kernel to join the multicast group and bind the port receiving the datagrams. When a process is no longer interested in the multicast group, a request is made to the kernel to leave the group. It is the kernel/host which joins the multicast group and not the process. Kernel configuration requires "CONFIG_IP_MULTICAST=y". In order for the Linux kernel to support multicast routing, set the following in the kernel config:

  • CONFIG_IP_MULTICAST=y
  • CONFIG_IP_ROUTER=y
  • CONFIG_IP_MROUTE=y
  • CONFIG_NET_IPIP=y

The default Red Hat / Fedora kernels are compiled to support multicast.

See the YoLinux tutorial on optimization and rebuilding the Linux kernal.

Note that on multihomed systems (more than one IP address/network card), only one device can be configured to handle multicast.

Class D networks with a range of IP addresses from 224.0.0.0 to 239.255.255.255 (See Network Classes above) have typically been reserved for multicast.

Usefull commands:

CommandDescription
cat /proc/net/igmp List multicast group to which the host is subscribed. Use "Internet Group Management Protocol".
(See /usr/src/linux/net/core/igmp.c)
cat /proc/net/dev_mcast List multicast interfaces.
(See /usr/src/linux/net/core/dev_mcast.c)
ping 224.0.0.1 All hosts configured for multicast will respond with their IP addresses
ping 224.0.0.2 All routers configured for multicast will respond
ping 224.0.0.3 All PIM routers configured for multicast will respond
ping 224.0.0.4 All DVMRP routers configured for multicast will respond
ping 224.0.0.5 All OSPF routers configured for multicast will respond

Multicast transmissions are achieved through proper routing, router configuration (if communicating through subnets) and programatically with the use of the following "C" function library calls:

Function CallDescription
setsockopt() Pass information to the Kernel.
getsockopt() Retrieve information broadcast using multicast.
For more on multicast programming see: Multicast Howto.

The multicast application will specify the multicast loopback interface, TTL (network time to live), network interface and the multicast group to add or drop.

Add route to support multicast:
  • route add 224.0.0.0 netmask 240.0.0.0 dev eth0
Note that if adding a route to forward packets through a router, that the router MUST be configured to forward multicast packets. Many routers do not support forwarding of multicast packets or have a default configuration which does not. The internet by default does not forward multicast packets.

 

Serial Line IP:

Linux can support IP protocol over serial device interfaces. Over long distances this is typically supported using a modem over telephone lines (POTS: Plain Old Telephone Service) or satellite communications.

PPP: Point-to-Point Protocol

This is the most common form of IP over serial line and is the most common technique used by telephone dial-up ISPs. The following tutorials use a Hayes command set compatible modem.

PPTP: Point-to-Point Tunneling Protocol
SLIP: Serial Line IP (older than PPP and less capable)

Devices:

InterfacesDescription
sl0 sl1 sl2 sl3 SLIP interfaces. Linux kernel supports up to four.
COM1 COM2 COM3 COM4 Serial Ports (RS-232 hardware)
/dev/ttyS0 /dev/ttyS1 /dev/ttyS2 /dev/ttyS3 Serial devices (dial in)
(virtual terminal consoles)
/dev/cua0 /dev/cua1 /dev/cua2 /dev/cua3 Serial devices (dial out)
4 4 4 4 Interface major numbers (dial in)
5 5 5 5 Interface major numbers (dial out)
64 65 66 67 Interface minor numbers
The command ls -l /dev/ttyS* /dev/cua* will show the device major and minor numbers. The major and minor numbers are used when creating a SPLIP interface:
Example:
  • mknod -m 666 /dev/cua1 c 5 65
  • chown root.uucp /dev/cua1
SLIP configuration:
  • Configure /etc/resolve.conf
    (See notes above in this tutorial)
  • Attach network interface to serial line on COM2: /sbin/slattach -p slip -s 19200 /dev/ttyS1 &
  • Assign local and remote IP: /sbin/ifconfig sl0 192.168.1.10 pointopoint 192.168.1.40 up
    Assign local IP (192.168.1.10) and connect to remote server (192.168.1.40)
    Alternate example: /sbin/route add plip1 192.168.1.10 pointopoint 192.168.1.40
  • Add route: /sbin/route add default dev sl0 &
Also see Dialup IP (DIP)
PLIP: Parallel Line IP

Point to point serial links (rather than broadcast networks line ethernet), can alsobe supported over parallel printer ports.

An IP network at 10 to 20 kBps over parallel printer ports lp0 or lp1 are much faster than serial. Linux supports mode 0 PLIP transferring half bytes of data at a time. Requires "NULL Printer" or "Turbo Laplink" printer connection. See kernel source drivers/net/Space.c.
InterfaceI/O PortIRQ
plip0 0x3BC 7
plip1 0x378 7
plip2 0x278 5
PLIP Configuration:
  • ifconfig plip1 192.168.1.10 pointopoint 192.168.1.40
    connect host 192.168.1.10 to remote host 192.168.1.40
  • route add default gw 192.168.1.40
    Specify remote host as the gateway.
On the remote host at the other end of the cable, the opposite must be specified:
  • ifconfig plip1 192.168.1.40 pointopoint 192.168.1.10
  • route add 192.168.1.10 gw 192.168.1.40
Serial port related man pages:
  • setserial - get/set Linux serial port information
    Typical configuration:
    • Interrupt detection: /sbin/setserial -W /dev/cua*
    • Configuration: /sbin/setserial /dev/cua1 auto_irq skip_test autoconfig
      or /sbin/setserial /dev/cua1 auto_irq skip_test autoconfig uart 16550
    • Display Configuration: /sbin/setserial -bg /dev/cua*
    • Enable hardware handshake: stty crtscts < /dev/cua1
      (verify: stty -s < /dev/cua1)
  • stty - change and print terminal line settings
  • tty - print the file name of the terminal connected to standard input
  • pppd - Point-to-Point Protocol Daemon
  • slattach - attach a network interface to a serial line
  • mknod - make block or character special files

 

Living in a MS/Windows World:
  • SMB4k: My favorite MS/Windows file share browser.
  • In Nautilus use the URL "smb:" to view MS/Windows servers. [tutorial]
  • LinNeighborhood: Linux workstation gui tool.

    Make your life simple and use the GUI/File Manager LinNeighborhood. It uses smbmount, samba and smbclient to give you access to MS/Windows servers and printers.

See the YoLinux tutorial on integrating Linux into a Microsoft network.

 

Network Definitions:
  • IPv4: Most of the Internet servers and personal computers use Internet Protocol version 4 (IPv4). This uses 32 bits to assign a network address as defined by the four octets of an IP address up to 255.255.255.255. Which is the representation of four 8 bit numbers thus totaling 32 bits.
  • IPv6: Internet Protocol version 6 (IPv6) uses a 128 bit address and thus billions and billions of potential addresses. The protocol has also been upgraded to include new quality of service features and security. Currently Linux supports IPv6 but IPv4 is used when connecting your computer to the internet.
  • TCP/IP: (Transmission Control Protocol/Internet Protocol) uses a client - server model for communications. The protocol defines the data packets transmitted (packet header, data section), data integrity verification (error detection bytes), connection and acknowledgement protocol, and re-transmission.
  • TCP/IP time to live (TTL): This is a counting mechanism to determine how long a packet is valid before it reaches its destination. Each time a TCP/IP packet passes through a router it will decrement its TTL count. When the count reaches zero the packet is dropped by the router. This ensures that errant routing and looping aimless packets will not flood the network.
  • MAC Address: (media access control) is the network card address used for communication between other network devices on the subnet. This info is not routable. The ARP table maps TCP/IP address (global internet) to the local hardware on the local network. Use the command /sbin/ifconfig to view both the IP address and the MAC address. The MAC address uniquely identifies each node of a network and is used by the Ethernet protocol.
  • Full Duplex: Allows the simultaneous sending and receiving of packets. Most modern modems support full duplex.
  • Half Duplex: Allows the sending and receiving of packets in one direction at a time only.
  • OSI 7 Layer Model: The ISO (International Standards Organization) has defined the OSI (Open Systems Interconnection) model for current networking protocols.
    OSI LayerDescriptionLinux Networking Use
    7 Application Layer.
    The top layer for communications applications like email and the web.    		 telnet, web browser, sendmail
    6 Presentation Layer.
    Syntax and format of data transfer.    		 SMTP, http
    5 Session Layer.  
    4 Transport Layer.
    Connection, acknowledgement and data packet transmission.    		 TCP
    UDP
    3 Network Layer. IP
    ARP
    2 Data Link Layer.
    Error control, timing    		 Ethernet
    1 Physical Layer.
    Electrical characteristics of signal and NIC    		 Ethernet
  • Network Hub: Hardware to connect network devices together. The devices will all be on the same network and/or subnet. All network traffic is shared and can be sniffed by any other node connected to the same hub.
  • Network Switch: Like a hub but creates a private link between any two connected nodes when a network connection is established. This reduces the amount of network collisions and thus improves speed. Broadcast messages are still sent to all nodes.

 

Related Links:

Test Internet Bandwidth:

Man Pages:

  • icmp - Linux IPv4 ICMP kernel module
  • ifport - select the transceiver type for a network interface
  • usernetctl - allow a user to manipulate a network interface if permitted
  • ripquery - query RIP (Routing Information Protocol) gateways
  • gated - gateway routing daemon
posted @ 2012-07-16 16:42  Rabbit Nick  阅读(885)  评论(0编辑  收藏  举报