لطفا منتظر باشید ...
4.1. Understanding the /proc Filesystem
Linux 2.4 distributions rely on the
/proc filesystem for communicating with the
kernel, 2.6 uses the new sysfs. Both interfaces permit access to
kernel runtime information through a filesystem-like mechanism. For
purposes of this chapter, we'll focus more on the
/proc filesystem, as it is currently more widely
used. This filesystem, when mounted, can list files like any other
filesystem, or display their contents. Typical items include the
loadavg file, which contains the system load
average, and meminfo, which shows current core
memory and swap usage.To this, the networking code adds the
net directory. It contains a number of files
that show things such as the kernel ARP tables, the state of TCP
connections, and the routing tables. Most network administration
tools get their information from these files.The proc filesystem
(or procfs, as it is also known) is usually
mounted on /proc at system boot time. The best
method is to add the following line to
/etc/fstab:
# procfs mount point:Then execute mount /proc from your
none /proc proc defaults
/etc/rc script.The procfs is now configured into most kernels
by default.
4.1.1. Installing the Tools
Prepackaged Linux distributions contain the major networking
applications and utilities along with a coherent set of sample files.
The only case in which you might have to obtain and install new
utilities is when you install a new kernel release. Because they
occasionally involve changes in the kernel networking layer, you will
need to update the basic configuration tools. This update at least
involves recompiling, but sometimes you may also be required to
obtain the latest set of binaries. These binaries are available at
their official home site at
4.1.2. Setting the Hostname
Most,
if not all, network applications rely on you to set the local
host's name to some reasonable value. This setting
is usually made during the boot procedure by executing the hostname
command. To set the hostname to name,
enter:
# hostname name
It is common practice to
use the unqualified hostname without specifying the domain name. For
instance, if we had a site called the Virtual Brewery (an imaginary
but typical small network used in several chapters of this book) a
host might be called vale.vbrew.com
or vlager.vbrew.com. These are their
official fully qualified
domain names (FQDNs). Their
local hostnames would be the first component of the name, such as
vale. However, because the local
hostname is frequently used to look up the host's IP
address, you have to make sure that the resolver library is able to
look up the host's IP address. This usually means
that you have to enter the name in /etc/hosts.
Some people suggest using the
domainname command to set the
kernel's idea of a domain name to the remaining part
of the FQDN. This way you could combine the output from
hostname and domainname to
get the FQDN again. However, this is at best only half correct.
domainname is generally used to set the
host's NIS domain, which may be entirely different
from the DNS domain to which your host belongs. Instead, to ensure
that the short form of your hostname is resolvable with all recent
versions of the hostname command, either add it
as an entry in your local Domain Name Server or place the fully
qualified domain name in the /etc/hosts file.
You may then use the --fqdn argument to the
hostname command, and it will print the fully
qualified domain name.
4.1.3. Assigning IP Addresses
If you configure the networking software
on your host for standalone operation, you can safely skip this
section, because the only IP address you will need is for the
loopback interface, which is always 127.0.0.1. Things are a little more complicated
with real networks such as Ethernets. If you want to connect your
host to an existing network, you have to ask its administrators to
give you an IP address on this network, though this is not always the
case. Many networks now have a system of dynamically assigned IPs
called Dynamic Host Configuration Protocol
(DHCP), which we will discuss in the next section. When setting up a
network all by yourself, you have to assign IP addresses by hand or
by configuring a DHCP server. If you have a machine connected
directly to the Internet, you will need to obtain an IP address from
your ISP, DSL provider, or cable network.Hosts within a local network usually share
addresses from the same logical IP network, meaning that the first
octets of their IP addresses are usually the same. If you have
several physical networks, you have to either assign them different
network numbers, or use subnetting to split your IP address range
into several subnetworks. Subnetting will be revisited in the
"Creating Subnets" section later in
this chapter.
If your network is not connected to the
Internet or will use network address translation to connect, you are
free to choose any legal network address. Just make sure no packets
from your internal network escape to the real Internet. To make sure
no harm can be done even if packets do escape,
you should use one of the network numbers reserved for private use.
The Internet Assigned Numbers Authority (IANA)
has set aside several network numbers from classes A, B, and C that
you can use without registering. These addresses are valid only
within your private network and are not routed between real Internet
sites. The numbers are defined by RFC 1918 and are listed in Table 2-1 in Chapter 2. Note that
the second and third blocks contain 16 and 256 networks,
respectively.Picking your
addresses from one of these network numbers is not only useful for
networks completely unconnected to the Internet; you can still
implement restricted access to the Internet using a single host as a
gateway. To your local network, the gateway is accessible by its
internal IP address, while the outside world knows it by an
officially registered address (assigned to you by your provider). We
come back to this concept in connection with the IP masquerade
facility in Chapter 9. Throughout
the remainder of the book, we will assume that the
brewery's network manager uses a class B network
number, say 172.16.0.0. Of course, a
class C network number would definitely suffice to accommodate both
the brewery's and the winery's
networks. We'll use a class B network here for the
sake of simplicity; it will make the subnetting examples in the next
section of this chapter a little more intuitive.
4.1.4. Using DHCP to Obtain an IP Address
Many
networks now use the Dynamic Host Configuration
Protocol (DHCP). This protocol runs on network layer two
and listens for DHCP requests. The DHCP server has a predefined
listing of IP address assigned by the network administrator, which
can be assigned to users. When the DHCP receives a request for an IP
address, it replies by issuing a DHCP lease. The lease means that the
IP address is assigned to the requesting client for a predetermined
amount of time. Busy networks often set the lease for a fixed number
of hours to prevent the use of an address by an idle machine. Some
networks set the threshold as low as two hours. Smaller networks may
wish to set the DHCP lease times to a longer value, perhaps a day, or
even a week. The value is entirely up to the network administrator
and should be based on network usage.To request a
DHCP lease on a network, you will need to have the
dhcpcd software. The latest version of the
software can be obtained by visiting its home site http://www.phystech.com/download/dhcpcdl.
There you will find the latest versions of the software as well as
supporting documentation. Many modern Linux distributions will come
with this software preinstalled and will even allow you to configure
your interfaces with DHCP during the initial setup and configuration
of the system.Obtaining an IP address via DHCP is simple and is accomplished by
issuing the following command:
vlager# dhcpcd eth0The daemon
vlager#
will at this point, reconfigure your eth0
interface, not only assigning an IP address, but also properly
configuring the subnetting. Many DHCP servers will also provide
default route and DNS information. In the case of the latter, your
/etc/resolv.conf file will be rewritten with the
updated DNS server information. If for some reason you do not want
the daemon to rewrite your resolv.conf file, you
can specify -R on the command line. There are a
number of additional command-line options available for
dhcpcd, which may be needed in some
environments. For a list of these, please contact the
dhcpcd manpage. The resolv.conf
file will be discussed in greater detail in the chapter on
DNS.
4.1.4.1 Running a DHCP server
With larger, more dynamic networks, DHCP
is essential. However, in order for this service to be offered, the
clients must receive their IP address from a DHCP server. While a
number of routers, firewalls, and other network devices will offer
this functionality, a network administrator may wish to consider
using a Linux machine to provide it. Linux DHCP servers tend to
provide a greater flexibility with their configuration options. There
are a number of DHCP servers available, but one of the more popular
and better recommended offerings comes from the ISC and can be found
at First, though, you need to make sure
that your network interfaces are configured for multicast support.
This is most easily checked by using the ifconfig command:
ticktock root # ifconfigIf you don't see
eth0 Link encap:Ethernet HWaddr C0:FF:EE:C0:FF:EE
inet addr:172.16.1.1 Bcast:172.16.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:80272 errors:0 dropped:0 overruns:0 frame:0
TX packets:55339 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:8522502 (8.1 Mb) TX bytes:9203192 (8.7 Mb)
Interrupt:10 Base address:0x4000
MULTICAST specified in the output, you need to
reconfigure your kernel to support network multicast. The likelihood
of this is slim because most kernel configurations contain this as a
default option.
Now
you're ready to write a
dhcpd.conf file. A sample
dhcpd.conf file looks like this:
# Sample DHCP Server Configuration
option domain-name "vbrew.com";
option domain-name-servers ns1.vbrew.com, ns2.vbrew.com;
default-lease-time 1600;
max-lease-time 7200;
log-facility local7;
# This is a very basic subnet declaration.
subnet 172.16.1.0 netmask 255.255.255.0 {
range 172.16.1.10 172.16.1.50;
option routers router1.vbrew.com;
}
This configuration will create which
will assign addresses on the 172.16.1.0 network. It can assign a total of
40 IP addresses from 172.16.1.10 to
172.16.1.50. The option
routers and domain-name-servers
commands allow you to set the default router and DNS servers for the
clients.Here's a brief listing of some of the more useful
DHCP server configuration options:option domain-name
Between quotes,
you have the ability to specify the domain name for your network.
This isn't necessary, but may be useful to speed up
local name lookups.option domain-name-servers
While considered optional, in most cases
it is not. This is where the IP addresses or the FQDN domain name
servers are listed.default-lease-time
When a host asks for a lease and does not
request a specific amount of time, this value, in seconds, is
assigned.max-lease-time
This option specifies the maximum amount of time that will be
assigned as a lease.fixed-address
The fixed
address option lets you assign a fixed IP address to specific
clients. This option is generally paired with the MAC address
filtering options.hardware Ethernet
With this option, network administrators can specify which MAC
addresses will receive IP address allocations. This can be used to
secure a DHCP range, or can be used to pair MAC addresses with
specific IP addresses.The DHCP server can use the client
MAC address as a method to restrict or assign IP addresses. This type
of configuration might be necessary in higher security environments
where only known machines are to be assigned addresses. The following
example shows how the DHCP server can assign a specific address to a
host based on its MAC address, also important to note is that the
range directive can be used here as well:
host vale {
hardware ethernet 0:0f:d0:ee:ag:4e;
fixed-address 172.16.1.55;
}Make sure that your DHCP address pool ranges do not containstatically assigned addresses, otherwise IP address conflict problems
are sure to follow.
4.1.5. Creating Subnets
To operate
several Ethernets, you have to split your network into subnets. Note
that subnetting is required only if you have more than one broadcast
networkpoint-to-point links don't count. For
instance, if you have one Ethernet, and one or more PPP links to the
outside world, you don't need to subnet your
network. This is explained in more detail in Chapter 6.To accommodate the two Ethernets, the brewery's
network manager decides to use 8 bits of the host part as additional
subnet bits. This leaves another 8 bits for the host part, allowing
for 254 hosts on each of the subnets. She then assigns subnet number
1 to the brewery and gives the winery number 2. Their respective
network addresses are thus 172.16.1.0 and 172.16.2.0. The subnet mask is 255.255.255.0.vlager, which is the gateway between
the two networks, is assigned a host number of 1 on both of them,
which gives it the IP addresses 172.16.1.1 and 172.16.2.1, respectively. Note that in this example we are using a
class B network to keep things simple, but a class C network would be
more realistic. With the new networking code, subnetting is not
limited to byte boundaries, so even a class C network may be split
into several subnets. For instance, you could use two bits of the
host part for the netmask, giving you 4 possible subnets with 64
hosts on each.[1][1] The first number on each subnet is the
subnetwork address, and the last number on each subnet, is reserved
as the broadcast address, so it's actually 62 hosts
per subnet.
4.1.6. Writing Hosts and Networks Files
After you
have subnetted your network, you should prepare for some simple sort
of hostname resolution using the /etc/hosts
file. If you are not going to use DNS or NIS for address resolution,
you have to put all hosts in the hosts file.Even if you want to run DNS during normal operation, you should have
some subset of all hostnames in /etc/hosts. You
should have some sort of name resolution, even when no network
interfaces are running, for example, during boot time. This is not
only a matter of convenience, but it allows you to use symbolic
hostnames in your network rc scripts. Thus, when
changing IP addresses, you only have to copy an updated
hosts file to all machines and reboot, rather
than edit a large number of rc files separately.
Usually you put all local hostnames and addresses in
hosts, adding those of any gateways and NIS
servers used.You should make sure that your resolver uses information from the
hosts file only during initial testing. Sample
files that come with your DNS software may produce strange results.
To make all applications use /etc/hosts
exclusively when looking up the IP address of a host, you have to
edit the /etc/host.conf file. Comment out any
lines that begin with the keyword order by
preceding them with a hash sign, and insert the line:
order hostsThe configuration of the resolver library is covered in detail in
Chapter 6.The hosts file contains one entry per line,
consisting of an IP address, a hostname, and an optional list of
aliases for the hostname. The fields are separated by spaces or tabs,
and the address field must begin in the first column. Anything
following a hash sign (#) is regarded as a comment and is ignored.Hostnames can be either fully qualified or relative to the local
domain. For vale, you would usually
enter the fully qualified name, vale.vbrew.com, and vale by itself in the
hosts file, so that it is known by both its
official name and the shorter local name.This is an example how a hosts file at the
Virtual Brewery might look. Two special names are included, vlager-if1 and vlager-if2, which give the addresses for both
interfaces used on vlager:
#Just as with a
# Hosts file for Virtual Brewery/Virtual Winery
#
# IP FQDN aliases
#
127.0.0.1 localhost
#
172.16.1.1 vlager.vbrew.com vlager vlager-if1
172.16.1.2 vstout.vbrew.com vstout
172.16.1.3 vale.vbrew.com vale
#
172.16.2.1 vlager-if2
172.16.2.2 vbeaujolais.vbrew.com vbeaujolais
172.16.2.3 vbardolino.vbrew.com vbardolino
172.16.2.4 vchianti.vbrew.com vchianti
host's IP address, you should sometimes use a
symbolic name for network numbers, too. Therefore, the
hosts file has a companion called
/etc/networks that maps network names to network
numbers, and vice versa. At the Virtual Brewery, we might install a
networks file as shown in the
following.[2] [2] Note that names in
networks must not collide with hostnames from
the hosts file, or else some programs may
produce strange results.
# /etc/networks for the Virtual Brewery
brew-net 172.16.1.0
wine-net 172.16.2.0
4.1.7. Interface Configuration for IP
After setting up your hardware as
explained in Chapter 3, you have to make these
devices known to the kernel networking software. A couple of commands
are used to configure the network interfaces and initialize the
routing table. These tasks are usually performed from the network
initialization script each time you boot the system. The basic tools
for this process are called ifconfig (where
"if" stands for interface) and
route.ifconfig is used to make an interface
accessible to the kernel networking layer. This involves the
assignment of an IP address and other parameters, and activation of
the interface, also known as "bringing
up" the interface. Being active here means that the
kernel will send and receive IP datagrams through the interface. The
simplest way to invoke it is with:
ifconfig interface ip-addressThis command assigns ip-address to
interface and activates it. All other
parameters are set to default values. For instance, the default
network mask is derived from the network class of the IP address,
such as 255.255.0.0 for a class B
address. ifconfig is described in detail later
in this chapter.route allows you to add or remove routes from
the kernel routing table. It can be invoked as:
route [add|del] [-net|-host] target [if]The add and
del arguments determine whether to add or delete
the route to target. The
-net and -host arguments tell
the route command whether the target is a network or a host. The
if argument is again optional, and allows
you to specify to which network interface the route should be
directedthe Linux kernel makes a sensible guess if you
don't supply this information. This topic will be
explained in more detail in succeeding sections.
4.1.8. The Loopback Interface
Almost always, the very first interface
to be activated is the loopback interface:
# ifconfig lo 127.0.0.1
Occasionally,
you will see the dummy hostname localhost being used instead of the IP
address. ifconfig will look up the name in the
hosts file, where an entry should declare it as
the hostname for 127.0.0.1:
# Sample /etc/hosts entry for localhostTo view the configuration of an interface, you invoke ifconfig, giving it only the interface name as
localhost 127.0.0.1
argument:
$ ifconfig loAs you can see, the loopback interface has been assigned a netmask of
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
255.0.0.0, since 127.0.0.1 is a class A address.Now you can almost start playing with your mini-network. What is
still missing is an entry in the routing table that tells IP that it
may use this interface as a route to destination 127.0.0.1. This is accomplished by using:
# route add 127.0.0.1Again, you can use localhost instead of the IP
address, provided you've entered it into your
/etc/hosts.Next, you
should check that everything works fine, for example, by using
ping. ping is the
networking equivalent of a sonar device. The command is used to
verify that a given address is actually reachable, and to measure the
delay that occurs when sending a datagram to it and back again. The
time required for this process is often referred to as the
"round-trip time":
# ping localhostWhen you invoke ping as shown here, it will
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.4 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.4 ms
^C
--- localhost ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms
#
continue emitting packets forever, unless interrupted by the user.
The ^C marks the place where we pressed Ctrl-C.The previous example shows that packets for 127.0.0.1 are properly delivered and a reply
is returned to ping almost instantaneously. This
shows that you have successfully set up your first network interface. If the output you get from
ping does not resemble that shown in the
previous example, you are in trouble. Check any errors if they
indicate that some file hasn't been installed
properly. Check that the ifconfig
and route binaries you use are compatible with
the kernel release you run, and above all, that the kernel has been
compiled with networking enabled (you see this from the presence of
the /proc/net directory). If you get an error
message saying "Network
unreachable," you probably got the route command wrong. Make sure you use the
same address that you gave to ifconfig.The steps previously described are enough to use networking
applications on a standalone host. After adding the lines mentioned
earlier to your network initialization script and making sure it will
be executed at boot time, you may reboot your machine and try out
various applications. For instance, ssh
localhost should establish an ssh
connection to your host, giving you an SSH login
prompt.
However, the loopback interface is useful not only as an example in
networking books, or as a test bed during development, but is
actually used by some applications during normal operation.[3] Therefore, you always have to
configure it, regardless of whether your machine is attached to a
network or not. [3] For example, all applications based on RPC use the loopback
interface to register themselves with the
portmapper daemon at startup. These applications
include NIS and NFS.
4.1.9. Ethernet Interfaces
Configuring
an Ethernet interface is pretty much the same as the loopback
interface; it just requires a few more parameters when you are using
subnetting.At the Virtual Brewery, we have subnetted the IP network, which was
originally a class B network, into class C subnetworks. To make the
interface recognize this, the ifconfig
incantation would look like this:
# ifconfig eth0 vstout netmask 255.255.255.0This command assigns the eth0 interface the IP
address of vstout (172.16.1.2). If we omitted the netmask,
ifconfig would deduce the netmask
from the IP network class, which would result in an incorrect netmask
of 255.255.0.0. Now a quick check
shows:
# ifconfig eth0You can see that ifconfig automatically sets the broadcast
eth0 Link encap 10Mps Ethernet HWaddr 00:00:C0:90:B3:42
inet addr 172.16.1.2 Bcast 172.16.1.255 Mask 255.255.255.0
UP BROADCAST RUNNING MTU 1500 Metric 1
RX packets 0 errors 0 dropped 0 overrun 0
TX packets 0 errors 0 dropped 0 overrun 0
address (the Bcast field) to the usual value,
which is the host's network number with all the host
bits set. Also, the maximum transmission unit (the maximum size of IP
datagrams the kernel will generate for this interface) has been set
to the maximum size of Ethernet packets: 1,500 bytes. The defaults
are usually what you will use, but all these values can be overidden
if required, with special options that will be described under later
in this chapter.Just as for the loopback interface, you
now have to install a routing entry that informs the kernel about the
network that can be reached through eth0. For
the Virtual Brewery, you might invoke route as:
# route add -net 172.16.1.0At first this looks a little like magic, because
it's not really clear how route detects which
interface to route through. However, the trick is rather simple: the
kernel checks all interfaces that have been configured so far and
compares the destination address (172.16.1.0 in this case) to the network part
of the interface address (that is, the bitwise AND of the interface
address and the netmask). The only interface that matches is
eth0. Now, what's that
-net option for? This is used because route can handle both routes to networks and
routes to single hosts (as you saw before with
localhost). When given an address in dotted quad
notation, route attempts to guess
whether it is a network or a hostname by looking at the host part
bits. If the address's host part is zero, route assumes it denotes a network; otherwise,
route takes it as a host address.
Therefore, route would think that
172.16.1.0 is a host address rather
than a network number because it cannot know that we use subnetting.
We have to tell route explicitly
that it denotes a network, so we give it the -net
flag.Of course, the
route command is a little tedious to
type, and it's prone to spelling mistakes. A more
convenient approach is to use the network names we defined in
/etc/networks. This approach makes the command
much more readable; even the -net flag can be
omitted because route knows that
172.16.1.0 denotes a network:
# route add brew-netNow that you've finished the basic configuration
steps, we want to make sure that your Ethernet interface is indeed
running happily. Choose a host from your Ethernet, for instance
vlager, and type:
# ping vlagerIf you don't
PING vlager: 64 byte packets
64 bytes from 172.16.1.1: icmp_seq=0. time=11. ms
64 bytes from 172.16.1.1: icmp_seq=1. time=7. ms
64 bytes from 172.16.1.1: icmp_seq=2. time=12. ms
64 bytes from 172.16.1.1: icmp_seq=3. time=3. ms
^C
----vstout.vbrew.com PING Statistics----
4 packets transmitted, 4 packets received, 0
round-trip (ms) min/avg/max = 3/8/12
see similar output, something is broken. If you encounter unusual
packet loss rates, this hints at a hardware problem, such as bad or
missing terminators. If you don't receive any
replies at all, you should check the interface configuration with
netstat, described later in the chapter. The
packet statistics displayed by ifconfig should tell you whether any
packets have been sent out on the interface at all. If you have
access to the remote host too, you should go over to that machine and
check the interface statistics. This way you can determine exactly
where the packets got dropped. In addition, you should display the
routing information with route to see whether both hosts have the
correct routing entry. route prints out the
complete kernel routing table when invoked without any arguments
(-n just makes it print addresses as dotted quad
instead of using the hostname):
# route -nThe detailed meaning of these fields is explained later in the
Kernel routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
127.0.0.1 * 255.255.255.255 UH 1 0 112 lo
172.16.1.0 * 255.255.255.0 U 1 0 10 eth0
chapter. The Flags column contains a list of flags
set for each interface. U is always set for active
interfaces, and H says the destination address
denotes a host. If the H flag is set for a route
that you meant to be a network route, you have to reissue the route
command with the -net option. To check whether a
route you have entered is used at all, check to see if the
Use field in the second to last column increases
between two invocations of ping.
4.1.10. Routing Through a Gateway
In the previous section, we covered only
the case of setting up a host on a single Ethernet. Quite frequently,
however, one encounters networks connected to one another by
gateways. These gateways may simply link two or more Ethernets but
may also provide a link to the outside world, such as the Internet.
In order to use a gateway, you have to provide additional routing
information to the networking layer.The Ethernets of the Virtual Brewery and the Virtual Winery are
linked through such a gateway, namely the host vlager. Assuming that vlager has already been configured, we just
have to add another entry to vstout's routing table that
tells the kernel it can reach all hosts on the
winery's network through vlager. The appropriate incantation of
route is shown below; the
gw keyword tells it that the next argument denotes
a gateway:
# route add wine-net gw vlagerOf course, any host on the winery network you wish to talk to must
have a routing entry for the brewery's network.
Otherwise you would only be able to send data to the winery network
from the brewery network, but the hosts on the winery would be unable
to reply.This example describes only a gateway that
switches packets between two isolated Ethernets. Now assume that
vlager also has a connection to the
Internet (say, through an additional SLIP link). Then we would want
datagrams to any destination network other than
the brewery to be handed to vlager.
This action can be accomplished by making it the default gateway for
vstout:
# route add default gw vlagerThe network name default is
shorthand for 0.0.0.0, which denotes
the default route. The default route matches every destination and
will be used if there is no more specific route that matches. You do
not have to add this name to /etc/networks
because it is built into route.If you see high packet loss rates
when pinging a host behind one or more gateways, this may hint at a
very congested network. Packet loss is not so much due to technical
deficiencies as to temporary excess loads on forwarding hosts, which
makes them delay or even drop incoming datagrams.
4.1.11. Configuring a Gateway
Configuring
a machine to switch packets between two Ethernets is pretty
straightforward. Assume we're back at vlager, which is equipped with two Ethernet
cards, each connected to one of the two networks. All you have to do
is configure both interfaces separately, giving them their respective
IP addresses and matching routes, and that's it.It is quite useful to add
information on the two interfaces to the hosts
file as shown in the following example, so we have handy names for
them, too:
172.16.1.1 vlager.vbrew.com vlager vlager-if1The sequence of commands to set up the two interfaces is then:
172.16.2.1 vlager-if2
# ifconfig eth0 vlager-if1
# route add brew-net
# ifconfig eth1 vlager-if2
# route add wine-net
If this sequence doesn't
work, make sure your kernel has been compiled with support for IP
forwarding enabled. One good way to do this is to ensure that the
first number on the second line of
/proc/net/snmp is set to 1.
4.1.12. The Point-to-Point Interface
A PLIP
link used to connect two machines is a little different from an
Ethernet. PLIP links are an example of what are called
point-to-point links, meaning that there is a
single host at each end of the link. Networks like Ethernet are
called broadcast networks. Configuration of
point-to-point links is different because unlike broadcast networks,
point-to-point links don't support a network of
their own.PLIP provides very cheap and portable links between computers. As an
example, we'll consider the laptop computer of an
employee at the Virtual Brewery that is connected to vlager via PLIP. The laptop itself is called
vlite and has only one parallel
port. At boot time, this port will be registered as
plip1. To activate the link, you have to
configure the plip1 interface using the
following commands:[4][4] Note that pointopoint is not a typo. It really is
spelled like this.
# ifconfig plip1 vlite pointopoint vlagerThe first command configures the interface, telling the kernel that
# route add default gw vlager
this is a point-to-point link, with the remote side having the
address of vlager. The second
installs the default route, using vlager as gateway. On vlager, a similar ifconfig command is necessary to activate the
link (a route invocation is not
needed):
# ifconfig plip1 vlager pointopoint vliteNote that the plip1 interface on vlager does not need a separate IP address,
but may also be given the address 172.16.1.1. Point-to-point networks
don't support a network directly, so the interfaces
don't require an address on any supported network.
The kernel uses the interface information in the routing table to
avoid any possible confusion.[5] Now we have configured
routing from the laptop to the brewery's network;
what's still missing is a way to route from any of
the brewery's hosts to vlite. One particularly cumbersome way is to
add a specific route to every host's routing table
that names vlager as a gateway to
vlite:[5] As a matter of caution,
you should configure a PLIP link only after you have completely set
up the routing table entries for your Ethernets. With some older
kernels, your network route might otherwise end up pointing at the
point-to-point link.
# route add vlite gw vlager
Dynamic
routing offers a much better option for temporary routes. You could
use gated, a routing daemon, which you would
have to install on each host in the network in order to distribute
routing information dynamically. The easiest option, however, is to
use proxy ARP (Address
Resolution Protocol). With proxy ARP, vlager will respond to any ARP query for
vlite by sending its own Ethernet
address. All packets for vlite will
wind up at vlager, which then
forwards them to the laptop. We will come back to proxy ARP in the
section "Checking the ARP Tables,"
later in the chapter.
Current
net-tools releases contain a tool called
plipconfig, which allows you to set certain PLIP
timing parameters. The IRQ to be used for the printer port can be set
using the ifconfig command.
4.1.13. The PPP Interface
Although
PPP links are only simple point-to-point links like PLIP connections,
there is much more to be said about them. We discuss PPP in detail in
Chapter 6.
4.1.14. IP Alias
The Linux kernel
supports a feature that completely replaces the old dummy interface
and serves other useful functions. IP Alias allows you to configure
multiple IP addresses onto a physical device. In most cases, you
could configure your host to look like many different hosts, each
with its own IP address. This configuration is sometimes called
virtual hosting, although technically it is also
used for a variety of other techniques.[6][6] More
correctly, using IP aliasing is known as network layer virtual
hosting. It is more common in the WWW and STMP worlds to use
application layer virtual hosting, in which the same IP address is
used for each virtual host, but a different hostname is passed with
each application layer request.
To configure an alias for an
interface, you must first ensure that your kernel has been compiled
with support for IP Alias (check that you have a
/proc/net/ip_alias file; if not, you will have
to recompile your kernel). Configuration of an IP alias is virtually
identical to configuring a real network device; you use a special
name to indicate it's an alias that you want. For
example:
# ifconfig eth0:0 172.16.1.1This command would produce an alias for the eth0
interface with the address 172.16.1.1. IP aliases are referred to by
appending :n to the actual network device,
in which "n" is an integer. In our
example, the network device we are creating the alias on is
eth0, and we are creating an alias numbered zero
for it. This way, a single physical device may support a number of
aliases. Each alias may be treated as though it is
a separate device, and as far as the kernel IP software is concerned,
it will be; however, it will be sharing its hardware with another
interface.
4.1.15. All About ifconfig
There are
many more parameters to ifconfig than we have
described so far. Its normal invocation is this:
ifconfig interface [address [parameters]]interface is
the interface name, and address is the IP
address to be assigned to the interface. This may be either an IP
address in dotted quad notation or a name that
ifconfig will look up in
/etc/hosts.If ifconfig is invoked with only the
interface name, it displays that interface's
configuration. When invoked without any parameters, it displays all
interfaces you have configured so far; a -a option
forces it to show the inactive ones as well. A sample invocation for
the Ethernet interface eth0 may look like this:
# ifconfig eth0The MTU and MeTRic fields show
eth0 Link encap 10Mbps Ethernet HWaddr 00:00:C0:90:B3:42
inet addr 172.16.1.2 Bcast 172.16.1.255 Mask 255.255.255.0
UP BROADCAST RUNNING MTU 1500 Metric 0
RX packets 3136 errors 217 dropped 7 overrun 26
TX packets 1752 errors 25 dropped 0 overrun 0
the current maximum transmission unit size and metric value for that
interface. The metric value is traditionally used by some operating
systems to compute the cost of a route.The RX and TX lines show how
many packets have been received or transmitted error free, how many
errors occurred, how many packets were dropped (probably because of
low memory), and how many were lost because of an overrun. Receiver
overruns usually occur when packets come in faster than the kernel
can service the last interrupt. The flag values printed by
ifconfig roughly correspond to the names of its
command-line options; they will be explained later.The following is a list of parameters recognized by
ifconfig, with the corresponding flag names.
Options that simply turn on a feature also allow it to be turned off
again by preceding the option name by a dash
(-).
up
This option makes an interface accessible to the IP layer. This
option is implied when an address is given
on the command line. It may also be used to reenable an interface
that has been taken down temporarily using the
down option.This
option corresponds to the flags UP and
RUNNING.down
This option marks an interface inaccessible to the IP layer. This
effectively disables any IP traffic through the interface. Note that
this option also automatically deletes all routing entries that use
this interface.netmask mask
This option assigns a subnet mask to be used by the interface. It may
be given as either a 32-bit hexadecimal number preceded by 0x, or as
a dotted quad of decimal numbers. While the dotted quad format is
more common, the hexadecimal representation is often easier to work
with. Netmasks are essentially binary, and it is easier to do
binary-to-hexadecimal than binary-to-decimal conversion.pointopoint address
This option is used for
point-to-point IP links that involve only two hosts. This option is
needed to configure SLIP or PLIP interfaces, for example. If a
point-to-point address has been set, ifconfig
displays the POINTOPOINT flag.broadcast address
The broadcast address is usually made
up from the network number by setting all bits of the host part. Some
IP implementations (systems derived from BSD 4.2, for instance) use a
different scheme in which all host part bits are cleared instead. The
broadcast option adapts to these strange
environments. If a broadcast address has been set,
ifconfig displays the
BROADCAST flag.irq
This option allows you to set the IRQ line used by certain devices.
This is especially useful for PLIP, but may also be useful for
certain Ethernet cards.metric number
This option may
be used to assign a metric value to the routing table entry created
for the interface. This metric is used by the RIP to build routing
tables for the network.[7] The default
metric used by ifconfig is zero. If you
don't run a RIP daemon, you don't
need this option at all; if you do, you will rarely need to change
the metric value.[7] RIP chooses the optimal route
to a given host based on the
"length" of the path. It is
computed by summing up the individual metric values of each
host-to-host link. By default, a hop has length 1, but this may be
any positive integer less than 16. (A route length of 16 is equal to
infinity. Such routes are considered unusable.) The metric parameter sets this hop cost, which is
then broadcast by the routing daemon.mtu bytes
This sets the
Maximum Transmission Unit, which is the maximum number of octets the
interface is able to handle in one transaction. For Ethernets, the
MTU defaults to 1,500 (the largest allowable size of an Ethernet
packet); for SLIP interfaces, it is 296. (There is no constraint on
the MTU of SLIP links; this value is a good compromise.)arp
This is an option specific to broadcast
networks such as Ethernets or packet radio. It enables the use of the
ARP to detect the physical addresses of hosts attached to the
network. For broadcast networks, it is on by default. If ARP is
disabled, ifconfig displays the
NOARP flag.-arp
This option disables the use of ARP on
this interface.promisc
This option puts the interface in
promiscuous mode. On a broadcast network, this makes the interface
receive all packets, regardless of whether they were destined for
this host. This allows network traffic analysis using packet filters
and such, also called Ethernet
snooping. Usually, this is a good technique for
hunting down network problems that are otherwise hard to detect.
Tools such as tcpdump rely on this. On the other hand, this option
allows attackers to do nasty things, such as skim the traffic of your
network for passwords. You can protect against this type of attack by
prohibiting just anyone from plugging their computers into your
Ethernet. You could also use secure authentication protocols, such as
Kerberos or the secure shell login suite.[8] This option corresponds to the PROMISC flag.[8] OpenSSH can
be obtained from -promisc
This option turns promiscuous mode off.allmulti
Multicast addresses are like Ethernet
broadcast addresses, except that instead of automatically including
everybody, the only people who receive packets sent to a multicast
address are those programmed to listen to it. This is useful for
applications such as Ethernet-based video conferencing or network
audio, to which only those interested can listen. Multicast
addressing is supported by most, but not all, Ethernet drivers. When
this option is enabled, the interface receives and passes multicast
packets for processing. This option corresponds to the
ALLMULTI flag.-allmulti
This option turns multicast addresses off.
4.1.16. The netstat Command
netstat
is a useful tool for checking your network configuration and
activity. It is in fact a collection of several tools lumped
together. We discuss each of its functions in the following sections.
4.1.16.1 Displaying the routing table
When you invoke netstat with the
-r flag, it displays the kernel routing table in
the way we've been doing with route. On vstout, it produces:
# netstat -nrThe -n option
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
127.0.0.1 * 255.255.255.255 UH 0 0 0 lo
172.16.1.0 * 255.255.255.0 U 0 0 0 eth0
172.16.2.0 172.16.1.1 255.255.255.0 UG 0 0 0 eth0
makes netstat print addresses as
dotted quad IP numbers rather than the symbolic host and network
names. This option is especially useful when you want to avoid
address lookups over the network (e.g., to a DNS or NIS server). The second column of netstat's output shows the
gateway to which the routing entry points. If no gateway is used, an
asterisk is printed instead. The third column shows the
"generality" of the route, i.e.,
the network mask for this route. When given an IP address to find a
suitable route for, the kernel steps through each of the routing
table entries, taking the bitwise AND of the address and the genmask
before comparing it to the target of the route. The most specific
match is used.The fourth column displays the following flags that describe the
route:G
The route uses a gateway.U
The interface to be used is up.H
Only a single host can be reached through the route. For example,
this is the case for the loopback entry 127.0.0.1.D This route is dynamically created. It is
set if the table entry has been generated by a routing daemon such as
gated or by an ICMP redirect message (see Chapter 2).M
This route is set if the table entry was modified by an ICMP redirect
message.!
The route is a reject route and datagrams will be dropped.The next three columns show the
MSS, Window, and irtt that will be applied to TCP connections
established via this route. The MSS is the Maximum Segment Size and
is the size of the largest datagram the kernel will construct for
transmission via this route. The Window is the maximum amount of data
the system will accept in a single burst from a remote host. The
acronym irtt stands for
"initial round trip time." The TCP
protocol ensures that data is reliably delivered between hosts by
retransmitting a datagram if it has been lost. The TCP protocol keeps
a running count of how long it takes for a datagram to be delivered
to the remote end and an acknowledgement to be received, so that it
knows how long to wait before assuming a datagram needs to
retransmitted; this process is called the round-trip time. The
initial round-trip time is the value that the TCP protocol uses when
a connection is first established. For most network types, the
default value is okay, but for some slow networks, notably certain
types of amateur packet radio networks, the time is too short and
causes unnecessary retransmission. The irtt value can be set using
the route command. Values of zero in these
fields mean that the default is being used.Finally, the last field displays the network interface that this
route will use.
4.1.16.2 Displaying interface statistics
When invoked with the-i flag, netstat displays statistics for the
network interfaces currently configured. If the -a
option is also given, it prints all interfaces
present in the kernel, not only those that have been configured
currently. On vstout, the output
from netstat will look like this:
# netstat -iThe MTU and Met fields show the
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flags
lo 0 0 3185 0 0 0 3185 0 0 0 BLRU
eth0 1500 0 972633 17 20 120 628711 217 0 0 BRU
current MTU and metric values for that interface. The
RX and TX columns show how many
packets have been received or transmitted error-free
(RX-OK/TX-OK) or damaged
(RX-ERR/TX-ERR); how many were
dropped (RX-DRP/TX-DRP); and
how many were lost because of an overrun
(RX-OVR/TX-OVR).The last column shows the flags that have been set for this
interface. These characters are one-character versions of the long
flag names that are printed when you display the interface
configuration with ifconfig:BA broadcast address has been set.LThis interface is a loopback device.MAll packets are received (promiscuous mode).OARP is turned off for this interface.PThis is a point-to-point connection.RInterface is running.UInterface is up.
4.1.16.3 Displaying connections
netstat supports aset of options to display active or passive sockets. The options
-t, -u, -w,
and -x show active TCP, UDP, RAW, and Unix socket
connections. If you provide the -a flag in
addition, sockets that are waiting for a connection (i.e., listening)
are displayed as well. This display will give you a list of all
servers that are currently running on your system.Invoking netstat -ta on vlager produces this output:
$ netstat -taThis output shows most servers simply waiting for an incoming
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 localhost:webcache *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 ::ffff:1.2.3.4:ssh ::ffff:4.5.6.:49152 ESTABLISHED
tcp 0 652 ::ffff:1.2.3.4:ssh ::ffff:4.5.6.:31996 ESTABLISHED
connection. However, the fourth line shows an incoming SMTP
connection from vstout, and the
sixth line tells you there is an outgoing telnet
connection to vbardolino.[9][9] You can tell whether a connection is outgoing from the port
numbers. The port number shown for the calling host will always be a
simple integer. The host being called will use a well-known service
port will be in use for which netstat uses the
symbolic name such as smtp, found in
/etc/services. Of course, it is possible to
specify your source port in a number of applications these days, so
this isn't a guarantee!Using the -a flag by itself will display all
sockets from all families.
4.1.17. Testing Connectivity with traceroute
A very simple way to test
connectivity between hosts, and to verify routing paths is to use the
traceroute tool. traceroute
uses UDP datagrams (or ICMP if the -I option is
specified) to determine the path which packets take over the network.
The command can be invoked as follows:
# traceroute -n www.oreilly.com
traceroute to www.oreilly.com (208.201.239.37), 30 hops max, 40 byte packets
1 22.44.55.23 187.714 ms 178.548 ms 177.132 ms
2 206.171.134.130 186.730 ms 168.750 ms 150.769 ms
3 216.102.176.193 168.499 ms 209.232.130.82 194.629 ms 209.232.130.28 185.999 ms
4 151.164.243.121 212.852 ms 230.590 ms 132.040 ms
5 151.164.240.134 80.049 ms 71.191 ms 53.450 ms
6 151.164.40.150 45.320 ms 44.579 ms 176.651 ms
7 151.164.191.82 168.499 ms 194.864 ms 149.789 ms
8 151.164.248.90 80.065 ms 71.185 ms 88.922 ms
9 69.22.143.178 228.883 ms 222.204 ms 179.093 ms
10 69.22.143.6 131.573 ms 89.394 ms 71.180 ms
.
.
4.1.18. Checking the ARP Tables
On
some occasions, it is useful to view or alter the contents of the
kernel's ARP tables, for example, when you suspect a
duplicate Internet address is the cause for some intermittent network
problem. The arp tool was made for situations
like this. Its command-line options are:
arp [-v] [-t hwtype] -a [hostname]All
arp [-v] [-t hwtype] -s hostname hwaddr
arp [-v] -d hostname [hostname]
hostname arguments may be either symbolic
hostnames or IP addresses in dotted quad notation.The first invocation displays the ARP entry for the IP address or
host specified, or all hosts known if no
hostname is given. For example, invoking
arp on vlager
may yield something similar to:
# arp -ewhich shows the Ethernet addresses of several hosts.The
Address HWtype HWaddress Flags Mask Iface
172.16.0.1 (incomplete) eth0
172.16.0.155 ether 00:11:2F:38:4E:4F C eth0
172.16.0.69 ether 00:90:4B:F1:3A:B5 C eth0
vale.vbrew.com ether 00:10:67:30:C5:7B C eth1
172.16.0.207 ether 00:0B:DB:1A:C7:E2 C eth0
-s option is used to permanently add
hostname's Ethernet
address to the ARP tables. The hwaddr
argument specifies the hardware address, which is by default expected
to be an Ethernet address specified as six hexadecimal bytes
separated by colons. You may also set the hardware address for other
types of hardware, using the -t option.For some reason, ARP queries for the remote host sometimes fail, for
instance, when its ARP driver is buggy or there is another host in
the network that erroneously identifies itself with that
host's IP address; this problem requires you to
manually add an IP address to the ARP table. Hard-wiring IP addresses
in the ARP table is also a (very drastic) measure to protect yourself
from hosts on your Ethernet that pose as someone
else.Invoking arp using
the -d switch deletes all ARP entries relating to
the given host. This switch may be used to force the interface to
reattempt obtaining the Ethernet address for the IP address in
question. This is useful when a misconfigured system has broadcasted
wrong ARP information (of course, you have to reconfigure the broken
host first).
The -s
option may also be used to implement proxy ARP.
This is a special technique through which a host, say gate, acts as a gateway to another host named
fnord by pretending that both
addresses refer to the same host, namely gate. It does so by publishing an ARP entry
for fnord that points to its own
Ethernet interface. Now when a host sends out an ARP query for
fnord, gate will return a reply containing its own
Ethernet address. The querying host will then send all datagrams to
gate, which dutifully forwards them
to fnord.These contortions may be necessary when you want to access fnord from a DOS machine with a broken TCP
implementation that doesn't understand routing too
well. When you use proxy ARP, it will appear to the DOS machine as if
fnord was on the local subnet, so it
doesn't have to know about how to route through a
gateway.Another useful application of proxy ARP is
when one of your hosts acts as a gateway to some other host only
temporarily, for instance, through a dial-up link. In a previous
example, we encountered the laptop vlite, which was connected to vlager through a PLIP link from time to time.
Of course, this application will work only if the address of the host
you want to provide proxy ARP for is on the same IP subnet as your
gateway. vstout could proxy ARP for
any host on the brewery subnet (172.16.1.0), but never for a host on the
winery subnet (172.16.2.0).
The
proper invocation to provide proxy ARP for fnord is given below; of course, the given
Ethernet address must be that of gate:
# arp -s fnord 00:00:c0:a1:42:e0 pubThe proxy ARP
entry may be removed again by invoking:
# arp -d fnord
