Contents

IPv4 Fundamentals
TCP/UDP Fundamentals
Linux Network Interfaces
Ethernet Hardware Tools
Network Configuration with ip Command
Configuring Routing Tables
IP to MAC Address Mapping with ARP
Starting and Stopping Interfaces
NetworkManager
DNS Clients
DHCP Clients
system-config-network
Network Diagnostics
Information from netstat and ss
Managing Network-Wide Time
Continual Time Sync with NTP
Configuring NTP Clients
Useful NTP Commands
Lab Tasks
  1. Network Discovery
  2. Basic Client Networking
  3. NTP Client Configuration

Chapter 11
BASIC NETWORKING

Understanding IP Addresses

The Internet Protocol (IP) uses IP addresses to identify individual devices on a network. IP addresses consist of a 32 bit number that is commonly expressed in dotted quad notation (break the bits into octets, convert each octet to decimal, and separate the four octets by periods). Like most network protocols, IP groups hosts that reside within a common broadcast domain into a logical network. Each IP address within a given IP network will have the same prefix.

Unlike most other network protocols, the IP protocol allows for variable network prefix lengths. This means that to properly interpret an IP address, you must also know what subnet mask is associated with the address. Subnet masks indicate the division between the network bits and the host bits. Subnet masks are also 32 bits in length, and each set bit (binary one) indicates that the bit in the same relative position in the associated IP address is part of the network prefix. Subnet masks are commonly represented in either dotted quad notation (for example 255.255.0.0), or the more elegant prefix length format popularized by CIDR/VLSM (for example /16).

The host bits of a normal node IP address always consist of a mixture of binary ones and zeros. The case where all host bits in an IP address are set to binary one is used as the broadcast address (all hosts) for that network prefix.
Conversely, the case where all host bits are set to binary zero is used to represent the network itself.

IPv4 Fundamentals
* IPv4 addresses
  - Contain 2 pieces: network/host
* Special addresses
  - network address
  - broadcast address
* Address Classes
  - Classed addresses
  - Classless addresses: CIDR
* Reserved addresses
  - RFC 1918

Address Allocation

Historically, all allocation of IP addresses was done by assigning an organization one or more class A, B, or C networks as defined in the following table. (Note that "Class D multicast" and "Class E experimental" are shown in the table for completeness, but their use is not described here.)

  Class   First Octet Value   Default Netmask
  A       1-126               255.0.0.0
  B       128-191             255.255.0.0
  C       192-223             255.255.255.0
  D       224-239             255.255.255.255
  E       240-254

The ad-hoc allocation of IP addresses strictly by classes often led to great inefficiencies (particularly in route aggregation). Today, address allocation is done in a much more controlled and flexible fashion known as CIDR and described in RFC 1518 and RFC 1519.

Private Addresses

To ease deployments of private IP networks and to prevent address collisions, the following IP netblocks (which are not globally routed) are reserved for private use: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. RFC 1918 describes the use of these netblocks.

Transport Protocols

Very few applications transmit data in bare IP packets. Instead, most applications rely on one of the transport layer protocols. Many transport layer protocols have been implemented to run over IP. The two most common are TCP and UDP.

TCP provides a connection oriented, reliable connection. TCP is useful when data integrity is important, because packets are acknowledged and any dropped or missing packets are re-transmitted. Several popular application layer protocols such as FTP, HTTP, and SMTP use TCP as their transport.
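The subnet-mask arithmetic described under "Understanding IP Addresses" and the RFC 1918 netblocks above can be worked through in a few shell functions. The following is an added example written for this chapter, not course material: it computes network and broadcast addresses from an address and prefix length, converts between dotted-quad masks and prefix lengths (rejecting non-contiguous masks), and tests whether an address is private. All addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the course text: IPv4 prefix arithmetic in POSIX sh.
# The subnet mask splits an address into network and host bits; the network
# address has the host bits all zero, the broadcast address has them all one,
# and the RFC 1918 ranges are just three prefixes to test against.
# All inputs below are constructed sample values.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> mask as integer, e.g. 24 -> 0xFFFFFF00.
plen2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Dotted-quad mask -> prefix length; fails (status 1) if the mask is not
# a contiguous run of ones, which is the only shape CIDR permits.
mask2plen() {
    m=$(ip2int "$1"); n=0; bits=$m
    while [ "$bits" -ne 0 ]; do
        n=$(( n + (bits & 1) )); bits=$(( bits >> 1 ))
    done
    [ "$(plen2mask "$n")" -eq "$m" ] || return 1
    echo "$n"
}

# Network address: keep the network bits, zero the host bits.
network_of() {
    int2ip $(( $(ip2int "$1") & $(plen2mask "$2") ))
}

# Broadcast address: keep the network bits, set every host bit.
broadcast_of() {
    int2ip $(( $(ip2int "$1") | (~$(plen2mask "$2") & 4294967295) ))
}

# Two addresses are on the same logical network when they share a prefix.
same_network() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# RFC 1918: true when the address falls inside one of the private netblocks.
is_private() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if [ "$(network_of "$1" "${block#*/}")" = "${block%/*}" ]; then
            return 0
        fi
    done
    return 1
}

# Demonstration run over constructed addresses.
for spec in 10.100.0.77/24 172.31.5.9/12 198.51.100.20/28; do
    addr=${spec%/*}; plen=${spec#*/}
    printf '%-18s network %-15s broadcast %-15s mask %-15s private=%s\n' \
        "$spec" "$(network_of "$addr" "$plen")" "$(broadcast_of "$addr" "$plen")" \
        "$(int2ip "$(plen2mask "$plen")")" "$(is_private "$addr" && echo yes || echo no)"
done
```

The functions use only POSIX shell arithmetic (bit shifts, AND, OR, NOT) so they run under dash as well as bash; the 4294967295 mask keeps every intermediate result inside 32 bits.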
UDP is a lightweight, connectionless protocol useful for situations where data integrity isn't required at the transport layer. Application layer protocols may still provide reliable data delivery over UDP, or may not require reliable delivery at all for their operation. Application layer protocols that make use of UDP include TFTP, NTP, and DHCP.

Multiple TCP/IP Connections

To allow multiplexing more than one TCP/UDP connection per source/destination IP address pair, both TCP and UDP use port numbers to provide a transport layer address that defines the endpoint for each connection. Ports are 16 bit numbers usually expressed in decimal.

Certain ports are reserved for specific application protocols. Linux systems have the /etc/services file that will help identify most of the commonly used ports. A UNIX tradition is that these reserved ports are only usable by the root or superuser.

TCP/UDP Fundamentals
* TCP basics
  - Connection oriented
  - Reliable
  - 20 byte header
* UDP basics
  - Connectionless
  - Stateless
  - Lightweight
  - 8 byte header
* System Services
  - /etc/services

The following table shows a few of the reserved ports and their corresponding services:

  Protocol/Port     Service
  TCP 20            FTP-Data
  TCP 21            FTP-Control
  TCP 22            SSH
  TCP 23            Telnet
  TCP 25, 465       SMTP, SSMTP (email)
  UDP 53            DNS (name resolution)
  TCP 80, 443       HTTP, HTTPS (web)
  TCP 110, 995      POP3, POP3S (email)
  TCP 119           NNTP (news)
  UDP 139           NetBIOS
  TCP 143, 993      IMAP, IMAPS (email)
  UDP 161           SNMP

Linux Network Interfaces

The Linux operating system (and other Unix variants as well) handles networking through virtual devices called interfaces. For most practical purposes, an interface is a network connection, such as a connection to an Ethernet network, or a modem connection, such as one negotiated using PPP or SLIP. Keep in mind that several interfaces can be bound to any single physical networking device. This is done through the creation of "virtual interfaces." Virtual interfaces are useful in many situations.
For example, if a system is hosting several websites, each with its own IP address, the system can be configured with several virtual interfaces all accepting traffic destined for different IP addresses. The system can accomplish this with only one physical network connection and several network interfaces bound to the Ethernet connection.

Linux Network Interface Naming

Interface devices are assigned names based on the type of network connection with which they are associated. Ethernet interface names begin with eth and are followed with a number, starting from zero, which represents the instance of that device in the machine. Thus, eth0 is the name of the first Ethernet interface, eth1 is the name of the second Ethernet interface, ppp3 is the name of the fourth PPP interface, slip0 is the first SLIP interface, isdn1 is the second ISDN interface, tr0 is the first Token Ring adapter, and fddi0 is the first FDDI adapter.

Local Loopback Interface

The loopback interface (lo) is a special network interface that points back to the machine itself. This interface is useful for testing that basic networking is working, without actually testing physical connections to remote networks. It is also often useful when testing client-server IP applications (such as a web server), since it means the test machine will always have an IP address which can be used for testing. Some applications also regularly use the localhost address (on the loopback interface) to talk to other applications on the local system. One common example is when a daemon wants to send email and connects to the MTA through the loopback interface. The loopback interface is assigned all IP addresses in the 127.0.0.0/8 netblock, though typically it is represented as having the host address 127.0.0.1.
Some other non-Linux operating systems only bind 127.0.0.1 to the loopback interface, though the relevant RFCs mandate that all of the 127.0.0.0/8 netblock be bound to loopback.

ethtool

The main Ethernet configuration tool, ethtool, displays and configures network card settings. Commonly configured options include speed, duplex, and flow control. ethtool also supports many advanced settings such as auto-negotiation, TCP Segmentation Offloading, and Wake-on-LAN. A list of available options is available by running ethtool without any parameters.

To display current settings on an interface, execute ethtool with the name of the interface:

# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        ... snip ...
        Wake-on: g
        Current message level:
        Link detected: yes

Ethernet Hardware Tools
* ethtool
  - Replaces legacy mii-tool
  - Enhanced functionality specific to Ethernet hardware
  - Display and configure Ethernet interface settings
* Display available options: ethtool (with no parameters)
* Display settings on interface: ethtool eth0
* Configure basic settings: ethtool -s eth0 option value

Setting Speed and Duplex

Basic changes are made using the -s option. The following configures the interface's speed to 100 Mb full duplex and turns off autonegotiation:

# ethtool -s eth0 speed 100 duplex full autoneg off

Settings will be lost when the interface is reloaded. ethtool options can be made persistent by using the ETHTOOL_OPTS setting in the interface configuration file.

Driver Information

Another interesting ethtool option is -i. This is used to show which driver is handling an interface:

# ethtool -i eth0
driver: e1000
version: 7.
Physically Locating a NIC

On multihomed systems, it can be difficult to map Ethernet devices to their physical ports. The ethtool command has the -p option, which will cause the link light of the Ethernet device to blink. However, use caution with this option: it may cause the NIC to disconnect from the network while ethtool is running.

Examining and Controlling Ethernet Hardware Properties

The more powerful ethtool replaces the older mii-tool. Some older network cards have better support in mii-tool, but most drivers have now been ported to ethtool.

# mii-tool
eth0: negotiated 100baseTx-FD, link ok
eth1: negotiated 100baseTx-FD, link ok
eth2: negotiated 100baseTx-FD flow-control, link ok

The ip Command

The iproute2 package provides utilities to facilitate advanced network configuration. The ip command is the primary tool, allowing administrators to configure network links, network interfaces, routing tables, routing policies, ARP tables, and network tunnels. Comprehensive documentation on using this powerful tool can be found at http://policyrouting.org/iproute2.doc.html. Also, the Linux Advanced Routing HOWTO shows many cookbook examples, available at http://lartc.org/.

ifconfig, route, and other networking commands provided by the legacy net-tools package are being replaced by the ip command in most network management scripts, because ip is far more powerful and flexible.

A PostScript version of the IP Command Reference (ip-cref) file can be found at: /usr/share/doc/iproute-version/ip-cref.ps

Configuring Network Interfaces

To view the current state and basic configuration of all interfaces, run:

$ ip addr show

This is similar to ifconfig -a. Add the interface name as a final argument to get a specific interface's information.
If only the link state of eth0 is desired, run:

$ ip link show eth0

Network Configuration with ip Command
* Interface configuration (replaces ifconfig)
  - ip addr
* Routing tables (replaces route)
  - ip route
  - Can configure routing policies as well
* ARP tables (replaces arp)
  - ip neigh
* Can create GRE IP tunnels and configure multicasting
* Traffic Control engine (tc)
  - Controls bandwidth utilization via QoS

Traditionally, configuring an interface with the ifconfig command required the device as the first argument, followed by the IP address, and optionally the netmask. If the netmask is not specified, ifconfig uses the natural (classful) mask. The following configures the interface, then brings it down again:

# ifconfig eth0 10.100.2.4 netmask 255.255.255.0
# ifconfig eth0 down

The current way to define IP properties and activate the network interface is to use the ip command, which takes the prefix length together with the address instead of a separate netmask argument. For example:

# ip link set eth0 up
# ip addr add 10.100.2.4/24 dev eth0

The tc Command

The tc command provides the ability to implement bandwidth management policies on Linux routers. For example, it is possible to set up class-based queuing (CBQ), where bandwidth can be allocated to traffic based on criteria such as the source or type of traffic, or the packet TOS flags. tc makes it possible for Linux routers to implement RED (Random Early Detection), an algorithm designed to lessen congestion on backbone links.

Configuring Routing Tables

Routing tables determine which network interface and next hop network packets will use to get to their destination. On a typical Linux system, for example, a default route would be set up for the eth0 interface so that all outgoing network traffic destined for other hosts would be handled by a gateway system on the local Ethernet network:

# ip route add default via 192.168.1.1

The route argument to the ip command is especially useful if a Linux system has multiple physical network connections and is acting as a router. However, most hosts rely on a default gateway.
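The kernel chooses between the entries of a routing table by longest-prefix match: every entry whose prefix covers the destination is a candidate, and the most specific one wins, with "default" (0.0.0.0/0) matching everything and therefore losing to any other match. The script below is an added illustration of that selection, not course material or iproute2 code: it takes a routing table in `ip route` output format (a constructed sample modelled on the three-route example in this section) and reports which entry carries a given destination.

```shell
#!/bin/sh
# Added example, not from the course text: how the kernel picks a route.
# Each destination is matched against every entry and the longest matching
# prefix wins; "default" is 0.0.0.0/0, the least specific of all, and
# unreachable/prohibit entries are routes that deliberately reject traffic.
# The table below is a constructed sample, not real `ip route` output.

ROUTES='default via 10.70.1.1 dev eth1
10.100.0.0/24 dev eth0 proto kernel scope link src 10.100.0.4
10.70.1.0/24 dev eth1 proto kernel scope link src 10.70.1.25
unreachable 192.168.0.0/16'

ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

plen2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# route_lookup DEST [TABLE] -> "dev IFACE", "dev IFACE via GW", the reject
# type ("unreachable", ...), or "no route". TABLE defaults to $ROUTES.
route_lookup() {
    dst=$(ip2int "$1"); table=${2:-$ROUTES}
    best=-1; answer="no route"
    while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        type=unicast
        case $1 in
            unreachable|prohibit|blackhole) type=$1; shift ;;
        esac
        case $1 in
            default) prefix=0.0.0.0; plen=0 ;;
            */*)     prefix=${1%/*}; plen=${1#*/} ;;
            *)       prefix=$1; plen=32 ;;        # bare address = host route
        esac
        shift
        via=""; dev=""
        while [ $# -gt 0 ]; do
            case $1 in
                via) via=$2; shift ;;
                dev) dev=$2; shift ;;
            esac
            shift
        done
        mask=$(plen2mask "$plen")
        # Candidate if the destination shares this entry's network prefix,
        # and it replaces the current answer only if it is more specific.
        if [ $(( dst & mask )) -eq $(( $(ip2int "$prefix") & mask )) ] \
           && [ "$plen" -gt "$best" ]; then
            best=$plen
            if [ "$type" = unicast ]; then
                answer="dev $dev${via:+ via $via}"
            else
                answer=$type
            fi
        fi
    done <<EOF
$table
EOF
    echo "$answer"
}

for d in 10.100.0.200 10.70.1.9 192.168.5.5 8.8.8.8; do
    printf '%-14s -> %s\n' "$d" "$(route_lookup "$d")"
done
```

Running it shows the behaviour the text describes for its example table: a 10.100.0.x destination leaves through eth0, a 192.168.x.x destination is rejected even though the default route would also match it, and everything else goes to the gateway 10.70.1.1 on eth1. The real kernel also honours route metrics and policy rules, which this illustration leaves out.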
The ip route command syntax is similar to the legacy route command, and is typically used by other configuration facilities and scripts in modern Linux distributions.

All entries in the routing table can be listed by running ip route. Similarly, the netstat -r command can be used to display the current routing table. The -n option is often used to turn off name resolution and just display IP addresses. For example:

Configuring Routing Tables
* ip route: tool for runtime management of network routing tables
* Adding routes
  - # ip route add 192.1...
  - # ip route add 10.10...
* Deleting routes
  - # ip route del default
* List routes
  - # ip route
  - # netstat -rn

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.100.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     -               255.255.0.0     !         0 -          0 -
0.0.0.0         10.70.1.1       0.0.0.0         UG        0 0          0 eth1
$ ip route
10.100.0.0/24 dev eth0  proto kernel  scope link
prohibit 192.168.0.0/16
default via 10.70.1.1 dev eth1  proto static

The previous example output shows that the kernel will route traffic destined for the 10.100.0.0/24 network through interface eth0, all traffic destined for the 192.168.0.0/16 network will be rejected, and all other unmatched traffic will be sent through interface eth1 to the gateway at 10.70.1.1.

Setting the Default Gateway on Red Hat Enterprise Linux

The file for specifying a persistent default gateway is the /etc/sysconfig/network file. The default gateway can be specified by adding a line to the file:

File: /etc/sysconfig/network
+ GATEWAY=X.X.X.X

Replace X.X.X.X with the IP address of the default gateway.

Persistent Static Routes on Red Hat Enterprise Linux

To define static routes that persist across a reboot, create a separate file for each network interface:

/etc/sysconfig/network-scripts/route-interfacename

One of two alternative syntaxes can be used in this file. The preferred syntax uses the format ADDRESSn=network where n starts at zero and is incremented for each additional route.
For example, the following edit will create a route to the 192.168.2.0/24 network via the next hop 10.2.3.200 reachable via the eth0 interface:

File: /etc/sysconfig/network-scripts/route-eth0
+ ADDRESS0=192.168.2.0
+ NETMASK0=255.255.255.0
+ GATEWAY0=10.2.3.200

Alternatively, a deprecated syntax can be used where each line should be the arguments that are passed to the /sbin/ip route add command. To set up a static route equivalent to the previous example, the deprecated syntax would be:

File: /etc/sysconfig/network-scripts/route-eth0
+ 192.168.2.0/24 via 10.2.3.200

For more information, see the file /usr/share/doc/initscripts-*/sysconfig.txt.

Examining and Manipulating the ARP Cache

Nearly all IP-enabled operating systems have methods for examining the ARP table. On Windows and Linux, one method is to use the arp command at a shell prompt. To view the contents of a host's ARP table, use the -a option. Only hosts contacted recently will be in the table. By default:

# arp -a
station10.example.com (10.100.0.16) at 00:1b:21:24:f9:35 [ether] on eth0
# ip neigh
10.100.0.16 dev eth0 lladdr 00:1b:21:24:f9:35 STALE
10.100.0.254 dev eth0 lladdr 00:1b:21:5a:ea:ee REACHABLE

With the ip command, if name resolution is desired, use the -r option; otherwise results are unresolved. The following shows manually removing 10.100.0.3 and adding 10.100.0.7 (hardware address 00:01:03:D8:57:09):

# arp -d 10.100.0.3
# arp -s 10.100.0.7 00:01:03:D8:57:09

IP to MAC Address Mapping with ARP
* IP packets are routed to destinations based on IP network address
* Delivery of Ethernet frames is done by datalink or media access control (MAC) address
* ARP maps network addresses to hardware addresses
  - IP address -> Ethernet MAC
* RARP maps hardware addresses to network addresses
  - Ethernet MAC -> IP address
* ARP Normal Operation:
  - hostA sends a network broadcast ARP request for hostB
  - hostB sends a unicast ARP reply answer back to hostA
  - Both hosts then maintain local ARP caches with learned
    mappings

The equivalent operations with the ip command:

# ip neigh del 10.100.0.3 dev eth0
# ip neigh add 10.100.0.7 lladdr 00:01:03:D8:57:09 dev eth0

ARP mappings can also be stored in a file and loaded using the -f option. The default file used is /etc/ethers, but an alternate filename can be used if desired:

# arp -f arp_mappings_file

Controlling Linux Network Interfaces

Taking network interfaces up and down is a common system administration task. As described previously, the ip command (or the ifconfig command, where available) can be used to do this in Linux. One drawback to using ip is that it requires knowledge of all the specific parameters, such as the IP address and subnet mask, with which that interface was first configured.

Modern Linux distributions include ifup and ifdown scripts which automate most of the initial configuration required before bringing an interface up. These scripts read the system configuration files in /etc/sysconfig/ to determine preset parameters such as the interface's IP address(es). Once these configuration files exist, interfaces can be enabled by ifup interface-name, and disabled by ifdown interface-name. ifup and ifdown are shell scripts which look at the system configuration files and carry out appropriate ip commands based on the contents of those configuration files.

User Control of Network Interfaces on RHEL5 Systems

If the ifcfg-XX file contains the entry USERCTL=yes then normal users will be able to use the ifup and ifdown commands on that interface.

RHEL5 Interface Configuration Files

The /etc/sysconfig/network-scripts directory contains network interface configuration files named after their corresponding interfaces, such as: ifcfg-eth0, ifcfg-eth1, ifcfg-ppp0.
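Because ARP caches are populated from unauthenticated replies, an administrator reviewing `ip neigh` output wants to know when a cached mapping changes or when one hardware address answers for several IP addresses, and whether the cache still agrees with the static mappings kept in /etc/ethers. The script below is an added example for the ARP section, not course material: it runs those three checks over two constructed `ip neigh show` snapshots and a constructed /etc/ethers file (no real addresses are involved).

```shell
#!/bin/sh
# Added example, not from the course text: sanity checks over the ARP cache.
# Compares two snapshots of `ip neigh show` (did an IP's hardware address
# change?), looks for one MAC answering for several IPs, and checks the
# cache against the expected mappings in /etc/ethers.
# All three inputs below are constructed samples, not real captures.

NEIGH_BEFORE='10.100.0.254 dev eth0 lladdr 00:1b:21:5a:ea:ee REACHABLE
10.100.0.16 dev eth0 lladdr 00:1b:21:24:f9:35 STALE
10.100.0.3 dev eth0 lladdr 00:0c:29:11:22:33 REACHABLE'

NEIGH_AFTER='10.100.0.254 dev eth0 lladdr 00:0c:29:11:22:33 REACHABLE
10.100.0.16 dev eth0 lladdr 00:1b:21:24:f9:35 STALE
10.100.0.3 dev eth0 lladdr 00:0c:29:11:22:33 REACHABLE
10.100.0.40 dev eth0 FAILED'

# /etc/ethers format: hardware address, then hostname or IP address.
ETHERS='00:1b:21:5a:ea:ee 10.100.0.254
00:1b:21:24:f9:35 10.100.0.16'

# Tag each line of two inputs (A then B) so one awk pass can tell them apart.
tag_two() {
    printf '%s\n' "$1" | sed 's/^/A /'
    printf '%s\n' "$2" | sed 's/^/B /'
}

# changed_macs BEFORE AFTER -> "IP old_mac new_mac" for every IP whose
# hardware address differs between the snapshots. Entries without an
# lladdr (FAILED, INCOMPLETE) carry no address and are skipped.
changed_macs() {
    tag_two "$1" "$2" | awk '
        $5 == "lladdr" && $1 == "A" { old[$2] = $6 }
        $5 == "lladdr" && $1 == "B" && ($2 in old) && old[$2] != $6 {
            print $2, old[$2], $6
        }'
}

# shared_macs SNAPSHOT -> "mac: ip ip ..." for MACs seen behind more than
# one IP. Legitimate for a router holding several addresses, so this is a
# lead to investigate rather than proof of anything.
shared_macs() {
    printf '%s\n' "$1" | awk '
        $4 == "lladdr" { n[$5]++; ips[$5] = ips[$5] " " $1 }
        END { for (m in n) if (n[m] > 1) print m ":" ips[m] }'
}

# ethers_mismatch ETHERS SNAPSHOT -> IPs whose cached MAC disagrees with
# the static mapping in /etc/ethers.
ethers_mismatch() {
    tag_two "$1" "$2" | awk '
        $1 == "A" { want[$3] = $2 }
        $1 == "B" && $5 == "lladdr" && ($2 in want) && want[$2] != $6 {
            print $2, "expected", want[$2], "seen", $6
        }'
}

echo "== MAC changes between snapshots =="; changed_macs "$NEIGH_BEFORE" "$NEIGH_AFTER"
echo "== one MAC behind several IPs ==";    shared_macs "$NEIGH_AFTER"
echo "== disagreement with /etc/ethers =="; ethers_mismatch "$ETHERS" "$NEIGH_AFTER"
```

In the constructed data the gateway 10.100.0.254 acquires the hardware address already used by 10.100.0.3, so all three checks report it. On a real host the snapshots would come from `ip neigh show` run at two points in time, and the mismatch check only covers the hosts an administrator has chosen to pin in /etc/ethers.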
Starting and Stopping Interfaces
* Manually
  - Using ip: ip link set eth0 down
* Using persistent configuration files
  - /etc/init.d/network: global init script
  - RHEL5 interface settings file: /etc/sysconfig/network-scripts/ifcfg-eth0

An interface (in this example, eth1) under DHCP control will have a configuration file with the contents:

An example interface that is statically configured and turning off Ethernet auto-negotiation would have the following contents (the IP address in the original listing is illegible; 10.100.0.8 below stands in for it):

File: /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.100.0.8
ETHTOOL_OPTS="speed 100 duplex full autoneg off"

With the configuration file created, the interface can be activated using ifup interface-name and deactivated with ifdown interface-name.

The HWADDR variable is what binds that configuration to the NIC. It will also cause the interface to be renamed to what is set in the DEVICE variable if it differs.

NetworkManager

NetworkManager was introduced by GNOME to dynamically detect and configure network connections. The capability is especially useful to wireless and laptop users. NetworkManager works in GNOME by loading nm-applet.

With Red Hat Enterprise Linux, the use of NetworkManager conflicts with the traditional interface configuration scripts. Disable NetworkManager with chkconfig NetworkManager off. The network scripts can be disabled with chkconfig network off. Alternatively, NetworkManager can be disabled on a per interface basis by adding NM_CONTROLLED="no" to the appropriate ifcfg file.

A GUI networking tool can configure individual connections with the nm-connection-editor. Typically accessed through the System, Preferences menu of the GNOME panel, the nm-connection-editor GUI tool can be used for everything from defining DNS settings and
PPP connections to IPSec VPN tunnels and WiFi settings.

nm-tool

NetworkManager includes the nm-tool command which will print information about each of the managed network interfaces and visible wireless APs:

$ nm-tool

NetworkManager Tool

State: connected

- Device: eth0  [System eth0] ----------------------------------------------
  Type:              Wired
  Driver:            e1000e
  State:             connected
  Default:           yes
  HW Address:

  Capabilities:
    Carrier Detect:  yes
    Speed:

  Wired Properties
    Carrier:         on

  IPv4 Settings:
    Address:         192.168.32.19
    Prefix:          24 (255.255.255.0)
    Gateway:         192.168.32.254

NetworkManager Tools
* nm-applet
* nm-tool
* RHEL6 GUI: nm-connection-editor
* /etc/init.d/NetworkManager
* NetworkManagerDispatcher
  - /etc/NetworkManager/dispatcher.d

NetworkManager Dispatcher

NetworkManager supports an interface that allows a script to be placed in /etc/NetworkManager/dispatcher.d to configure environmental settings when an interface is brought up, or down. Two positional arguments are passed to the script: ($1) the name of the network interface and ($2) the action, either up or down. The following will signal Postfix to attempt immediate redelivery of mail when any interface comes up:

Configuring the DNS Resolver

Users of GNU/Linux systems on a network can use IP addresses (such as 192.168.5.55) to interact with other network systems, but generally people work better when they can associate names with network nodes. To establish associations between hostnames and raw IP addresses, a network domain name server (DNS) can be used, or hosts databases can be used.

If a name server is used, then a domain database is set up on the name server, and network clients query the name server for information about hostnames. The clients know which systems are name servers by settings in the /etc/resolv.conf file. There can be a maximum of three nameserver entries defined in the file. Extra entries are ignored.
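The two client-side sources of name information mentioned here, /etc/resolv.conf (name servers plus a search list used to complete short names) and the hosts database, can be modelled with a few shell functions. The script below is an added example, not course material: it applies the three-nameserver limit, expands a short name through the search domains in the order the resolver tries them, and looks names and aliases up in a hosts table. Both files are constructed samples in the real formats, not copies of any system's files.

```shell
#!/bin/sh
# Added example, not from the course text: how a client turns a name into an
# address from resolv.conf (name servers, search list) and /etc/hosts
# (static table of address, canonical name, aliases).
# Both files below are constructed samples, not real configuration.

RESOLV_CONF='# constructed resolver configuration
search gurulabs.com example.com
nameserver 192.168.2.12
nameserver 192.168.2.13
nameserver 192.168.2.14
nameserver 192.168.2.15'

HOSTS='127.0.0.1     localhost.localdomain localhost
10.100.0.4    station1.example.com station1
192.168.2.5   fun.gurulabs.com fun mail   # alias "mail" for the MTA host
192.168.2.6   picard.gurulabs.com picard'

# Name servers the resolver will actually use: at most three, in file order.
active_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && n < 3 { print $2; n++ }'
}

# Names the resolver tries for a given name: a dot-less name gets each
# search domain appended in order and is tried bare last; a name that
# already contains a dot is tried as-is first (the resolver default, ndots:1).
search_candidates() {
    name=$1
    domains=$(printf '%s\n' "$2" | awk '$1 == "search" { $1 = ""; print; exit }')
    case $name in
        *.*) echo "$name"; for d in $domains; do echo "$name.$d"; done ;;
        *)   for d in $domains; do echo "$name.$d"; done; echo "$name" ;;
    esac
}

# hosts_lookup NAME HOSTS -> address whose canonical name or alias is NAME.
hosts_lookup() {
    printf '%s\n' "$2" | awk -v name="$1" '
        { sub(/#.*/, "") }                  # strip comments
        NF >= 2 {
            for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit }
        }'
}

# resolve_local NAME HOSTS RESOLV -> the first hosts-table hit among the
# candidates, which is what the "hosts" step of name resolution yields
# before any DNS query is sent. Prints nothing (status 1) if none matches.
resolve_local() {
    for cand in $(search_candidates "$1" "$3"); do
        addr=$(hosts_lookup "$cand" "$2")
        if [ -n "$addr" ]; then echo "$addr"; return 0; fi
    done
    return 1
}

echo "active name servers:"; active_nameservers "$RESOLV_CONF"
echo "candidates for 'picard':"; search_candidates picard "$RESOLV_CONF"
echo "picard -> $(resolve_local picard "$HOSTS" "$RESOLV_CONF")"
echo "mail   -> $(resolve_local mail "$HOSTS" "$RESOLV_CONF")"
```

The fourth nameserver line in the sample is silently dropped, which is exactly the "extra entries are ignored" behaviour described above; the candidate list also makes visible why a short name can resolve to a host in a neighbouring search domain when the intended domain has no such entry.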
A simpler way of setting up relationships between hostnames and IP addresses is to build a system hosts file on every machine which contains listings of IP addresses, their associated hostnames and aliases. This approach works well, but keeping hosts files synchronized on all clients on the network can become tedious as the network grows. On Linux, this host file is called /etc/hosts and typically looks something like:

# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
10.100.0.4  station1.example.com station1

/etc/hosts lists IP addresses and associated host names and aliases; for example, this hosts file associates the host name station1.example.com and the alias station1 with the IP address 10.100.0.4.

DNS Clients
* /etc/resolv.conf
  - Identifies name servers and name resolution options
      search gurulabs.com example.com
      nameserver 192.168.2.12
      nameserver 192.168.2.13
* /etc/hosts
  - Identifies hostnames and aliases with IP addresses
  - Is not propagated to other machines
      192.168.2.5 fun.gurulabs.com fun mail
      192.168.2.6 picard.gurulabs.com picard

DHCP Interaction

Normally, when using DHCP on a network interface, the /etc/resolv.conf file is rewritten using the name servers specified in the DHCP response. To prevent the DHCP server from updating /etc/resolv.conf, add the line PEERDNS=no to the interface configuration file as shown in this example file:

File: /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
+ PEERDNS=no

It is also possible to prevent the system's NTP servers and NIS servers and domains from being changed by DHCP:

File: /etc/sysconfig/network-scripts/ifcfg-eth0
+ PEERNTP=no
+ PEERNIS=no

DHCP Client

Historically, DHCP has been a slightly non-standard protocol. Although DHCP is thoroughly specified in relevant RFCs, many vendor implementations of DHCP have been quite buggy, and have been picky regarding the client cards which they support.
Furthermore, different vendor DHCP servers have failed to work with different client NICs and client software, making deployment of DHCP in the enterprise much trickier than necessary.

Initially the only open-source DHCP Unix client available was dhcpcd, produced by the Internet Software Consortium. The Internet Software Consortium rewrote their DHCP client to support more hardware and offer more features. The dhclient command is the new DHCP reference client.

The dhclient utility can optionally use a configuration file. In the configuration file, timers can be adjusted, and other aspects of the DHCP handshake, including Dynamic DNS settings. Red Hat Enterprise Linux does not include the dhcpcd command.

Lease Files

Once a lease has been obtained, the DHCP client stores the lease information in a file on the filesystem. On Red Hat Enterprise Linux, the lease file is stored in /var/lib/dhclient/dhclient-ethX.leases

DHCP Client
* DHCP client choice varies between distributions
  - On Red Hat Enterprise Linux, dhclient is provided by the dhclient package
  - The installer for RHEL5 uses pump
* dhclient: DHCP client on RHEL5
  - Internet Software Consortium reference DHCP client
  - Supports Dynamic DNS updates

The dhclient daemon also provides the ability to script actions to be executed when a lease has been obtained. This is used to do things like automatically POP email whenever a network connection becomes available, or launch VPN establishment scripts. For example, the following script ensures that gurulabs.com is always in the DNS search domain:

File: /etc/dhcp/dhclient-exit-hooks
#!/bin/sh
# Append gurulabs.com to the search list if the DHCP-supplied one lacks it.
grep search /etc/resolv.conf | grep -q gurulabs.com
if [ $? -ne 0 ]; then
    sed -i 's/search /search gurulabs.com /g' /etc/resolv.conf
fi

On Red Hat Enterprise Linux, the files /etc/
dhcp/dhclient-enter-hooks and /etc/dhcp/dhclient-exit-hooks can be used to run scripts before and after address lease and renewal for extra processing.

system-config-network{tui,cmd}
* system-config-network
  - Configures basic networking
  - Scriptable method with system-config-network-cmd for network configuration
  - Default ncurses interface

Network Configuration

Red Hat Enterprise Linux 6 defaults to using NetworkManager for its network configuration. However, the system-config-network tools can still be used to maintain many of the network configuration files. A GUI interface is no longer supported: system-config-network defaults to its TUI ncurses interface.

The system-config-network-cmd Tool

The system-config-network-cmd command is a non-interactive utility for configuring networking settings. It can also be used to create and switch between network profiles. Because of its non-interactive nature, it is most useful for scripting configuration of networking:

# TMPFILE=$(mktemp)
# echo "DeviceList.Ethernet.eth0.Netmask=255.255.255.0" >> $TMPFILE
# echo "DeviceList.Ethernet.eth0.IP=10.100.0.77" >> $TMPFILE
# system-config-network-cmd -i -f $TMPFILE
# rm -f $TMPFILE

You must restart the interface for changes to take effect.

Network Diagnostics
* IPv4 connectivity testing
  - ping, traceroute, tracepath, mtr
* Hostname and DNS testing
  - dig, host, hostname
* Probing for unused addresses
  - arping

IPv4 Connectivity Testing

The ping utility is useful for sending ICMP echo request packets to hosts. Any host which receives an ICMP echo request will normally reply with an ICMP echo response. This fact makes ping useful for testing connectivity between hosts. In addition, the time elapsed between echo request and echo reply can be used to gauge the speed of the connection between the two hosts.

The traceroute utility generates UDP probe packets, to hopefully unused ports, with increasingly larger TTL values.
The goal is that each probe packet will be discarded by intermediate routers as the TTL decrements to zero. The resulting "ICMP time exceeded in-transit" error datagrams will identify the IP of each intermediate router in turn. The output shows the name, IP, and amount of time it took each reply message to arrive. The times can help identify where network problems are occurring by revealing route hops with excessive latency. The following example shows typical traceroute output:

$ traceroute www.google.com
traceroute to www.google.com (74.125.19.147), 30 hops max, 40 byte packets
 1  fw-devnet-dmz.gurulabs.com (10.2.13.1)  0.278 ms  0.266 ms  0.273 ms
 2  fw-int.gurulabs.com (10.1.0.1)  0.251 ms  0.256 ms  0.243 ms
 3  tr.gurulabs.com (64.245.157.1)  0.879 ms  1.039 ms  1.013 ms
 ... snip ...
    209.85.249.34 (209.85.249.34)  44.734 ms  62.953 ms  46.366 ms
    nuq04s01-in-f147.1e100.net (74.125.19.147)  47.394 ms  41.763 ms  50.014 ms

tracepath is a similar, but simpler, utility available on some hosts that also displays the path MTU.

mtr is a specialized traceroute-like utility that sends ICMP Echo messages encapsulated in IP packets with increasing TTLs. As with traceroute, the ICMP time exceeded messages sent as packets are dropped are used to identify and measure latency to all intermediate routers. mtr can output results in many formats including a real-time updating display (default). The following example shows generating a simple report (the timing columns of the original listing are illegible and omitted):

$ mtr --report -c 5 google.com
HOST: station15.example.com              Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. server.example.com
  2. classes-fw.gurulabs.com
  3. fw-int.gurulabs.com
  ... snip ...
     209.85.251.94
     nuq04s01-in-f99.1e100.net

Hostname and DNS Testing

The host and DNS domain name associated with the system can be seen with the hostname command. Common options include:
  -f  Fully Qualified Domain Name (FQDN); for example loki.gurulabs.com
  -s  short name only; for example loki
  -d  DNS domain name only; for example gurulabs.com

Use dig and host to query domain name servers about hostnames (and IP addresses).
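The text notes that traceroute's per-hop times reveal where latency is introduced. The script below, an added example rather than course material, makes that reading mechanical: it averages the three round-trip times on each hop line, reports hops whose average exceeds the previous responding hop's by more than a threshold, and checks that the final hop answered from the target address in the header. The trace it works on is a constructed sample in traceroute's output format with invented names and addresses.

```shell
#!/bin/sh
# Added example, not from the course text: reading traceroute output for
# the latency pattern described in this section. Each hop line carries three
# round-trip times; the jump in average RTT from the previous responding hop
# points at the link where delay is introduced.
# TRACE is a constructed sample in traceroute's format, not a real trace.

TRACE='traceroute to www.example.com (203.0.113.147), 30 hops max, 40 byte packets
 1  fw-dmz.example.com (10.2.13.1)  0.278 ms  0.266 ms  0.273 ms
 2  fw-int.example.com (10.1.0.1)  0.251 ms  0.256 ms  0.243 ms
 3  tr.example.com (198.51.100.1)  0.879 ms  1.039 ms  1.013 ms
 4  * * *
 5  198.51.100.34 (198.51.100.34)  44.734 ms  62.953 ms  46.366 ms
 6  www.example.com (203.0.113.147)  47.394 ms  41.763 ms  50.014 ms'

# hop_latency TRACE -> "hop avg_ms" per hop; "-" when every probe timed out.
hop_latency() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            sum = 0; n = 0
            for (i = 2; i <= NF; i++) if ($i == "ms") { sum += $(i - 1); n++ }
            if (n) printf "%d %.1f\n", $1, sum / n; else print $1, "-"
        }'
}

# latency_jumps THRESHOLD_MS TRACE -> hops whose average RTT exceeds that of
# the previous responding hop by more than THRESHOLD_MS, as "hop avg +delta".
# Silent hops (* * *) are skipped and do not reset the comparison.
latency_jumps() {
    hop_latency "$2" | awk -v thr="$1" '
        $2 == "-" { next }
        have && ($2 - prev) > thr { printf "%d %.1f +%.1f\n", $1, $2, $2 - prev }
        { prev = $2; have = 1 }'
}

# trace_reached TRACE -> "yes" if the last hop answered from the target
# address named in the header line, otherwise "no".
trace_reached() {
    printf '%s\n' "$1" | awk '
        /^traceroute to / { t = $4; gsub(/[(),]/, "", t); target = t }
        $1 ~ /^[0-9]+$/ {
            last = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^\(/) { last = $i; gsub(/[()]/, "", last) }
        }
        END { r = (last != "" && last == target) ? "yes" : "no"; print r }'
}

echo "per-hop average RTT:";         hop_latency "$TRACE"
echo "hops adding more than 20 ms:"; latency_jumps 20 "$TRACE"
echo "destination reached: $(trace_reached "$TRACE")"
```

In the sample the jump lands on hop 5, the first hop past the silent one, which is where a real investigation would start; a hop that times out entirely is not by itself a fault, since many routers simply do not answer probes.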
dig returns information in BIND zone file syntax by default, making it more friendly to BIND DNS administrators. It uses internal resolver routines and does not honor any domain or search options that may be configured in the /etc/resolv.conf file. The end of the output shows additional info such as what server responded to the query, when the query was made (datetime), and how long it took for the response to arrive.

The host command is designed to be more end-user friendly. By default it can make several queries in an attempt to return all information that may be related or relevant to the actual query made. It does honor settings found in the /etc/resolv.conf file and returns results in a much simpler and more terse format by default.

nslookup is deprecated in favor of the other two, more accurate, commands, and may not be included in the future.

$ dig www.google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18198
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         5588    IN      CNAME   www.l.google.com.
www.l.google.com.       287     IN      A       74.125.19.104
www.l.google.com.       287     IN      A       74.125.19.147
www.l.google.com.       287     IN      A       74.125.19.99
www.l.google.com.       287     IN      A       74.125.19.103

;; AUTHORITY SECTION:
google.com.             194825  IN      NS      ns1.google.com.
google.com.             194825  IN      NS      ns4.google.com.
google.com.             194825  IN      NS      ns2.google.com.
google.com.             194825  IN      NS      ns3.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         97922   IN      A       216.239.32.10
ns2.google.com.         97922   IN      A       216.239.34.10
ns3.google.com.         97922   IN      A       216.239.36.10
ns4.google.com.         97922   IN      A       216.239.38.10

;; Query time: 1 msec
;; SERVER: 10.100.0.254#53(10.100.0.254)
;; WHEN: Mon Apr 19 16:22:35 2010
;; MSG SIZE  rcvd: 252

$ host www.google.com
www.google.com is an alias for www.l.google.com.
googie.con has address 74.125.18.147 ‘wav. Lgoogle.con has address 74.125.19.99 ‘wiv. Lgoogle.con has address 74.125.19.103 twav.lgoogle.con has address 74.125.19.104 Probing for Froe Addresses ‘A variety of commends exist that can probe @ network segment so that you can determine what addresses are currently in use. This can be helpful if you have to temporary bring up @ host on a network segment, that doesrit use DHCP, and where you dont have easy access to the current IP allocation information. One procedure that could be used is 2s follows: 2To start, bring up your network interface without any address. x Select an address that you thnk i ftee and use. arping -D w.x.y-2 0 vetly that no other hosts are currently using the address. Repeat until a free address is found. Initialize your network interface with the discovered address. Use naap -sP to send ICMP echo-request probes and discover the full ist of addresses in use. (Remember that some hosts may not respond to ping probes). Example netstat Usage 4 netstat -rm Kernel IP routing table Destination Gateway ‘Gennask 2881771410 6.0.0.8 255. 255.255. 208.177.181.8 8.9.8. 255.255.255. 255. 255.255. 10.268.1.6 +1 255.255.255. 192.168.32.8 255.255.2551 esnips se f netstat -ape Active Internet connections (servers and est Information from netstat and ss netstat can be used to print network connections, routing tables, Interface static, and manquersded connections en vow to fourng tabla Blow pect ste 2 Testa TCP connections ond stoi {7 Ista UDP ‘connections and stoning pots 1 Tape ist TCP. UDP. and UNDC socket connections and ther dtodd sate, user and program Bo / name isan altemative from the ipcoute? package * Syax's dacovebie to detstat eos 1 Sow the doaut route inom) 1 Seresove names, Flags MSS Window irtt face v ° wo 8 the eu 8 ipsece uw 8 tht we 8 ipsece ewe © etna ablished) Proto Recv-9 Send-Q Local Address Foreign Address State User Inode PID/Progran nane 6 32768 #332768 9838 Saysql snip... 
4H netstat -s Ipt 313098712 total packets received 219 inconing packets discarded 278382563 incoming packets delivered 392232156 requests sent out vamip. 11-20 LISTEN rpcuser 1292, 791/rpe.statd Listen root 1584 1887/rpo.mountd LISTEN root 1568 1882/rpe.rquotad EXSTEN root 1664 1161/mysqla ARR RR RRR RRR RRR RAR AA RRA RRMA 0 Yew www wuwwwwwwwowuwewYwwVYITVOWOUY Example ss Usage basa State Recv-9 Send-Q a er) 4 ss ape State Recv-Q Sond-0 ust 18 usta 18 ust 818 ustee 6818 usTeR 848 usres 8148 127.8. LsRep uss 828 127.84 uses 8128 ust 828 ust 8128 STAB 6 vuserss((*eahd",25411,3),(*sshd",25414,3}) ino:131882 ski £4bA bass Total: 487 (kernel 488) Peer Addzess:Port 18.2.3-147:42833 Peer Address: Port, 10.2.3.147242633, users: (("sshd",25101,4)) ino:129878 sk:£4780168 ‘users: (("sshd",25101,3)) ino:129868 sk: £463 ((uaster")3679,12)) ((ssha",28414,8)) uid ((rsshd 25414, 7)) uid: 1088 ino; 131946 sk: £47866 users: ((*xpebind*,3159,11)) ino:7471_sk:£4751686 ((xpebind*/3159,8)) ir ‘ner: (Keepalive, 62nin,8). ep: 11 (estab 1, closed 8, orphaned 8, synrecv @, tinevait 0/8), ports 5 ‘reangport Total IP v6 . ae . nr) ° 8 we 2 1 5 me OL 6 5 iit 23 B ro mc 8 e ‘ 121 Network Time ‘Whenever computers are networked together, their time clocks should be synchronized to agree with each other. Many network protocols are inherently Uime-based, For example, the Remote Procedure Call (APC) protocol uses timestamps to authenticate clont Fequests. Ifthe time clocks on the server and the client are more than a fow seconds out-f-syne with each other, the cient is never ‘authenticated by the RPC server. Having system clocks synchronized ‘so allows correlation of log events across multiple systems, ‘Syncing via the NTP Protocot For more accurate synchronization of networked systems, the NTP ‘protocol can be used. NTP takes into account, end compensates for, things such as network latency and iter. 
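Returning to the dig output shown earlier: dig prints answers in BIND zone-file syntax, one record per line (owner, TTL, class, type, rdata). The following Python is an added example for this page, not course material; it parses the ANSWER SECTION of constructed dig output modelled on the example above, follows the CNAME chain to the A records with a loop guard (a misconfigured or hostile zone can make CNAMEs point at each other, and a resolver must not spin on that), and lets you compare the result with what host reports. All sample text is constructed from the example above.

```python
"""Parse dig's ANSWER SECTION (BIND zone-file syntax) and follow CNAMEs.

Added example for this page; not part of the course material or of dig.
SAMPLE_DIG_OUTPUT is constructed to match the dig example in the text."""

import re
from collections import defaultdict

SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
www.google.com.\t\t5588\tIN\tCNAME\twww.l.google.com.
www.l.google.com.\t287\tIN\tA\t74.125.19.104
www.l.google.com.\t287\tIN\tA\t74.125.19.147
www.l.google.com.\t287\tIN\tA\t74.125.19.99
www.l.google.com.\t287\tIN\tA\t74.125.19.103

;; AUTHORITY SECTION:
google.com.\t\t194825\tIN\tNS\tns1.google.com.
"""

# owner  TTL  IN  TYPE  rdata   (class is always IN for Internet lookups)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_section(text, section="ANSWER"):
    """Return [(owner, ttl, rtype, rdata)] for one ';; <section> SECTION:'."""
    records = []
    in_section = False
    for line in text.splitlines():
        if line.startswith(";;"):
            # every ';;' line is either a section header or trailer info
            in_section = line.startswith(";; %s SECTION" % section)
            continue
        if not in_section or not line.strip():
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata))
    return records


def resolve_addresses(records, name, max_depth=8):
    """Follow CNAMEs from `name`; return (chain_of_names, list_of_A_addresses).

    Raises ValueError on a CNAME loop; max_depth bounds very long chains."""
    by_owner = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    name = name.lower().rstrip(".") + "."          # zone-file names are absolute
    chain = [name]
    for _ in range(max_depth):
        addrs = [rd for rt, rd in by_owner.get(name, []) if rt == "A"]
        if addrs:
            return chain, addrs
        cnames = [rd.lower() for rt, rd in by_owner.get(name, []) if rt == "CNAME"]
        if not cnames:
            break                                   # dead end: no A, no CNAME
        name = cnames[0]
        if name in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
    return chain, []


if __name__ == "__main__":
    recs = parse_section(SAMPLE_DIG_OUTPUT)
    chain, addrs = resolve_addresses(recs, "www.google.com")
    print(" -> ".join(chain))
    for a in addrs:
        print("%s has address %s" % (chain[-1].rstrip("."), a))
```

The printed lines have the same shape as the host output in the text, which is a quick way to check that the two tools agree on a name.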
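Returning to the netstat and ss section: the first thing a defender wants from netstat -ape is an inventory of listening sockets, which interfaces they are bound to, and which user and program own each. The following Python is an added example for this page, not course material; it parses constructed netstat -ape output (program names follow the example above, PIDs and inodes are made up) and separates sockets bound to every interface from those bound only to localhost. It also handles the UDP rows, which netstat prints without a State column.

```python
"""Inventory listening sockets from `netstat -ape` output.

Added example for this page; not part of netstat or the course material.
SAMPLE_NETSTAT is constructed; PIDs and inodes are made-up values."""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 *:sunrpc                *:*                     LISTEN      root       7471       3159/rpcbind
tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql      9838       1161/mysqld
tcp        0      0 *:ssh                   *:*                     LISTEN      root       5321       1987/sshd
tcp        0      0 station15.example.com:ssh 10.2.3.147:42833      ESTABLISHED root       129868     25101/sshd
udp        0      0 *:ntp                   *:*                                 ntp        5412       2207/ntpd
"""

# Local addresses that mean "bound on every interface" (names or -n output, v4 or v6).
ALL_INTERFACES = ("*:", "0.0.0.0:", ":::")


def parse_netstat_ape(text):
    """Return one dict per socket row of `netstat -ape` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].startswith(("tcp", "udp")):
            continue                      # header, banner, or blank line
        # UDP is connectionless, so netstat leaves the State column empty;
        # insert a placeholder so every row has the same nine fields.
        if f[0].startswith("udp") and len(f) == 8:
            f.insert(5, "")
        if len(f) != 9:
            continue                      # truncated or otherwise malformed line
        pid, _, program = f[8].partition("/")   # "3159/rpcbind" -> pid, program
        rows.append({"proto": f[0], "local": f[3], "foreign": f[4], "state": f[5],
                     "user": f[6], "inode": f[7], "pid": pid, "program": program})
    return rows


def listening_sockets(text):
    """TCP sockets in LISTEN plus unconnected UDP sockets (foreign address *:*)."""
    return [r for r in parse_netstat_ape(text)
            if r["state"] == "LISTEN"
            or (r["proto"].startswith("udp") and r["foreign"] == "*:*")]


def exposed_services(text):
    """Listening sockets bound to every interface: reachable from the network."""
    return [r for r in listening_sockets(text) if r["local"].startswith(ALL_INTERFACES)]


if __name__ == "__main__":
    for r in exposed_services(SAMPLE_NETSTAT):
        print("%-4s %-12s user=%-8s %s/%s" % (r["proto"], r["local"], r["user"], r["pid"], r["program"]))
```

On the sample, mysqld is listening but only on localhost, so it is absent from the exposed list; rpcbind, sshd and ntpd are reachable from the network and are the rows worth reconciling against what the host is supposed to serve.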
The ntpdate command can be used to synchronize the local system clock to a remote system running an NTP daemon. Although the ntpdate command supports many options, it is not uncommon to invoke it specifying only the address of the time server, as shown in this example:

    # ntpdate tick.usno.navy.mil

The ntpdate command will update the local system clock in one of the following two ways:
1. If the local and remote time differ by more than 0.5 seconds, then the local time is changed (stepped) to match the remote clock.
2. If the clocks differ by less than 0.5 seconds, then the local clock is gradually slewed to match the remote time. This gradual adjustment is less disruptive and more accurate than a one-time change to the new value.

Managing Network-Wide Time
- Importance of managing network-wide time
- NTP Protocol Client: ntpdate
- Time Protocol Client: rdate

Syncing via the Time Protocol
The Time protocol is a simple protocol for synchronizing a system's clock with a remote system. It is defined in RFC 868 and can operate over UDP or TCP. Several commands implement the client portion of the Time protocol and must connect to a remote system running a time server daemon. The time server was historically implemented as an inetd service; today xinetd serves that role.

Enabling a Time Server on RHEL5
Use the following commands to enable a Time server using TCP and UDP:

    # chkconfig time-dgram on
    # chkconfig time-stream on

The rdate Command
When using rdate, the default operation is to show the remote time. It uses TCP unless the -u option is used to specify UDP. The -s option must be used to actually sync the local clock to the remote system:

    # rdate -s timeserver1

NTP Operations
NTP operates in any of three different models. It can be used in a client-server paradigm, such as when a stratum 3 client connects to a stratum 2 server and queries the server for its current time.
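Before NTP's other operating modes are covered, here is the RFC 868 exchange described under "Syncing via the Time Protocol" above, as an added example for this page rather than the rdate or xinetd implementation: a minimal TCP Time server and client talking over localhost. The entire protocol content is a 4-byte big-endian count of seconds since 1900-01-01 UTC; the constant 2208988800 converts that to Unix time. Port 37 is the real service port; this example binds an ephemeral port on 127.0.0.1 instead so it runs without privileges or a network.

```python
"""RFC 868 Time protocol over TCP, both sides, on localhost.

Added example for this page; not rdate, xinetd, or course code.
Wire format: the server sends 4 bytes, big-endian unsigned, seconds since
1900-01-01 00:00:00 UTC, then closes. The client sends nothing (TCP variant)."""

import socket
import struct
import threading
import time

RFC868_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01 (Unix epoch)


def unix_to_rfc868(unix_seconds):
    """Encode a Unix timestamp as the 4-byte RFC 868 payload (wraps in 2036)."""
    return struct.pack("!I", (int(unix_seconds) + RFC868_EPOCH_OFFSET) & 0xFFFFFFFF)


def rfc868_to_unix(payload):
    """Decode a 4-byte RFC 868 payload to Unix seconds; reject anything else."""
    if len(payload) != 4:
        raise ValueError("Time protocol reply must be exactly 4 bytes, got %d" % len(payload))
    return struct.unpack("!I", payload)[0] - RFC868_EPOCH_OFFSET


def serve_once(clock=time.time):
    """Start a one-shot Time server on 127.0.0.1; return (port, thread).

    `clock` is injectable so a test can serve a fixed, known time."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(unix_to_rfc868(clock()))   # reply, then close: that is the protocol
        srv.close()

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return port, t


def fetch_time(host, port, timeout=2.0):
    """Client side, like `rdate` over TCP: connect, read exactly 4 bytes, decode."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        payload = b""
        while len(payload) < 4:
            chunk = s.recv(4 - len(payload))
            if not chunk:                  # peer closed early: a short reply
                break
            payload += chunk
    return rfc868_to_unix(payload)


def time_exchange(clock=time.time):
    """Run one complete server/client exchange on localhost; return remote Unix time."""
    port, t = serve_once(clock)
    remote = fetch_time("127.0.0.1", port)
    t.join(timeout=2.0)
    return remote


if __name__ == "__main__":
    remote = time_exchange()
    print("remote time:", time.strftime("%a %b %d %H:%M:%S %Y", time.localtime(remote)))
    print("local clock is %.3f s ahead of remote" % (time.time() - remote))
```

Note what the protocol lacks: no authentication, no integrity check, and one-second resolution with no latency compensation, which is why the text recommends NTP for anything beyond a rough initial setting.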
NTP can also operate in a broadcast model, in which the server periodically broadcasts time signals to all clients on a network broadcast domain. To minimize unnecessary network traffic, NTP also supports a multicast operational model in which the server periodically sends time signals to a multicast address. These time signals are received by all multicast clients listening on that address. The address 224.0.1.1 is reserved by the Internet Assigned Numbers Authority (IANA) exclusively for use by multicast NTP servers and clients, though other multicast addresses are sometimes used for NTP as well.

Ongoing Synchronization via NTP
ntpd is a daemon that can also be used to connect to NTP servers. When operating in client/server mode, it can periodically connect to an NTP server, query it for the current time, then slowly adjust the local time if necessary. The daemon can also operate as a broadcast or multicast client. It listens for the broadcasts or multicasts from an NTP server and then adjusts the local time if necessary.

The daemon can also compensate for frequency errors of the system hardware clock. The running daemon measures the accuracy of the oscillations of the hardware clock. After the inherent frequency error of the hardware oscillator is determined, the daemon speeds up or slows down the system software clock frequency as appropriate to compensate for the system's hardware frequency error.

Continual Time Sync with NTP
- NTP operations: client/server, broadcast, multicast
- Ongoing synchronization daemon: ntpd

As a safety precaution the daemon compares the local and remote times before adjusting the local time. If the local and remote times differ by more than approximately 17 minutes, the daemon assumes one of the two is misconfigured and does not try to synchronize the local time. One approach to ensuring accurate time on the client is to:
1. Run the ntpdate application at system boot time to ensure that the system clock is initially accurate.
2. Run the ntpd daemon on the running system to ensure that the system clock remains reliable.

NTP Server Hierarchy
NTP uses stratum levels that define the distance from the reference clock, usually connected with a GPS or radio receiver to an atomic clock. The reference clock is stratum 0. A stratum 1 server is directly connected to the reference clock; a stratum 2 server is connected over the network to a stratum 1 server, and so on. There are 15 definable stratum levels. A good reference is "The Rules of Engagement," which can be found at http://support.ntp.org/bin/view/Servers/RulesOfEngagement.

ntpd Configuration
The daemon /usr/sbin/ntpd provides both NTP server and client functions. This daemon reads the configuration file /etc/ntp.conf, and configures itself to operate as a server, a client, or both, based on configuration parameters listed in the file. For basic client workstation configuration, only one line containing a remote NTP server name or IP address is required. It is preferable to use names rather than addresses, since over time the addresses can change, while the names seldom change. A simple /etc/ntp.conf should look like:

    File: /etc/ntp.conf
    server ntp.foo.bar.baz

The NTP server listed should be a stratum 2 or stratum 3 server. Up to three servers can be listed (one per line) to provide for redundancy.

Configuring NTP Clients
- ntpd
- /etc/ntp.conf: server, or broadcast/multicast client
- driftfile

Instead of explicitly configuring NTP servers to bind to, the ntpd daemon can be configured to listen for broadcast or multicast time data. This can simplify long-term maintenance. To configure a system as a broadcast client, the following configuration statement is used (do not explicitly list server statements):

    File: /etc/ntp.conf
    broadcastclient

To configure a system as a multicast client, use the following configuration statement instead of listing servers to bind to:

    File: /etc/ntp.conf
    multicastclient

Using an NTP driftfile
The NTP client can measure, and record to a file, the frequency error inherent to the hardware clock in the localhost and compensate for this built-in error. According to the NTP documentation the default file is /etc/ntp.drift, but this file may vary across different distributions. To activate this behavior, include the following configuration statement:

    File: /etc/ntp.conf
    driftfile /var/lib/ntp/drift

Panic Threshold
The NTP daemon will refuse to sync if the offset time is more than 1,000 seconds (approximately 17 minutes). The configuration directive tinker panic 0 instructs NTP not to give up if it sees a large jump in time. This is important for coping with large time drifts and also for resuming machines (possibly virtual) from their suspended state. The directive tinker panic 0 must be at the top of the ntp.conf file. For example:

    tinker panic 0
    restrict default kod nomodify notrap
    server 0.pool.ntp.org
    server 1.pool.ntp.org
    server 2.pool.ntp.org
    driftfile /var/lib/ntp/drift

The panic value is set in seconds by the tinker directive. Any value other than 0 will set the allowable offset in seconds. The default value is equivalent to tinker panic 1000. See the ntp_misc(5) and ntp_acc(5) manuals for details.

ntpq
The ntpq command is the standard NTP query program. It can be used to query NTP servers (which implement the recommended NTP mode 6 control message format) about their current state and to request changes in that state. The program may be run in interactive mode or in controlled mode using command line arguments. To obtain a list of the current peers of the server, along with a summary of each peer's state, the following command could be used:

    # ntpq -c peers

ntpdc
The ntpdc command is a special NTP query program. It also can be used to query NTP servers about their current state and to request changes in that state. The program may be run in interactive mode or in controlled mode using command line arguments.
Extensive state and statistics information is available through the ntpdc interface. ntpdc uses mode 7 packets to communicate with the NTP server.

Useful NTP Commands
- ntpq
- ntpdc

Lab 11
Estimated Time: 26 minutes

Task 1: Network Discovery
Page: 11-27
Requirements: (1 station)

Task 2: Basic Client Networking
Page: 11-30   Time: 5 minutes
Requirements: (1 station) (classroom server)

Task 3: NTP Client Configuration
Page: 11-33   Time: 15 minutes
Requirements: (2 stations) (classroom server)

Task 1: Network Discovery
Objectives: Discover network configuration
Requirements: (1 station)

Relevance
Determining the current network settings in use on a host is commonly done before making changes, or when troubleshooting network related problems.

1) The following actions require administrative privileges. Switch to a root login shell:

    $ su -
    Password: makeitso

2) Speed and duplex settings for eth0 (ethtool will work for most network cards):

    # ethtool eth0 | egrep '(Speed|Duplex):'
    # mii-tool eth0
    Result:

   Note: when run within a virtual machine, sometimes only the link status will be detected. mii-tool sometimes has card drivers not found in ethtool.

3) MAC address for eth0:

    # ifconfig eth0 | grep HWaddr
    # ip addr list eth0 | grep link/ether
    Result:

4) IP address and subnet mask for eth0:

    # ifconfig eth0 | grep 'inet addr'
    # ip addr list eth0 | grep inet
    Result:

5) Default gateway:

    # route | grep ^default
    Result:

6) DNS name server IPs:

    # grep ^name /etc/resolv.conf
    Result:

7) Using DHCP: if a DHCP client is running, it is likely that you are using DHCP.

    # cat /var/run/dhclient-eth0.pid
    # pidof dhclient
    Result:

8) DHCP info: if you are using DHCP, check the lease file.

    # cat /var/lib/dhclient/dhclient-eth0.leases
    Result:

9) Hostname:

    # uname -n
    # grep HOST /etc/sysconfig/network
    Result:

10) Administrative privileges are no longer required; exit the root shell to return to an unprivileged account:

    # exit

Task 2: Basic Client Networking
Objectives: Enable static configuration of eth0; Demonstrate persistent network configuration
Requirements: (1 station) (classroom server)
Estimated Time: 5 minutes

Relevance
While DHCP is commonly used to provide IP addresses for workstations, servers and other infrastructure machines are sometimes configured with static addresses. Being able to persistently configure core network settings when installing or moving a system is an essential systems administration skill.

Notices
If your systems are already using static IP addresses, then you should skip this lab task. Check with your instructor if you are unsure.

1) The following actions require administrative privileges. Switch to a root login shell:

    $ su -
    Password: makeitso

2) So far, your system has been using DHCP for IP address and network information. Examine and record the IP address, subnet mask and router address (default gateway) that have been obtained via DHCP:

    # cat /var/lib/dhclient/dhclient-eth0.leases
    Result:

3) Use the network SysV init script to stop networking on your system:

    # service network stop
    ... output omitted ...

4) Use the information recorded in Step 2 and switch your networking configuration over to static IP addressing instead of using DHCP:

    File: /etc/sysconfig/network-scripts/ifcfg-eth0
    - BOOTPROTO=dhcp
    + BOOTPROTO=none
    + IPADDR=IP_address
    + NETMASK=netmask
    + GATEWAY=IP_gateway

   Be sure you used the actual values for IP_address, netmask and IP_gateway as obtained in Step 2.

5) Verify that your DNS resolver information in /etc/resolv.conf matches the NetworkManager controlled settings defined in the previous step:

    File: /etc/resolv.conf
      search example.com
    + nameserver IP_name_server

   Be sure you used the actual value of the IP_name_server as obtained in Step 2.

6) Start networking and verify connectivity back to the classroom server:

    # service network start
    ... output omitted ...
    # ping -c 3 server1
    PING server1.example.com (10.100.0.254) ...
    64 bytes from server1.example.com (10.100.0.254): ...
    64 bytes from server1.example.com (10.100.0.254): ...
    64 bytes from server1.example.com (10.100.0.254): ...

   If this ping is not successful, then review the changes that you made in the previous steps and test again.

Cleanup

7) Reverse the changes made in Step 2, and return your networking configuration to using DHCP:

    File: /etc/sysconfig/network-scripts/ifcfg-eth0
    - BOOTPROTO=none
    + BOOTPROTO=dhcp
    - IPADDR=IP_address
    - NETMASK=netmask

8) Restart the networking on your system:

    # service network restart
    ... output omitted ...

9) Administrative privileges are no longer required; exit the root shell to return to an unprivileged account:

    # exit

Task 3: NTP Client Configuration
Objectives: Configure NTP client manually
Requirements: (2 stations) (classroom server)
Estimated Time: 15 minutes

Relevance
Having the correct time set across the network is an important factor in managing networks. The Network Time Protocol (NTP), implemented in ntpd, is used to help keep clocks synchronized on systems across the network.

Notices
The classroom server, server1.example.com, is configured to act as an NTP time server for the classroom network. The DHCP daemon on server1 informs clients that 10.100.0.254 is an NTP server, and the Linux DHCP client daemon, dhclient, uses that information to automatically configure the system as an NTP client. Because of this, at the start of this lab you will unconfigure your currently functional NTP client. Do not reboot or restart the network on your system during this lab, as it will revert your system back to the autoconfigured NTP client state.

1) The following actions require administrative privileges. Switch to a root login shell:

    $ su -
    Password: makeitso

2) Stop any running NTP daemon and back up the current configuration files:

    # service ntpd stop
    # mv /etc/ntp.conf /etc/ntp.conf.orig
    # mv /etc/ntp/step-tickers /etc/ntp/step-tickers.orig

3) Create the simplest possible NTP configuration file that uses network time sou

   There are more settings that can be entered, but this illustrates that the configuration does not have to be complex.

4) Set the proper SELinux context on the newly created /etc/ntp.conf by referencing the context from the original configuration file:

    # chcon --reference=/etc/ntp.conf.orig /etc/ntp.conf

5) Start the NTP daemon:

    # service ntpd start
    Starting ntpd:                                             [  OK  ]

6) Using the peers and assoc ntpq commands check that the time source(s) that the
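Lab Task 2 step 2 has you read the IP address, subnet mask and default gateway out of the dhclient lease file by eye, and the Task 3 notice explains that the same lease carries the NTP server address. The following Python is an added example for this page, not part of the course lab: it parses a constructed dhclient-eth0.leases file (the 10.100.0.254 server address follows the lab text; the client address 10.100.0.37, lease times and lease-time option are made up), picks the most recent lease for the interface, and renders the ifcfg-eth0 and resolv.conf lines that steps 4 and 5 have you write by hand.

```python
"""Extract the Task 2 values from a dhclient lease file.

Added example for this page; not part of dhclient or the course lab.
SAMPLE_LEASES is constructed (client address, timestamps are made up;
10.100.0.254 is the classroom server address used in the lab text)."""

import re

SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 10.100.0.21;
  option subnet-mask 255.255.255.0;
  option routers 10.100.0.254;
  option domain-name-servers 10.100.0.254;
  option ntp-servers 10.100.0.254;
  option domain-name "example.com";
  expire 1 2010/04/19 15:52:35;
}
lease {
  interface "eth0";
  fixed-address 10.100.0.37;
  option subnet-mask 255.255.255.0;
  option routers 10.100.0.254;
  option dhcp-lease-time 21600;
  option domain-name-servers 10.100.0.254;
  option dhcp-server-identifier 10.100.0.254;
  option ntp-servers 10.100.0.254;
  option domain-name "example.com";
  renew 1 2010/04/19 18:22:35;
  rebind 1 2010/04/19 21:07:35;
  expire 1 2010/04/19 21:52:35;
}
"""

LEASE_BLOCK_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return one dict per `lease { ... }` block, in file order.

    dhclient appends each new lease, so the last block is the current one."""
    leases = []
    for body in LEASE_BLOCK_RE.findall(text):
        lease = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            if stmt.startswith("option "):          # 'option routers X' -> key 'routers'
                stmt = stmt[len("option "):]
            key, _, value = stmt.partition(" ")
            lease[key] = value.strip().strip('"')   # unquote "eth0", "example.com"
        leases.append(lease)
    return leases


def current_lease(text, interface="eth0"):
    """Most recent lease for `interface`, or None if the file has none."""
    matching = [l for l in parse_leases(text) if l.get("interface") == interface]
    return matching[-1] if matching else None


def static_config_from_lease(lease):
    """Build the ifcfg-eth0 and resolv.conf lines from the lease values."""
    ifcfg = [
        "BOOTPROTO=none",
        "IPADDR=" + lease["fixed-address"],
        "NETMASK=" + lease["subnet-mask"],
        "GATEWAY=" + lease["routers"].split(",")[0].strip(),   # first router only
    ]
    resolv = ["search " + lease["domain-name"]] + [
        "nameserver " + ns.strip() for ns in lease["domain-name-servers"].split(",")
    ]
    return ifcfg, resolv


def ntp_servers(lease):
    """NTP servers the DHCP server pushed (what dhclient used to autoconfigure NTP)."""
    return [s.strip() for s in lease.get("ntp-servers", "").split(",") if s.strip()]


if __name__ == "__main__":
    lease = current_lease(SAMPLE_LEASES)
    ifcfg, resolv = static_config_from_lease(lease)
    print("\n".join(ifcfg))
    print("\n".join(resolv))
    print("ntp-servers:", ", ".join(ntp_servers(lease)))
```

Reading the last block rather than the first matters: an older lease in the same file can carry a different address, as the constructed sample shows.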
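Task 3 step 3 has you write an ntp.conf by hand, and the Panic Threshold section earlier states the ordering and content rules such a file should follow: a tinker directive, if used, at the very top; one to three server lines, preferably names rather than addresses; a driftfile; and a restrict default line that at least denies runtime modification. The following Python is an added example for this page, not part of ntpd or the course material; it parses two constructed configurations (a weak one and one laid out like the Panic Threshold example) and reports each rule that is broken. It also flags tinker panic 0 as informational, because that directive deliberately removes the 1,000 second sanity check the text describes.

```python
"""Sanity-check an ntp.conf against the rules given in this chapter.

Added example for this page; not part of ntpd or the course material.
WEAK_CONF and GOOD_CONF are constructed; 192.0.2.10 is a documentation address."""

WEAK_CONF = """\
# constructed: tinker buried after servers, four servers, one by address,
# no driftfile, restrict default with no flags
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 192.0.2.10
tinker panic 0
restrict default
"""

GOOD_CONF = """\
# constructed: the layout shown in the Panic Threshold section
tinker panic 0
restrict default kod nomodify notrap
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
driftfile /var/lib/ntp/drift
"""


def parse_ntp_conf(text):
    """Return [(keyword, [args])] in file order; comments and blank lines dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def looks_like_ipv4(s):
    return s.count(".") == 3 and all(p.isdigit() and 0 <= int(p) <= 255 for p in s.split("."))


def check_ntp_conf(text):
    """Return [(level, message)] with level "warn" or "info"; [] means clean."""
    findings = []
    directives = parse_ntp_conf(text)
    keywords = [k for k, _ in directives]

    # Rule from the text: the tinker directive must be at the top of ntp.conf.
    if "tinker" in keywords and keywords[0] != "tinker":
        findings.append(("warn", "tinker directive is not the first directive in the file"))
    for k, args in directives:
        if k == "tinker" and args[:1] == ["panic"]:
            if len(args) < 2 or not args[1].isdigit():
                findings.append(("warn", "tinker panic needs a numeric threshold in seconds"))
            elif args[1] == "0":
                # panic 0 accepts any offset: the 1000 s (about 17 min) check is gone,
                # so a wrong or hostile server can step the clock arbitrarily far
                findings.append(("info", "tinker panic 0 disables the panic threshold"))

    servers = [args[0] for k, args in directives if k == "server" and args]
    if not servers and not ({"broadcastclient", "multicastclient"} & set(keywords)):
        findings.append(("warn", "no server directive and no broadcast/multicast client mode"))
    if len(servers) > 3:
        findings.append(("warn", "more than three servers listed (%d)" % len(servers)))
    for s in servers:
        if looks_like_ipv4(s):
            findings.append(("warn", "server %s given as an address; names are preferred" % s))

    if "driftfile" not in keywords:
        findings.append(("warn", "no driftfile directive; measured frequency error is not kept"))

    for k, args in directives:
        if k == "restrict" and args[:1] == ["default"] and "nomodify" not in args[1:]:
            findings.append(("warn", "restrict default lacks nomodify (runtime changes allowed)"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name + ":")
        for level, msg in check_ntp_conf(conf) or [("ok", "no findings")]:
            print("  [%s] %s" % (level, msg))
```

The check is deliberately limited to what this chapter states; it is a lab aid for the hand-written file in step 3, not a substitute for reading ntp_acc(5) and ntp_misc(5).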
