You are on page 1of 20

Chapter – 12

Network Management
Objectives:

At the end of this module, you would have


gained fair knowledge on:

•Basic Network Configuration


•TCP Wrappers
•Configuring Xinetd service
Configuring the Network
In Red Hat, basic network configuration is
generally done at installation time, when configuring
the base system, but network interfaces may be
added or deleted at any time. As with other UNIX
systems, all configuration data is stored in text files in
the /etc directory tree.

An important thing to consider is that Linux can


be reconfigured on-the-fly. In other words, almost any
parameter can be changed while the system is
operating, without rebooting. This make it easy to
experiment and correct configuration problems.
TCP/IP Services
All primary Linux network services are TCP/IP services –
that is, services based on the TCP/IP family of protocols. A
TCP/IP service has an associated number known as a port;
which are numbered from 0 to 65535. A single computer may
host several services and the port number is used to distinguish
one service from the next. Some well-Known port numbers are
given bellow:

25/tcp smtp
53/udp dns
80/tcp www
110/tcp POP3
The complete list of port used in TCP/IP is available in
/etc/services file.
Network Scripts
Using Red Hat Linux, all network
communications occur between configured
interfaces and physical networking devices
connected to the system. The different types of
interfaces that exist are as varied as the physical
devices they support.

The configuration files for network


interfaces and the scripts to activate and
deactivate them are located in the
/etc/sysconfig/network-scripts/ directory.
Network Configuration Files
The primary network configuration files are as follows:

/etc/hosts — The main purpose of this file is to resolve hostnames that cannot
be resolved any other way. It can also be used on resolve hostnames on small
networks with no DNS server. Regardless of the type of network the computer
is on, this file should contain a line specifying the IP address of the loopback
device (127.0.0.1) as localhost.localdomain.

/etc/resolv.conf — This file specifies the IP addresses of DNS servers and the
search domain. Unless configured to do otherwise, the network initialization
scripts populate this file.

/etc/sysconfig/network — Specifies routing and host information for all


network interfaces.

/etc/sysconfig/network-scripts/ifcfg-<interface-name> — For each network


interface on a Red Hat Linux system, there is a corresponding interface
configuration script. Each of these files provide information specific to a
particular network interface
Ethernet Interfaces
One of the most common interface files is
ifcfg-eth0, which controls the first network interface card or
NIC in the system. In a system with multiple NICs, you will
also have multiple ifcfg-eth files, each one with a unique
number at the end of the file name. Because each device
has its own configuration file, you can control how each
interface functions individually

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.0.1.0
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no
Ethernet Interfaces
The values required in an interface
configuration file can change based on other
values. For example, the ifcfg-eth0 file for an
interface using DHCP looks quite a bit different,
because the DHCP server provides IP
information
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
Activating & Deactivating Network Interfaces

The interface control scripts activate and


deactivated system interfaces. There are two primary interface
control scripts, /sbin/ifdown and /sbin/ifup, that call on control
scripts located in the /etc/sysconfig/network-scripts/ directory.

The two interface control scripts are ifdown and


ifup and are symbolic links to scripts in the /sbin/ directory.
When either of these scripts are called, they require a value of
the interface to be specified, such as:

ifup eth0Determining IP information for eth0... done.

At that point, the /etc/rc.d/init.d/functions and


/etc/sysconfig/network-scripts/network-functions files are used
to perform a variety of tasks.
The following interface control scripts are the most common:

ifup-aliases — Configures IP aliases from interface configuration


files when more than one IP address is associated with an
interface.
ifdown-ipv6 and ifup-ipv6 — Contains IPv6-related function calls
using environment variables in various interface configuration files
and /etc/sysconfig/network.
ifup-plusb — Used to bring up a USB interface for network
connections.
ifdown-post and ifup-post — Contains commands to be
executed after an interface is brought up or down.
ifdown-ppp and ifup-ppp — Used to bring a PPP interface up or
down.
ifup-routes — Adds static routes for a device as its interface is
brought up.
ifdown-sit and ifup-sit — Contains function calls related to
bringing up and down an IPv6 tunnel within an IPv4 connection.
Network Functions

Red Hat Linux makes use of several files that


contain important functions that are used in various ways to bring
interfaces up and down. Rather than forcing each interface control
file to contain the same functions as another, these functions are
grouped together in a few files that can be sourced when needed.

The most common network functions file is network-


functions, located in the /etc/sysconfig/network-scripts/ directory.
This file contains a variety of common IPv4 functions useful to
many interface control scripts, such as contacting running
programs that have requested information about changes in an
interface's status, setting host names, finding a gateway device,
seeing if a particular device is down or not, and adding a default
route.
TCP Wrappers
Controlling access to network
services can be a challenge. Firewalls are useful for
controlling access in and out of a particular network, but they
can be difficult to configure. TCP wrappers and xinetd
control access to services by hostname and IP addresses.
In addition, these tools also include logging and utilization
management capabilities that are easy to configure

What Are TCP Wrappers?


TCP wrappers is installed by default
with a server-class installation of Red Hat Linux 8.0, and
provides access control to a variety of services. Most
modern network services, such as SSH, Telnet, and FTP,
make use of TCP wrappers, a program that is designed to
stand guard between an incoming request and the
requested service.
TCP Wrapper Advantages
When a user attempts to gain
client access to a network service that is using
TCP wrappers, a small wrapper program reports
the name of the service requested and the
client's host information.

The wrapper program does not directly send


any information back to the client, and after the
access control directives are satisfied, the
wrapper is unloaded and frees up its resources.
The client and the server can then resume
actions without further wrapper intervention.
TCP wrappers provide two basic advantages over
other network service control techniques:

1. The connecting client is unaware that TCP


wrappers are in use. — Legitimate users will not
notice anything different, and attackers never
receive any additional information about why their
attempted connections have failed.

2. TCP wrappers operate separately from the


applications the wrapper program protects. —
This allows many server applications to share a
common set of configuration files for simpler
management.
Host-Based Access Control Lists
Host-based access for services that use TCP
wrappers is controlled by two files: /etc/hosts.allow and
/etc/hosts.deny. These file use a simple format to control
access to services on a server.

If no rules are specified in either hosts.allow or


hosts.deny, then the default rule is to allow anyone to access to
the services.

Order is important since rules in hosts.allow take


precedence over rules specified in hosts.deny. Even if a rule
specifically denying all access to a particular service is defined
in hosts.deny, hosts specifically given access to the service in
hosts.allow are allowed to access the service. Any changes to
these files take effect immediately, so restarting services is
not required.
Formatting Rules
All access control rules are placed on lines within
hosts.allow and hosts.deny, and any blank lines or lines
that start with the comment character (#) are ignored.
Each rule needs to be on its own line.
The rules must be formatted in the following manner:
<daemon_list>: <client_list>[: spawn
<shell_command> ]
daemon_list — A collection of one or more process names or special wildcards,
separated by whitespace.
client_list — One or more hostnames, host addresses, patterns, or wildcards,
separated by whitespace, to use when a particular process name matches a
requested service.
shell_command — An optional component that specifies something to be done in
the event a rule is utilized.
Access Control Using xinetd

The benefits offered by TCP wrappers are


enhanced when the libwrap.a library is used in
conjunction with xinetd, a super-daemon that provides
additional access, logging, binding, redirection and
resource utilization control.

Red Hat Linux configures a variety of


popular network services to be used with xinetd,
including FTP, IMAP, POP, and Telnet. When any of
these services are accessed via their port numbers in
/etc/services, the xinetd daemon handles the request.
xinetd Configuration Files
The xinetd service is controlled by the /etc/xinetd.conf file, as well as the
various service-specific files in the /etc/xinetd.d/ directory.

/etc/xinetd.conf

The xinetd.conf file is the parent of all xinetd-controlled service configuration


files, as the service-specific files are also parsed every time xinetd starts. By
default, xinetd.conf contains some basic configuration settings that apply to
every service. Below is an example of a typical xinetd.conf:
Defaults
{ instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30}includedir
/etc/xinetd.d
Binding and Port Redirection
The service configuration files for xinetd also support
binding the service to an IP address and redirecting incoming
requests for that service to another IP address, hostname, or port.
Binding is controlled with the bind option in the
service configuration files and links the service to one IP address
on the system. When used, the bind option only allows requests
for the proper IP address to access the service.
The redirect option accepts an IP address or
hostname followed by a port number. It tells the service to redirect
any requests for this service to the specified host and port
number.
The xinetd daemon is able to accomplish this
redirection by spawning a process that stays alive for the duration
of the connection between the requesting client machine and the
host actually providing the service, transferring data between the
The ifconfig Command
The ifconfig command can be used to configure the network interfaces. The
general format of the command is given bellow.

ifconfig interface options


# ifconfig eth0 down
# ifconfig eth0 up

The commands can be used to activate and deactivate the Ethernet interface
eth0

# ifconfig eth0 10.10.10.1 netmask 255.0.0.0 broadcast 10.10.10.255


The above command will set the IP address, subnetmask and broad cast
address for the Ethernet interface eth0

# ifconfig eth0
The above command will give information about the Ethernet interface eth0

# ifconfig –a
The above command will display all information about all the interfaces.