Network Configuration in Linux
Spring 2012, Network Administration, Fordham University
Outline
• Understand iptables. Last class: to allow SSH traffic into your host,
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
• Setting up a firewall, NAT and gateway on a Linux machine. Last class: a wireless router capable of serving as all of these (firewall, NAT, gateway). This class: configure a Linux host to do all of these.
Note on service
Last class: service sshd start
A service (daemon) is a program that starts automatically at boot and runs in the background: web server, DNS server, NFS, ...
To manage services, use the GUI tool or the command line tool service:
    service servicename status|start|stop|restart
e.g. service sshd stop, service iptables restart
Such changes apply to the current run only.
Service configuration
To make a permanent change, configure which services start in each runlevel:
    ntsysv            // configure the current runlevel
    ntsysv --level 3  // configure runlevel 3
Runlevels and their meanings:
0: shuts down all processes and halts the system
1: single-user mode, for the admin to perform maintenance
2: special multi-user mode, no support for file sharing
3: full multi-user mode, NFS file sharing
4: unused
5: dedicated X Windows terminal
6: shuts down all processes and reboots
Linux host as gateway/firewall/NAT
router: forwards packets destined for other machines, or to the appropriate next-hop gateway
gateway: connects all computers on a private network to the Internet with one external IP address, the so-called "sharing Internet connection"
firewall: its primary task is to filter packets
What we need:
• a Linux computer with at least two NICs
• iptables
Packet forwarding
A Linux machine can be configured to run as an end host or as a router: turn packet forwarding on or off.
Write 0 to the file below to disable packet forwarding, 1 to enable it:
    /proc/sys/net/ipv4/conf/<device_name>/forwarding
Note: /proc is a virtual file system (not real disk files) that provides a peek into the Linux kernel. Reading or writing a proc file invokes a kernel function that reads/writes kernel parameters, which lets you monitor and control the networking stack. The Linux networking stack provides many such virtual files inside /proc.
Netfilter architecture & iptables command
Netfilter architecture: the whole software that enables packet filtering, NAT, ...
iptables: the command line tool provided by the netfilter architecture in Linux 2.4.x and 2.6.x kernels; a re-designed and heavily improved successor of ipchains (Linux 2.2.x) and ipfwadm (Linux 2.0.x).
What can I do with iptables?
• build firewalls based on stateless and stateful packet filtering
• use NAT and masquerading to share Internet access
• use NAT to implement transparent proxies
• aid the tc and iproute2 systems to build sophisticated QoS and policy routers
• further packet manipulation (mangling), like altering the TOS/DSCP/ECN bits of the IP header
Netfilter: how does it work?
A series of chains in the Linux network protocol stack (the oval shapes in the figure). Rules are registered with a chain; the registered rules are checked/executed for every packet that traverses the chain.
e.g., to add a rule to drop all TCP packets with destination port 80 at the filter/INPUT chain:
    iptables -A INPUT -p tcp --dport 80 -j DROP
[Figure: a chain (and the table it belongs to), a packet traversing it, and the chain's rules]
Rule: criteria & target
Each chain has a sequence of rules, checked/executed in order, e.g., the filter/INPUT chain on my laptop:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
...
Each rule specifies criteria for matching packets and a target (i.e., what to do with matching packets). If a packet does not match, the next rule in the chain is checked; if it matches the criteria, the target decides the next action:
• maybe go to another (user-defined) chain
• ACCEPT, DROP, QUEUE or RETURN
Default policy of a chain
Each chain has a default policy, applied to packets that match no rule (shown as "policy ACCEPT" above; note that only ACCEPT and DROP can be set as a chain policy, see -P below).
ACCEPT – let the packet through
DROP – drop the packet, no notification
REJECT – reject the packet, with an error message
REDIRECT – send the packet elsewhere
iptables: tables & chains
Chains are organized into tables:
filter – the default table: INPUT, OUTPUT and FORWARD
nat: PREROUTING, OUTPUT, POSTROUTING
mangle: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
Packet traversing: 1
Packet destined for our own local host:
1. Arrives at an interface (e.g., eth0)
2. mangle/PREROUTING: normally used for mangling packets, i.e., changing TOS and so on
3. nat/PREROUTING: used mainly for DNAT. Avoid filtering in this chain, since it will be bypassed in certain cases
4. Routing decision: destined for the local host, or to be forwarded?
5. mangle/INPUT: used to mangle packets after they have been routed, but before they are sent to the process
6. filter/INPUT: do the filtering for all incoming traffic destined for our local host; all incoming packets destined for this host pass through this chain
7. Local process/application (i.e., server/client program)
Packet traversing: 2
Outgoing packets from our own local host:
1. Generated at a local process/application
2. Routing decision: which source address to use, which outgoing interface to use, and other needed info
3. mangle/OUTPUT: mangle packets; do not filter here, to avoid side effects
4. nat/OUTPUT: NAT outgoing packets from the firewall itself
5. filter/OUTPUT: filter packets going out from the local host
6. mangle/POSTROUTING: used to mangle packets before they leave our host, but after the routing decisions
7. nat/POSTROUTING: where we do SNAT; don't do filtering here (side effects: certain packets might slip through even though you set a default policy of DROP)
8. Goes out on some interface (e.g., eth0)
Packet traversing: 3
Packet destined for another host on another network:
1. Comes in on an interface (e.g., eth0)
2. mangle/PREROUTING: used to mangle packets, i.e., changing TOS etc.
3. nat/PREROUTING: used for DNAT; avoid filtering here, since it will be bypassed in certain cases
4. Routing decision: destined for our local host, or to be forwarded?
5. mangle/FORWARD: used to mangle packets after the initial routing decision, but before the last routing decision made just before the packet is sent out
6. filter/FORWARD: only forwarded packets go through here, and all filtering shall be done here
7. mangle/POSTROUTING: used to mangle packets after all routing decisions have been made, but while still on this machine
8. nat/POSTROUTING: used for SNAT and masquerade. Avoid filtering here, since certain packets might pass this chain without ever hitting it
9. Goes out on the outgoing interface (e.g., eth1)
10. Out on the wire again (i.e., the LAN)
Example: regular host
Disable access to the web server running on the local host: such packets are destined to the local host => check the chains traversed by such packets => find the appropriate chain to set up rules: filter/INPUT
    iptables -A INPUT -p tcp --dport 80 -j DROP
I don't want users to use telnet from the local host: such packets originate from the local host => chains they traverse => appropriate chain to set up filtering: filter/OUTPUT
    iptables -A OUTPUT -p tcp --dport 23 -j DROP
Example: gateway
In a gateway, I will allow an outside host to ssh to a host within my LAN: such packets are type 3 => chains such packets traverse => chain to perform the filtering: the filter table's FORWARD chain
    iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
Example: gateway/NAT
The machine acts as gateway/NAT to allow internal hosts with private IPs to access the Internet => change the source IP address of outgoing packets to the public IP. Such packets are type 3 => chain to change the source IP: nat/POSTROUTING
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 42.42.42.42
To allow incoming access to an HTTP server => change the destination IP address to the private IP of the server. Such packets are type 3 => chain to change the destination IP: nat/PREROUTING
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.15
iptables command
A userspace command line program; requires a kernel that features the ip_tables packet filter (2.4.x and 2.6.x kernels). Lists, adds, removes and modifies rules in the kernel's packet filtering table, ...
The kernel's filtering table is located in memory => changes are lost on reboot (unless you save them to a file).
GUIs for iptables: XFWall, Firewall Builder, ...
iptables: usage
    iptables [-t <table_name>] <cmd> <chain> <plist>
-t table_name
• specify the table to work on
• default table: filter
chain: specify the chain to work on
cmd:
• -A: append a rule to the end of a chain (-I inserts at a specific location)
• -D: delete a specific rule in a chain
• -F: flush a chain, i.e., delete its rules one by one
• -L: list a chain
• -N: create a new user-specified chain
• -R: replace a rule, ...
iptables command
-A, --append: append a rule to the end of a chain
    iptables -A INPUT ...
i.e., the rule is last in the rule-set and hence checked last.
-D, --delete: delete a rule in a chain
    iptables -D INPUT -p tcp --dport 80 -j DROP
    iptables -D INPUT 1
Either enter the whole rule to match, or specify the number of the rule you want to delete. Rules are numbered from the top of each chain, starting with 1.
iptables command (cont'd)
-I, --insert: insert a rule in a chain
    iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
The rule is inserted at the position number that we specify.
-L, --list: list the rules in a table or chain
    iptables -L INPUT
• lists all entries in the filter/INPUT chain
    iptables -L
• lists all entries in a table (the default table is filter)
iptables command (default policy)
-P, --policy: set a specified default target, or policy, on a chain
    iptables -P INPUT DROP
All packets that don't match any rule will then be forced to use this policy of the chain. Legal targets are DROP and ACCEPT.
iptables command (cont'd)
-R, --replace: replace the old rule at the specified line
    iptables -R INPUT 1 -s 192.168.0.1 -j DROP
replaces the first rule in the filter/INPUT chain with a new rule
-F, --flush: flush all rules from the specified chain
    iptables -F INPUT
equivalent to deleting each rule one by one (but faster); when used without specifying a chain, deletes all rules in all chains of the specified table
-N, --new-chain: create a new chain with the specified name in the specified table
    iptables -N allowed
Note: there must not already be a chain or target of the same name.
-X, --delete-chain: delete the specified chain from the table
    iptables -X allowed
There must be no rules that refer to the chain.
    iptables -X
deletes all chains except the built-in ones in the specified table
Sample settings: filter table
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Sample settings: nat table
$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
Default settings on Ubuntu
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HOW TO CREATE A RULE
Rule: match (criteria) and target
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 42.42.42.42
    iptables -A INPUT -p tcp --dport 80 -j DROP
Match: overview
    iptables -A INPUT -p tcp --dport 80 -j DROP
Matching criteria are specified using:
• generic matches: can be used in all rules
• TCP matches: can only be applied to TCP packets
• UDP matches: can only be applied to UDP packets, e.g., sport, dport
    iptables -A INPUT -p udp --sport 53
• ICMP matches: can only be used on ICMP packets
• special matches: such as the state, owner and limit matches
Generic matches
-p, --protocol
    iptables -A INPUT -p tcp
-s, --src, --source
    iptables -A INPUT -s 192.168.1.1
192.168.0.0/24: all packets with source IP 192.168.0.x
--source ! 192.168.0.0/24: match all packets with a source IP not within the 192.168.0.x range
-d, --dst, --destination
    iptables -A INPUT -d 192.168.1.1
Generic matches (2)
-i, --in-interface
    iptables -A INPUT -i eth0
eth+ matches eth0, eth1, ...; ! eth0 matches all interfaces except eth0
-o, --out-interface
    iptables -A FORWARD -o eth0
-f, --fragment
    iptables -A INPUT -f
Matches the second and third parts of a fragmented packet. For such fragments there is no way to tell the source or destination ports, nor the ICMP type, among other things.
TCP matches
--sport, --source-port
    iptables -A INPUT -p tcp --sport 22
--source-port 22:80: ports 22 through 80
--source-port :80: from 0 to 80
--source-port 22:: from 22 to 65535
--source-port ! 22: match all ports but port 22
--dport, --destination-port
    iptables -A INPUT -p tcp --dport 22
TCP matches (cont'd)
--tcp-flags: match the TCP flags in a packet
    iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Takes a list of flags to compare (a mask) followed by the flags that must be set; no spaces in the comma-delimited lists. Flags: SYN, ACK, FIN, RST, URG, PSH
--tcp-flags ALL NONE: match if none of the flags are set
--tcp-flags ! SYN,FIN,ACK SYN: match packets that had the ACK and FIN bits set, but not the SYN bit
ICMP match
The ICMP protocol is used for error reporting and for connection control. Headers of ICMP packets are very similar to those of IP headers, but differ in a number of ways.
The type header tells us what the packet is for, e.g., if we try to access an unreachable IP address, we would normally get an ICMP host unreachable in return. For a complete listing of ICMP types, see the ICMP types appendix.
--icmp-type: specify the ICMP type to match
    iptables -A INPUT -p icmp --icmp-type 8
ICMP types are specified either by numeric value or by name; the numeric values are specified in RFC 792. For a complete listing of the ICMP names: iptables --protocol icmp --help
--icmp-type ! 8 matches ICMP packets whose type is not 8
Special matches
All special matches need to be turned on with the -m option: -m mac, -m multiport, ...
--mac-source
    iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
matches packets based on their MAC source address; reversed with a !, e.g., --mac-source ! 00:00:00:00:00:01
Special match (multiport)
Matches multiple (up to 15) ports; may only be used with -p tcp or -p udp
    iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
    iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
The --port form matches packets based on both their destination port and their source port.
Special match (owner)
-m owner: match packets based on the identity of the process that created them. Only works in the OUTPUT chain:
• it is impossible to find out the owner of packets generated by other hosts
• certain packets may not have an owner, e.g., ICMP responses
The owner is specified as a process ID, user ID, group ID or session ID.
Owner match
    iptables -A OUTPUT -m owner --uid-owner 500
matches packets created by the given user ID (UID), e.g., to block users other than root from opening new connections, or to block everyone but the http user from sending packets from the HTTP port
    iptables -A OUTPUT -m owner --gid-owner 0
matches based on what group the user creating the packets is in, e.g., to block all but the users in a "network" group from getting out onto the Internet
    iptables -A OUTPUT -m owner --pid-owner 78
matches packets based on the process ID (PID) that was responsible for them, e.g., to only allow PID 94 to send packets from the HTTP port. Alternatively we could write a small script that grabs the PID from ps output for a specific daemon and then adds a rule for it. For an example, see the rule shown in Pid-owner.txt.
Special match (state)
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
specifies what states packets must be in to be matched. Four possible states:
NEW: the first packet seen within a specific connection, e.g., a TCP SYN packet, or the first UDP packet with a certain (src_ip, dest_ip, src_port, dest_port) tuple. NEW changes to ESTABLISHED upon receipt of a reply packet.
ESTABLISHED: has seen traffic in both directions, i.e., one host sends a packet and gets a reply from the other host.
Packet state (2)
RELATED: a connection that is related to another, already ESTABLISHED connection, e.g., when an ESTABLISHED connection spawns a connection outside of its main connection, the new connection is considered RELATED. Ex: FTP data connections are considered RELATED to the FTP control connection. Related connections often require special helper modules to be correctly understood by netfilter.
INVALID: the packet's state cannot be identified, e.g., ICMP error messages that do not correspond to any known connection. Generally, it is a good idea to DROP everything in this state.
State match & stateful firewall
The state match enables stateful firewalls, which are more secure than stateless firewalls. With the --state match we can easily control who or what is allowed to initiate new sessions.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
conntrack entries
/proc/net/ip_conntrack holds information about all tracked connections, e.g.:
    tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
Fields: the protocol (here tcp); the same protocol in normal decimal coding (6); the TTL, i.e., the timeout value for the entry (117); the actual state of the connection (SYN_SENT); source IP, destination IP, source port and destination port; [UNREPLIED]: no return traffic has been seen yet; then the source/destination IP and port of the expected return packets.
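As an added example (not code from the slides), a small parser for ip_conntrack lines like the one above, plus a helper that counts UNREPLIED entries per source address, which is how a port scan or SYN flood shows up in the conntrack table. The sample lines are constructed: the first is the slide's own entry, the other two are assumed entries for an established SSH session and a UDP DNS lookup.

```python
"""Parser for /proc/net/ip_conntrack lines like the one on the slide.  Added example,
not code from the slides.  SAMPLE is constructed: line 1 is the slide's own entry,
lines 2-3 add an established SSH session and a UDP DNS lookup for comparison."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
tcp 6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.9 sport=32776 dport=22 src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32776 [ASSURED] use=1
udp 17 29 src=192.168.1.6 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.6 sport=53 dport=40000 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport", "type", "code", "id")   # type/code/id: ICMP entries


@dataclass
class ConntrackEntry:
    proto: str                      # protocol name, e.g. "tcp"
    proto_num: int                  # the same protocol in decimal (tcp = 6, udp = 17)
    ttl: int                        # seconds until the entry times out
    state: Optional[str]            # TCP state such as SYN_SENT; UDP/ICMP entries have none
    orig: Dict[str, str]            # addresses/ports of the original direction
    reply: Dict[str, str]           # addresses/ports expected on the return path
    flags: List[str] = field(default_factory=list)   # UNREPLIED, ASSURED, ...
    use: int = 0                    # reference count


def parse_entry(line: str) -> ConntrackEntry:
    tokens = line.split()
    proto, proto_num, ttl = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    # Only TCP entries carry a state word before the first src= field.
    state = rest.pop(0) if rest and "=" not in rest[0] and not rest[0].startswith("[") else None
    tuples: List[Dict[str, str]] = [{}, {}]      # [original direction, expected reply]
    direction, flags, use = 0, [], 0
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):   # e.g. [UNREPLIED]
            flags.append(tok[1:-1])
            continue
        key, value = tok.split("=", 1)
        if key == "src" and tuples[0]:                  # second src= opens the reply tuple
            direction = 1
        if key in TUPLE_KEYS:
            tuples[direction][key] = value
        elif key == "use":
            use = int(value)
    return ConntrackEntry(proto, proto_num, ttl, state, tuples[0], tuples[1], flags, use)


def parse_table(text: str) -> List[ConntrackEntry]:
    """Parse the whole file contents; blank lines are skipped."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def unreplied_by_source(entries: List[ConntrackEntry]) -> Counter:
    """Half-open entries per source IP.  Many UNREPLIED entries from one address is
    how a port scan or a SYN flood shows up in the conntrack table."""
    return Counter(e.orig["src"] for e in entries if "UNREPLIED" in e.flags)


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(e.proto, e.state, e.orig["src"], "->", e.orig["dst"], e.flags)
    print(unreplied_by_source(parse_table(SAMPLE)))
```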
Special match (other)
    iptables -A INPUT -p tcp -m string --algo bm --string 'exe'
matches packets containing the string 'exe'
    iptables -A INPUT -p tcp -m length --length 10:100
matches packets with a length between 10 and 100 bytes; 'greater than 10' can be specified as 10:
There are many others ...
HOW TO CREATE A RULE: TARGET
Rule: match (criteria) and target
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 42.42.42.42
    iptables -A INPUT -p tcp --dport 80 -j DROP
target/jump
target/jump: what to do with a matching packet. Jump: go to a specific chain
    iptables -N tcp_packets                    // create a chain
    iptables -A INPUT -p tcp -j tcp_packets    // add a jump target
All TCP packets traversing filter/INPUT will jump to tcp_packets (the sub chain) and check/execute the rules within it. When the end of tcp_packets is reached, the packet returns to INPUT (the super chain) and the next rule there is checked/executed.
targets: -j
Target: what to do with matching packets
ACCEPT: let the packet through; the packet will not continue traversing the current chain or other chains in the same table (it can still travel through chains in other tables, and be dropped there)
DROP: drop the packet on the floor; no further processing is carried out (in any other chain)
• no error message is sent
REJECT: drop the packet and send an error message
RETURN, SNAT, DNAT, MASQUERADE, QUEUE, LOG, ...
REJECT target
Matching pkt is dropped dead (similarly to DROP), an error msg is sent to src host only valid in INPUT, FORWARD and OUTPUT chains or
their sub chains, chains use REJECT target may only be called by INPUT, FORWARD, and OUTPUT chains
e.g., iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
tcp-reset, only for TCP, send an TCP RST pkt to sending host (to close open TCP connections gracefully)
Other possible error msgs icmp-net-unreachable, icmp-host-unreachable,icmp-
port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited …
Default: port-unreachable
RETURN target
The matching packet stops traveling through the current chain and returns to the super chain, or takes the default policy.
For example: a packet enters the INPUT chain and matches a rule with target --jump EXAMPLE_CHAIN. It then starts traversing EXAMPLE_CHAIN and matches a rule with the --jump RETURN target: the packet jumps back to the INPUT chain. If a packet hits a --jump RETURN rule in the INPUT chain itself, it takes the default policy (no more rules are checked/executed).
DNAT target
Rewrites the destination IP address of matching packets, and of all subsequent packets in the same stream. These packets are then routed on to the correct device, host or network. Only available in nat/PREROUTING and nat/OUTPUT, and in any of the chains called from those chains.
E.g., to forward all packets with destination port 80 on to a web server within the LAN.
DNAT target example
Specify a whole range of destination IP addresses, and the DNAT mechanism chooses the destination IP address at random for each stream:
    iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
sends all packets destined for 15.45.23.67 on to a range of IPs, namely 192.168.1.1 through 192.168.1.10. Note: a single stream will always use the same destination IP.
To specify a port or port range to which the packets are redirected:
    --to-destination 192.168.1.1:80
    --to-destination 192.168.1.1:80-100
SNAT target
Rewrites the source IP address of matching packets, e.g., making all packets leaving a private LAN look as if they come from a single IP. Only valid within the nat table, in the POSTROUTING chain. Only the first packet in a connection is mangled by SNAT; after that, all future packets of the same connection will also be SNATed.
SNAT example
    iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
194.236.50.155-194.236.50.160: which source IP to use; one is chosen randomly from this range, and a single stream always uses the same IP address.
1024-32000: for tcp/udp, a range of source ports to be used; all source ports are then confined to the specified range.
MASQUERADE target
Changes the source IP, similar to the SNAT target, to the IP address of the outgoing interface (automatically identified). Only valid in the nat/POSTROUTING chain.
    iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
--to-ports: set the source port or ports to use on outgoing packets; a single port: --to-ports 1025
For a static IP, use SNAT instead (avoids the overhead).
Example: ping on localhost
    ping -c 1 127.0.0.1
Add a rule to drop ICMP from the local host:
    iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
Try ping; you might still get a response. Why? Check the current settings: is ICMP accepted by an earlier rule?
Insert the rule as the first one to be checked/executed:
    iptables -I INPUT 1 -s 127.0.0.1 -p icmp -j DROP
Delete the rule and ping again:
    iptables -D INPUT 1
    iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
Exercise
How to disable ssh access to a host from anywhere other than the LAN? Suppose the IP addresses used in the LAN are 24.34.45.* ...
Examples
    iptables -A INPUT -s 200.200.200.2 -j ACCEPT
    iptables -A INPUT -s 200.200.200.1 -j DROP
    iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP
    iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP
    iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP
Share WiFi Internet connection
My laptop:
wlan0: connected to FordhamLC
eth0: connected to the private LAN via a wireless router
Steps:
1. Enable forwarding (su first, or use sudo):
    echo 1 > /proc/sys/net/ipv4/ip_forward
2. iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
3. iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   // all packets of established/related connections from outside to an internal host
4. iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
   // forward all packets from internal hosts to outside
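As an added example (not code from the slides), a small Python model of one filter chain with first-match semantics and a default policy. It replays the ping-on-localhost rules (append vs. insert) against the INPUT chain listed earlier, and the two FORWARD rules of the sharing setup above; the Packet and Rule classes, the addresses 192.168.1.15 and 203.0.113.9, and the DROP policy in gateway_forward are assumptions, not from the slides.

```python
"""Model of a netfilter filter chain: rules are checked in order, the first match
decides, and the chain's default policy applies when no rule matches.  Added
example, not code from the slides; Rule fields mirror a subset of iptables options."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dport: Optional[int] = None
    state: str = "NEW"           # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    in_if: str = ""              # interface the packet arrived on (-i)
    out_if: str = ""             # interface it will leave on (-o)

@dataclass
class Rule:
    target: str                          # -j ACCEPT, DROP or REJECT
    proto: Optional[str] = None          # -p
    src: Optional[str] = None            # -s, single IP or CIDR prefix
    dport: Optional[int] = None          # --dport
    states: Optional[Set[str]] = None    # -m state --state A,B
    in_if: Optional[str] = None          # -i
    out_if: Optional[str] = None         # -o

    def matches(self, p: Packet) -> bool:   # omitted criteria match anything
        return ((self.proto is None or p.proto == self.proto)
                and (self.src is None or ipaddress.ip_address(p.src)
                     in ipaddress.ip_network(self.src, strict=False))
                and (self.dport is None or p.dport == self.dport)
                and (self.states is None or p.state in self.states)
                and (self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if))

class Chain:
    def __init__(self, policy: str):      # iptables -P <chain> <policy>
        self.policy, self.rules = policy, []
    def append(self, rule): self.rules.append(rule)                 # -A: rule goes last
    def insert(self, pos, rule): self.rules.insert(pos - 1, rule)   # -I <pos>: 1-based
    def delete(self, pos): del self.rules[pos - 1]                  # -D <pos>
    def verdict(self, p: Packet) -> str:
        for rule in self.rules:           # checked in order: the first match decides
            if rule.matches(p):
                return rule.target
        return self.policy                # nothing matched: the chain's default policy

def laptop_input() -> Chain:
    """The filter/INPUT chain shown by 'sudo iptables -L' on the slides."""
    c = Chain("ACCEPT")
    c.append(Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}))
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}))
    c.append(Rule("REJECT"))
    return c

def ping_example():   # -A lands after 'ACCEPT icmp'; -I INPUT 1 lands before it
    c, echo = laptop_input(), Packet("icmp", "127.0.0.1")
    drop_lo_icmp = Rule("DROP", proto="icmp", src="127.0.0.1")
    c.append(drop_lo_icmp)                # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    after_append = c.verdict(echo)        # ACCEPT: rule 2 matched first, the DROP never runs
    c.insert(1, drop_lo_icmp)             # iptables -I INPUT 1 -s 127.0.0.1 -p icmp -j DROP
    after_insert = c.verdict(echo)        # DROP
    c.delete(1)                           # iptables -D INPUT 1
    return after_append, after_insert, c.verdict(echo)

def gateway_forward():   # the two FORWARD rules of the 'share WiFi' slide
    # Policy DROP is assumed; with the slides' default ACCEPT policy both rules change nothing.
    c = Chain("DROP")
    c.append(Rule("ACCEPT", in_if="wlan0", out_if="eth0", states={"RELATED", "ESTABLISHED"}))
    c.append(Rule("ACCEPT", in_if="eth0", out_if="wlan0"))
    outbound = Packet("tcp", "192.168.1.15", dport=443, in_if="eth0", out_if="wlan0")
    reply = Packet("tcp", "203.0.113.9", dport=40000, state="ESTABLISHED", in_if="wlan0", out_if="eth0")
    unsolicited = Packet("tcp", "203.0.113.9", dport=22, in_if="wlan0", out_if="eth0")
    return tuple(c.verdict(p) for p in (outbound, reply, unsolicited))
```

With the ACCEPT policy the slides actually ran under, gateway_forward's third packet would be forwarded as well, which is why a DROP policy on FORWARD is the setting that makes the two rules meaningful.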
On a host within the private LAN:
Set the default gateway. Use the same DNS server that the gateway uses (Linux: DNS servers are stored in /etc/resolv.conf).
Troubleshooting: simplest case first, ping. Use wireshark to examine the related packets.