TCP/IP Sections: 13.7, 13.8, 13.11, 13.12 13.7 Adding A Machine to a Network 13.8 Distribution-Specific Network Configuration 13.11 Security Issues 13.12 Linux NAT (IP MASQUERADING)

Upload: yamka

Post on 16-Jan-2016


Page 1: TCP/IP Sections: 13.7, 13.8, 13.11, 13.12

13.7 Adding A Machine to a Network

13.8 Distribution-Specific Network Configuration

13.11 Security Issues

13.12 Linux NAT (IP MASQUERADING)

Page 2: Adding a machine to a network

The basic steps to add a new machine to a local network are:

1. Assign a unique IP address and hostname.
2. Set up the new host to configure its network interfaces at boot time.
3. Set up a default route.
4. Point to a DNS name server, to allow access to the rest of the Internet.
5. Reboot the system each time you make changes that might affect booting, to make sure that the machine comes up correctly.

Page 3: Adding a machine to a network (cont.)

Each distribution has established its own configuration files for automating network configuration at boot time, as summarized in the following table:

System   File                                          What's set there
Red Hat  /etc/sysconfig/network                        Hostname, default route
         /etc/sysconfig/network-scripts/ifcfg-ifname   IP address, netmask, broadcast address
SuSE     /etc/rc.config                                Hostname, IP address, netmask, and more
         /etc/route.conf                               Default route
Debian   /etc/hostname                                 Hostname
         /etc/network/interfaces                       IP address, netmask, default route

Page 4: Assigning hostnames and IP addresses

The mapping from hostnames to IP addresses can be maintained through:

• the hosts file (/etc/hosts)
• NIS (Network Information Service)
• DNS (Domain Name Service)
• some combination of the above sources

Page 5: Renumbering issue

Renumbering = assigning new IP addresses. Using hostnames in the configuration files, and having the hostname-to-IP-address translation done through DNS, helps overcome the problem of changing IP addresses.

However, using IP addresses in configuration files reduces dependencies during bootup, when not all services are available yet.

Page 6: /etc/hosts example

127.0.0.1       localhost
192.108.21.48   lollipop.xor.com lollipop loghost
192.108.21.254  chimchim-gw.xor.com chimchim-gw
192.108.21.1    ns.xor.com ns
192.225.33.5    licenses.xor.com license-server

Because the hosts file contains local mappings only, most systems use it for mappings that are needed at boot time.

It can also be used for mappings that you don't want others to know about.

The minimal data are the mappings for the loopback address and the host itself.

Page 7: /etc/hosts (cont.)

Some sites put all their really important hosts, servers and gateways in it. By default, the distributions include:

• Debian: only localhost
• Red Hat: localhost and the machine itself
• SuSE: localhost, the machine itself, and a few special IPv6 names

The hostname command assigns a hostname to a machine. It is typically run at boot time from one of the startup scripts, which obtains the name to be assigned from a configuration file.

Page 8: ifconfig: configure network interfaces

• Enables/disables a network interface
• Sets the IP address and subnet mask
• Sets various other parameters

Syntax: ifconfig interface address options

• interface: identifies the hardware interface to which the command applies
• address: the IP address of the interface; many versions of ifconfig accept a hostname for this parameter

Page 9: ifconfig examples

ifconfig eth0 128.138.240.1 netmask 255.255.255.0 up
ifconfig interface
ifconfig -a
netstat -i

Options:

• up: turns the interface on (default)
• down: turns the interface off
• netmask: sets the subnet mask for the network; used if subnetting is in use. The network part is set to ones, the host part to zeros.
• broadcast: the IP broadcast address for the interface, expressed in either hex or dotted-quad notation. On most systems the broadcast address is found by setting the host part to all 1s; most systems use the netmask and IP address to calculate the broadcast address.

Page 10: ifconfig examples (cont.)

redhat% /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:02:b3:19:C8:86
          inet addr:192.168.1.13  Bcast:192.168.1.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:206983 errors:0 dropped:0 overruns:0 frame:0
          TX packets:218292 errors:0 dropped:0 overruns:0 frame:0
          collisions:0 txqueuelen:100
          Interrupt:7 Base address:0xef00

ifconfig eth0 128.138.243.151 netmask 255.255.255.192 broadcast 128.138.243.191 up

Page 11: mii-tool: configure autonegotiation and other media-specific options

Autonegotiation mode: both the card and its upstream connection (usually a switch port) try to guess what the other wants to use.

Problem: high packet loss.

It is better to lock the interface speed and duplex both on servers and on the switch ports they are connected to.

mii-tool sets media-specific parameters such as link speed and duplex:

mii-tool --force=100BaseTx-FD eth0

Page 12: route: configure static routes

If a packet is destined for some host on a directly connected network, the "next-hop gateway" address in the routing table will be one of the local host's own interfaces.

If no route matches the destination address, the default route is used if one exists; otherwise an ICMP "network unreachable" or "host unreachable" error results.

route [op] [type] destination gw gateway [metric] [dev interface]

op:
• add: add a route
• del: remove a route

Page 13: route (cont.)

• destination: a host address (type -host) or a network address (type -net)
• gateway: the machine to which packets should be forwarded; it must be on a directly connected network
• dev: optional and can be omitted
• metric: the number of forwardings (the hop count) required to reach the destination
• type: optional "-net" or "-host". If not specified, route checks the host part of the address (is it all zeros?); it may also check /etc/networks.

Page 14: route examples

route -f or route -flush: completely flushes the routing tables and starts over.
netstat -nr: inspect existing routes.
netstat -r: see names instead of numbers.

redhat% netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG      0 0        0 eth0

Page 15: route examples (cont.)

redhat% netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     *               255.255.255.0   U       0 0        0 eth0
127.0.0.0       *               255.0.0.0       U       0 0        0 lo
0.0.0.0         Sprint-gw       0.0.0.0         UG      0 0        0 eth0

• Genmask: the netmask associated with the destination
• Flags: status of the route, how it was learned, and other parameters
• Iface: the interface through which packets using the route are sent

Page 16: Default routes

All packets whose destination network is not found in the kernel's routing table are sent to the default route.

route add default gw gateway-ip-address

How to set the default route at boot time:

System   File to change            Variable to change
Red Hat  /etc/sysconfig/network    GATEWAY
SuSE     /etc/route.conf           add the line: default IP-addr mask interface
Debian   /etc/network/interfaces   gateway

Page 17: Configuring DNS

To configure a machine as a DNS client, modify /etc/resolv.conf:

• this file lists the domains that should be searched to resolve names that are incomplete (not fully qualified)
• it lists the IP addresses of the name servers to contact for name lookups

Some systems also require modification of the "service switch" file.

Page 18: Modify /etc/resolv.conf

search cs.colorado.edu colorado.edu
nameserver 128.138.242.1
nameserver 128.138.234.151
nameserver 192.108.21.1

"domain" is sometimes used instead of "search" in ancient resolv.conf files.

"search" is preferred, but Red Hat defaults to a resolv.conf file that uses domain instead of search.

Page 19: Service switch

Some systems have a "service switch" file that determines which mechanism will be used to resolve hostname-to-IP-address mappings. See page 498 for prioritization.

It allows specification of the order in which DNS, NIS, and /etc/hosts should be consulted.

Page 20: Service switch files by system

System           Switch file          Default for hostname lookups
Red Hat          /etc/nsswitch.conf   files nisplus nis dns
                 /etc/host.conf       hosts, bind
SuSE and Debian  /etc/nsswitch.conf   files dns
                 /etc/host.conf       hosts, bind

Page 21: The Linux networking stack

Includes support for virtual network interfaces, selective acknowledgments, and a new IP feature, Explicit Congestion Notification (ECN).

ECN marks TCP packets to notify the sender of congestion. It is a good thing for both bulk transfers of data and transactional data such as web requests and responses.

Page 22: Distribution-Specific Network Configuration

linuxconf: a module-based utility that provides a simple interface for managing a number of system administration tasks, including most network-related configuration. It has three interfaces: text-based, web, and X Windows.

For a change to a configuration file to take effect, reboot or bring the network interface down and up:

• Red Hat and Debian: ifup and ifdown
• SuSE: reboot the machine

Page 23: Network configuration for Red Hat

File                                          What's set there
/etc/sysconfig/network                        Hostname, default route
/etc/sysconfig/static-routes                  Static routes
/etc/sysconfig/network-scripts/ifcfg-ifname   IP address, netmask, broadcast address per interface

Page 24: /etc/sysconfig/network example

NETWORKING=yes

HOSTNAME=redhat.toadranch.com

DOMAINNAME=toadranch.com ###OPTIONAL

GATEWAY=192.168.1.254

Page 25: /etc/sysconfig/network-scripts/ifcfg-ifname examples

ifcfg-eth0 file:

DEVICE=eth0
IPADDR=192.168.1.13
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes

ifcfg-lo file:

DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback

Page 26: Network configuration for Red Hat (cont.)

ifup ifname: brings an interface up
ifdown ifname: brings an interface down

/etc/rc.d/init.d/network:
• script that accepts the arguments start, stop, restart, and status
• manages all the interfaces at once
• invoked at boot time

Any routes added to the file /etc/sysconfig/static-routes are entered into the routing table at boot time. Each line provides the arguments to route add:

eth0 net 130.255.204.48 netmask 255.255.255.248 gw 130.255.204.49
eth1 net 192.38.8.0 netmask 255.255.255.224 gw 192.38.8.9

Page 27: Network configuration for SuSE

/sbin/SuSEconfig: a tool that uses scripts in /sbin/conf.d and /etc/rc.config.d to do the configuration.

/etc/rc.config contains all network-related parameters except routing information and DNS information. Example:

START_LOOPBACK="yes"
NETCONFIG="_0"
IPADDR_0="192.168.1.101"
NETDEV_0="eth0"
IFCONFIG_0="192.168.1.101 broadcast 192.168.1.255 netmask 255.255.255.0"
FQHOSTNAME="inura.toadranch.com"
DISABLE_ECN="yes"

File             What's set there
/etc/rc.config   Hostname, IP address, netmask, and more
/etc/route.conf  Default route, static routes

Page 28: Dynamic routing in SuSE

Dynamic routing is also configured in rc.config. Example:

START_ROUTED="no"   ### RIP (Routing Information Protocol) version 1 daemon
START_ZEBRA="no"    ### zebra routing manager
START_BGPD="no"     ### BGP (Border Gateway Protocol) daemon
START_RIPING="no"   ### RIP version 2 daemon
START_OSPFD="no"    ### OSPF (Open Shortest Path First) daemon
START_MRTD="no"     ### multithreaded routing daemon

Page 29: Network configuration for Debian

Example /etc/network/interfaces file:

iface lo inet loopback

iface eth0 inet static
    address 192.168.1.102
    netmask 255.255.255.0
    gateway 192.168.1.254

File                      What's set there
/etc/hostname             Hostname (should be fully qualified)
/etc/network/interfaces   IP address, netmask, default route
/etc/network/options      Low-level network options (IP forwarding, etc.)

Page 30: Network configuration for Debian (cont.)

The interfaces file is read by ifup and ifdown, which bring the interfaces up and down respectively.

• The inet keyword in the iface line is the address family; this will always be inet.
• static specifies static configuration; the address and netmask lines are then required.
• gateway specifies the address of the default gateway and is used to install the default route.

The options file allows some network variables to be set at boot time.

Page 31: Network configuration with a GUI

Red Hat includes a tool called neat (Network Administration Tool) that can perform Ethernet, modem, ISDN, xDSL, and wireless configuration.

To run it:
• select Main menu > Programs > System > Network configuration, or
• type neat in a shell

Page 32: Security issues (IP forwarding)

IP forwarding lets the Linux box act as a router. Turn this feature off unless you have multiple network interfaces and intend to use the Linux box as a router.

Hosts with this feature enabled can compromise security by making external packets appear to have come from inside the local network, which lets naughty packets evade network scanners and packet filters.

Page 33: Security issues (ICMP redirects)

ICMP redirects can be used maliciously to reroute traffic and mess with the routing table. Most operating systems listen to them and follow their instructions.

It is recommended to configure routers, and hosts acting as routers, to ignore and perhaps log ICMP redirects.

Page 34: Security issues (source routing)

The IP source routing mechanism lets the sender specify the series of gateways a packet is to transit on the way to its destination.

It can create security problems because packets are often filtered according to their origin. If someone can cleverly route a packet to make it appear to have originated from your network instead of the Internet, it might slip through your firewall.

It is recommended to neither accept nor forward source-routed packets.

Page 35: Security issues (broadcast pings)

Broadcast pings and other forms of directed broadcast: ping packets addressed to a network's broadcast address (instead of to a particular host address).

• Can be used in denial of service attacks.
• Most hosts have a way to disable broadcast pings.
• The router can also be configured to filter out broadcast pings.

Page 36: Security issues (IP spoofing)

If the software creating a packet uses a raw socket, it can fill in any source address it likes. The machine identified by the spoofed source address (if it is a real address) is often the victim in this scheme: error and return packets can disrupt or flood the victim's network connections.

IP spoofing should be denied at the border router by blocking outgoing packets whose source address is not within your address space. If a network uses private address space, addresses escaping to the Internet can be filtered and caught, since private addresses are not routable.

Page 37: Security issues (IP spoofing, cont.)

Linux-based firewalls provide a way to implement this filtering; however, most sites prefer to implement this type of filtering at their border routers.

Also protect against a hacker forging the source address on external packets to fool the firewall into thinking that they originated on your internal network. The rp_filter kernel parameter (settable in the /proc/sys/net/ipv4/conf/ifname directory) can help detect these packets: set rp_filter (reverse path) to 1.

If the site has multiple connections to the Internet, rp_filter has to be set to 0 when the inbound and outbound routes are different (and it is often preferred that they be different).
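The reverse-path check that rp_filter=1 performs, together with the border-router egress rule from the previous slide, as an added example (not code from the slides or the book). It uses a constructed two-interface routing table written in the columns netstat -nr prints, does the kernel's longest-prefix lookup, and accepts a packet only if its source is reachable through the interface it arrived on; the ppp1 case in the test shows why rp_filter has to be 0 when inbound and outbound routes differ.

```python
import ipaddress

# Constructed routing table for a gateway with an internal LAN on eth0 and
# one Internet uplink on ppp0, in the columns netstat -nr prints:
# (destination, genmask, gateway, iface). Sample data, not from the slides.
ROUTES = [
    ("192.168.1.0", "255.255.255.0", "0.0.0.0",  "eth0"),
    ("127.0.0.0",   "255.0.0.0",     "0.0.0.0",  "lo"),
    ("0.0.0.0",     "0.0.0.0",       "10.0.0.1", "ppp0"),   # default route
]

# The site's own address space, used for the egress rule.
OUR_SPACE = ["192.168.1.0/24"]


def lookup_route(routes, dst):
    """Longest-prefix match, as the kernel does it: return the iface of the
    most specific route covering dst (the default route has prefix length 0),
    or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, _gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def rp_filter(routes, src, in_iface):
    """Reverse-path check (rp_filter=1): accept a packet only if a reply to
    its source address would leave through the interface it arrived on.
    A packet from 192.168.1.x arriving on the uplink therefore fails, and so
    does a legitimate packet that arrives on a second uplink (ppp1) while the
    routing table sends replies out ppp0: that is the asymmetric case in
    which the slides say rp_filter must be 0."""
    return lookup_route(routes, src) == in_iface


def egress_ok(src, address_space=OUR_SPACE):
    """Border-router egress rule: an outgoing packet whose source address is
    not within our own address space is spoofed and must be blocked."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in address_space)


if __name__ == "__main__":
    for src, iface in [("192.168.1.77", "ppp0"), ("128.138.243.5", "ppp0"),
                       ("10.9.8.7", "eth0"), ("128.138.243.5", "ppp1")]:
        verdict = "accept" if rp_filter(ROUTES, src, iface) else "drop"
        print(f"{src:>15} on {iface}: rp_filter -> {verdict}")
```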

Page 38: Security issues (host-based firewalls)

Host-based firewalls: packet filtering (aka "firewall") software.

Linux security is weak and NT's security is worse.

It is recommended to buy a dedicated hardware solution to use as a firewall.

Go to page 676 to read more about firewall-related issues.

Page 39: Security issues (virtual private networks)

Virtual private networks (VPNs): private networks that include a series of secure, encrypted "tunnels". These tunnels allow using the Internet as if it were a private data line, and are used to connect several parts of the world as if they were within one big private network.

Some VPNs use the IPsec protocol (standardized by the IETF in 1998); others use proprietary solutions. Examples: Cisco's 3660 router and the WatchGuard Firebox provide VPN support; they provide tunneling and encryption.

Page 40: Security issues (security-related kernel variables)

Feature           Host     Gateway   Control file (in /proc/sys/net)
IP forwarding     off      on        ipv4/ip_forward for the whole system
                                     ipv4/conf/interface/forwarding per interface
ICMP redirects    obeys    ignores   ipv4/conf/interface/accept_redirects
Source routing    ignores  obeys     ipv4/conf/interface/accept_source_route
Broadcast ping    answers  answers   ipv4/icmp_echo_ignore_broadcasts

Page 41: Security issues (changing the kernel variables)

Red Hat:
• Add values to /etc/sysctl.conf, which is read by the sysctl command at boot time.
• The format of sysctl.conf is variable=value, e.g. net.ipv4.ip_forward=0 (turn off IP forwarding).

SuSE:
• sysctl doesn't run during the boot process.
• Edit rc.config (in /etc/init.d/boot) or add a call to the sysctl command somewhere in the startup sequence.

Debian:
• Provides a sample sysctl.conf file and also calls sysctl during startup.
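An audit of the kernel variables from the table on the previous slides against the role a box plays, as an added example (not code from the slides or the book). It reads the live values under /proc/sys/net/ipv4, or any directory passed in, so the constructed tree below stands in for a real machine, and reports every variable that deviates from the recommendations in the security slides: forwarding off on hosts and on on gateways, ICMP redirects ignored on gateways, source routing refused, broadcast pings ignored, and rp_filter on. The file names are the real sysctl names; the sample tree contents are made up.

```python
import os
import tempfile

# Values a host and a gateway should have, relative to /proc/sys/net/ipv4.
# "*" expands to every interface directory under conf/ (all, default, eth0...).
COMMON = {
    "conf/*/accept_source_route": "0",   # refuse source-routed packets
    "icmp_echo_ignore_broadcasts": "1",  # don't answer broadcast pings
    "conf/*/rp_filter": "1",             # reverse-path check on
}
EXPECTED = {
    "host":    {"ip_forward": "0", "conf/*/forwarding": "0",
                "conf/*/accept_redirects": "1", **COMMON},
    "gateway": {"ip_forward": "1", "conf/*/forwarding": "1",
                "conf/*/accept_redirects": "0", **COMMON},
}


def audit(role, base="/proc/sys/net/ipv4"):
    """Return (relative path, actual, expected) for each variable under base
    that differs from EXPECTED[role]. Variables missing on this kernel are skipped."""
    findings = []
    for key, want in EXPECTED[role].items():
        if "*" in key:
            prefix, suffix = key.split("*")
            conf_dir = os.path.join(base, prefix.strip("/"))
            ifaces = sorted(os.listdir(conf_dir)) if os.path.isdir(conf_dir) else []
            paths = [os.path.join(conf_dir, i, suffix.strip("/")) for i in ifaces]
        else:
            paths = [os.path.join(base, key)]
        for path in paths:
            try:
                with open(path) as fh:
                    got = fh.read().strip()
            except OSError:
                continue   # nothing to compare
            if got != want:
                findings.append((os.path.relpath(path, base), got, want))
    return findings


# Constructed tree standing in for /proc/sys/net/ipv4 on a two-interface box
# that forwards, accepts redirects on both interfaces and has a loose ppp0.
SAMPLE = {
    "ip_forward": "1", "icmp_echo_ignore_broadcasts": "0",
    "conf/eth0/forwarding": "1", "conf/eth0/accept_redirects": "1",
    "conf/eth0/accept_source_route": "0", "conf/eth0/rp_filter": "1",
    "conf/ppp0/forwarding": "1", "conf/ppp0/accept_redirects": "1",
    "conf/ppp0/accept_source_route": "1", "conf/ppp0/rp_filter": "0",
}


def audit_sample(role):
    """Write SAMPLE into a temporary directory and audit it for the given role."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, val in SAMPLE.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(val + "\n")
        return audit(role, tmp)


if __name__ == "__main__":
    for finding in audit_sample("gateway"):
        print("%-32s is %s, should be %s" % finding)
```

Run it as root with audit("host") or audit("gateway") on a real machine to check the live /proc tree; each finding maps directly to a variable=value line for /etc/sysctl.conf.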

Page 42: Linux NAT (IP masquerading)

Linux provides a limited form of NAT (Network Address Translation) that is more properly called PAT (Port Address Translation) or "IP masquerading".

The predominant Linux software (up to the writing of this book) for setting up NAT is called ipchains. However, a new improved package called iptables uses the "netfilter" feature of the Linux 2.4 kernel and is in the current release of Red Hat.

For IP masquerading to work:
• enable IP forwarding
• build the kernel with CONFIG_IP_MASQUERADING defined
• it is helpful to set the kernel variable ip_masq_debug

Page 43: IP masquerading examples

To disguise the private address space used on the internal network 192.168.1.0/24, you could use the following command:

ipchains -A forward -i ppp0 -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQ

To map packets from the 192.168.1.0/24 network to a range of 10 addresses (128.138.198.1 through 128.138.198.10) in the routable network 128.138.198.0:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source 128.138.198.1-128.138.198.10