Sunday 19 May 2013

Linux Networking


Linux is a networking operating system. Even so, networking problems are not uncommon: PPP dialup can be
hard to set up, and local network IP addressing can be hard to understand. We try to solve the most
common problems here, with tips on how to make your networking and Internet experience a good one.

Tip 1: Easy PPP dialup



By default, most Linux distributions come with text-based configuration files and console menu-based
configuration programs for PPP dialup. For many new users this simply isn't friendly enough.

Several GUI programs exist to configure your PPP dialup. One is X-isp, available from
http://users.hol.gr/~dbouras/. You may still need to edit the pap-secrets file in /etc/ppp.
Another is the Gnome PPP dialer. It comes with Gnome and can be used without editing any text file. Be sure
to put a "*" in the "Remote address" field if that address should be assigned dynamically by the provider.
Here is a quick guide to setting up the Gnome PPP program. First make sure the pppd program is setuid root
(it needs root to configure the interface and the routes; remember that this makes any flaw in pppd a local
privilege-escalation path, so keep it updated). Then enter your user name, your password and "*" in the
remote IP field. Enter the DNS server, and set your IP address or set it to dynamic. This should work for
most Internet providers. Check the PPP-HOWTO for a complete overview of the PPP programs.
(The original article showed a screenshot of the Gnome PPP interface here.)


Tip 2: Internet for your LAN



Many companies have local networks, and they are becoming popular in homes too, where 2 or 3 systems
are linked together with Ethernet cables. Most providers offer only 1 IP address per connection, which means
that you can't put all of the systems on the Internet at the same time unless you use a special gateway.
Linux comes with something called IP-Masquerade. With it, you assign the LAN systems private addresses
(addresses that can't be routed on the Internet directly) and use the Linux system as a gateway. All you
need is a Linux system with 2 Ethernet cards and an Internet connection. The Linux system has IP-Masquerade
enabled, and the LAN systems reach the Internet through it: the gateway rewrites their packets to carry its
own address and translates the replies back, so from the outside the whole LAN looks like the one gateway
address. This is network address translation rather than a proxy: the LAN hosts talk to remote servers
directly, and hosts on the Internet cannot open connections to LAN systems unless the gateway is told to
forward them.
You can find more on the subject by reading the IP-Masq HOWTO and other networking documentation at
http://metalab.unc.edu/pub/Linux/docs. You also need to make sure your Internet provider allows this kind
of network on their connection.
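The translation the gateway performs, as an added example written for this page (not code from the original article or from the IP-Masq HOWTO): a toy model of many-to-one NAT. The addresses are constructed, a 192.168.1.0/24 LAN behind a gateway whose outside address is 203.0.113.5, and the real kernel additionally tracks connection state and expires idle mappings, which this model omits.

```python
# Added example: a toy model of IP masquerading (many-to-one NAT), the
# mechanism the tip describes. Addresses are constructed: a 192.168.1.0/24
# LAN behind a gateway whose outside address is 203.0.113.5.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Rewrites outbound LAN packets to carry the gateway's public address
    and a port of its own, remembers the mapping, and translates replies
    back. Anything arriving from outside with no mapping is dropped."""

    def __init__(self, public_ip, first_port=61000, last_port=65095):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.by_public_port = {}   # public port -> (lan ip, lan port, remote ip, remote port)
        self.by_flow = {}          # that same tuple -> public port

    def outbound(self, pkt):
        """LAN -> Internet: replace the private source with the public one."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port range exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_public_port[port] = flow
            self.by_flow[flow] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> gateway: return the packet rewritten for the LAN host
        that owns the flow, or None if it should be dropped."""
        flow = self.by_public_port.get(pkt.dst_port)
        if flow is None:
            return None                                # unsolicited: no LAN host asked for this
        lan_ip, lan_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                                # wrong peer for this mapping
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


if __name__ == "__main__":
    gw = Masquerader("203.0.113.5")
    out = gw.outbound(Packet("192.168.1.2", 40000, "198.51.100.9", 80))
    print("outbound rewritten to", out)
    print("reply rewritten to  ", gw.inbound(Packet("198.51.100.9", 80, "203.0.113.5", 61000)))
    print("unsolicited inbound ", gw.inbound(Packet("198.51.100.77", 4444, "203.0.113.5", 61001)))
```

The point to take from the model is the security property the tip only hints at: LAN hosts are unreachable from the Internet because no mapping exists until one of them opens a connection, while the gateway's own services remain exposed and still need a firewall. On a current kernel the same function is provided by netfilter's MASQUERADE target with IP forwarding enabled.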


Tip 3: Domains to search in



When you try to access a Web site, or any remote site, you need to specify the full hostname, that is, the
machine name plus the domain name:
lynx my.yahoo.com
If there are a few domains you access a lot, you can make your life easier: edit /etc/resolv.conf and add
them on a search line:
search domain.net yahoo.com
The resolver will then try those domains for short hostnames, so from now on you can type:
lynx my
A name with no dot in it (fewer dots than the resolver's ndots setting, which defaults to 1) is tried with
each search domain appended first, "my.domain.net" and then "my.yahoo.com", and only as plain "my" if none
of those exist. Note that this also means a host called "my" in domain.net silently shadows my.yahoo.com,
and that every short name you type is sent to the name servers of every listed domain; keep the list short
and limited to domains you trust.
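The expansion rules above, as an added example (not code from the original article): a small simulation of the glibc resolver's search behaviour as documented in resolv.conf(5). The resolv.conf text and the host names are constructed for illustration.

```python
# Added example: a model of how the glibc stub resolver expands a short name
# using the "search" list in /etc/resolv.conf. The configuration text and
# names below are constructed for illustration, not taken from a real host.

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf contents.

    "domain" and "search" are mutually exclusive; the last one seen wins,
    as in the real resolver. ndots defaults to 1.
    """
    search, ndots = [], 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("domain", "search"):
            search = args
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def search_candidates(name, search, ndots=1):
    """Return the names the resolver will try, in order.

    * A name ending in "." is absolute and is tried as-is only.
    * A name with at least `ndots` dots is tried as-is first, then with
      each search suffix appended.
    * A name with fewer dots is tried with the suffixes first and
      as-is last (so "my" becomes my.domain.net before plain "my").
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real configuration
nameserver 192.168.0.1
search domain.net yahoo.com
"""

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for name in ("my", "my.yahoo.com", "www.example.org."):
        print(f"{name:18} -> {search_candidates(name, search, ndots)}")
```

Running it shows why a search list is a trust decision: even the fully qualified my.yahoo.com is retried under domain.net and yahoo.com if the first lookup fails, and only a trailing dot makes a name immune to the list.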


Tip 4: Display IP rather than hostname



When dealing with networking issues, it often helps to work with IP addresses only, rather than
hostnames, for 2 reasons. First, the name server might not be reachable while routing is being changed, so
every lookup times out. Second, and most important, you may not want to wait for all the reverse lookups
to complete. Reverse lookups are also under the control of whoever owns the address block, so the address
is the only thing you can trust.
Fortunately, many networking utilities in Linux share a common option flag, -n, which makes the utility
display IP addresses rather than hostnames. Here are a few examples:
netstat -an
traceroute -n 1.2.3.4
arp -a -n -i eth0
These commands were all given the -n flag and will display only IP addresses.


Tip 5: Is my modem a winmodem?



Winmodems are modems that lack some of the hardware of a real modem; the driver does the missing work
in software, on the main CPU. Unfortunately the drivers provided by winmodem manufacturers are Windows
only.
There is no sure way to know whether a modem will work in Linux except by trying it yourself, or by asking
someone else who has tried it. Fortunately, there is a Web site with a very long list of modems known to
work in Linux, and of those that are winmodems:
http://www.o2.net/~gromitkc/winmodem.html.


Tip 6: Sharing files from a Windows system



The protocol used to share files with Windows systems is called SMB. Linux natively supports many file
systems and network protocols, and SMB is one of them. To mount a Windows file system and share files, that
system needs to have file sharing enabled, and you need SMB file system support in your kernel.
To go the other way and share your own directories with Windows machines, you need a program called Samba,
which turns the Linux system into an SMB server. General information about connecting Linux, Windows
machines and Macs is on the Web at http://www.eats.com/linux_mac_win.html.
If SMB is not a possibility, you could use FTP. Many Linux distributions come with an FTP server (often
enabled by default on older ones), and free FTP servers are available for Windows. Keep in mind that FTP,
like telnet (see Tip 11), sends passwords in clear text.


Tip 7: Sorry but this host is not in my list



Mail clients require you to specify a server for incoming mail, but they also need a server for outgoing
mail. If you have sendmail or Qmail running, you can use localhost. If not, you may use your provider's mail
server.
If you set up your own mail server, you may have problems sending mail from the other systems on your
network. Mail servers refuse to relay for clients they don't know, otherwise they would be open relays that
anyone on the Internet could use to send spam, so you need to tell the server which hosts you will be
sending mail from. Here is how to do it in Qmail under tcp_wrappers, from the Qmail FAQ. Put a line like the
following in /etc/hosts.allow, where ip1, ip2 and ip3 are the addresses of your own hosts (a trailing-dot
prefix such as 192.168.1. matches a whole network):
tcp-env: ip1, ip2, ip3 : setenv = RELAYCLIENT
Only list hosts you control; using ALL here turns your server into an open relay.
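To check what such a rule actually permits, here is an added example (not from the original article or the Qmail FAQ) that evaluates hosts_access(5) client patterns the way tcp_wrappers does for the numeric forms, and reports whether a given client would get RELAYCLIENT set. The hosts.allow text and the addresses are constructed; host-name patterns, EXCEPT and @netgroup are assumptions left out of the model.

```python
# Added example: evaluates hosts_access(5) rules of the kind the Qmail FAQ
# uses for RELAYCLIENT, to check which clients a server would relay for.
# The hosts.allow text and addresses below are constructed for illustration.
import ipaddress
import re


def client_matches(pattern, client_ip):
    """True if client_ip matches one hosts_access(5) client pattern.

    Only the numeric forms are modelled:
      ALL                    every client
      1.2.3.4                exact address
      192.168.1.             prefix: every address starting with 192.168.1.
      10.0.0.0/255.0.0.0     network/netmask (or 10.0.0.0/8)
    Host names, EXCEPT and @netgroup are not handled here.
    """
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def parse_hosts_allow(text):
    """Return a list of (daemons, clients, options) tuples, one per rule.
    Lists are separated by commas and/or blanks; fields by colons."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        rules.append((daemons, clients, fields[2:]))
    return rules


def relay_allowed(hosts_allow_text, daemon, client_ip):
    """Does the first matching rule for `daemon` set RELAYCLIENT for this client?

    tcp_wrappers stops at the first rule whose daemon and client lists both
    match; only that rule's options apply.
    """
    for daemons, clients, options in parse_hosts_allow(hosts_allow_text):
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if not any(client_matches(c, client_ip) for c in clients):
            continue
        return any(o.replace(" ", "").startswith("setenv=RELAYCLIENT") for o in options)
    return False


SAMPLE_HOSTS_ALLOW = """\
# constructed sample: relay only for localhost and the 192.168.1.0/24 LAN
tcp-env: 127.0.0.1, 192.168.1. : setenv = RELAYCLIENT
tcp-env: ALL
"""

# The mistake to avoid: this single line makes the server an open relay.
OPEN_RELAY_HOSTS_ALLOW = "tcp-env: ALL : setenv = RELAYCLIENT\n"

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.20", "192.168.10.20", "198.51.100.9"):
        print(ip, "relay:", relay_allowed(SAMPLE_HOSTS_ALLOW, "tcp-env", ip),
              "| with open-relay config:", relay_allowed(OPEN_RELAY_HOSTS_ALLOW, "tcp-env", ip))
```

The trailing-dot prefix is worth a second look in the output: 192.168.1. matches 192.168.1.20 but not 192.168.10.20, which is exactly why the dot must not be forgotten.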


Tip 8: Access to various networks



Big corporations often subdivide their networks into smaller networks, hidden behind gateways. To access
them, you need to tell your Linux system which gateway to use for each network.
The route program makes it easy to add networks, hosts and gateways to your routing table. To add a default
gateway, for example to access the Internet, you set it as default with the following line:
route add default gw 10.0.0.1
This will work if you need to access the Internet via the 10.0.0.1 gateway. Now, if you want to access the
networks 10.1.0.0/16 and 10.2.0.0/16 through other gateways, here is what you want to do:
route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.0.0.10
route add -net 10.2.0.0 netmask 255.255.0.0 gw 10.0.0.20
Always give the netmask explicitly: without it, route falls back to the old class-based mask (255.0.0.0 for
a 10.x.x.x address), which does not fit 10.1.0.0, and it rejects the command. The gateway itself must be
reachable on a directly attached network, which is why that network's route comes first.
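How the kernel chooses between those routes, as an added example (not code from the original article): a longest-prefix-match model of the routing table loaded with the routes from this tip, plus the class-based netmask the old route command assumes when none is given. The addresses are the tip's own; the interface name eth0 is an assumption.

```python
# Added example: a longest-prefix-match model of the kernel routing table,
# fed the routes from the tip above, plus the classful netmask that the old
# `route` command assumes when none is given. Addresses are those used in
# the tip; the interface name eth0 is assumed.
import ipaddress


class RoutingTable:
    """Routes are (network, gateway, interface); lookup picks the most
    specific network containing the destination, as the kernel does."""

    def __init__(self):
        self.routes = []

    def add(self, network, gateway=None, iface="eth0"):
        """Equivalent of `route add -net NET netmask MASK gw GW`; a gateway
        of None means the network is directly attached."""
        self.routes.append((ipaddress.ip_network(network), gateway, iface))

    def lookup(self, destination):
        """Return (gateway, iface) for the best route, or raise LookupError."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            raise LookupError(f"no route to host {destination}")
        return best[1], best[2]


def classful_prefixlen(address):
    """Prefix length old `route` infers from the address class when no
    netmask is given: /8 for class A, /16 for B, /24 for C."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def build_sample_table():
    """The routes from the tip, with explicit /16 masks."""
    table = RoutingTable()
    table.add("10.0.0.0/24")                  # the directly attached LAN
    table.add("0.0.0.0/0", "10.0.0.1")        # route add default gw 10.0.0.1
    table.add("10.1.0.0/16", "10.0.0.10")     # route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.0.0.10
    table.add("10.2.0.0/16", "10.0.0.20")     # route add -net 10.2.0.0 netmask 255.255.0.0 gw 10.0.0.20
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.0.0.55", "10.1.5.5", "10.2.9.9", "198.51.100.1"):
        print(dst, "->", table.lookup(dst))
    # Without "netmask 255.255.0.0", route would treat 10.1.0.0 as class A:
    print("10.1.0.0 without a netmask is taken as /%d" % classful_prefixlen("10.1.0.0"))
```

The iproute2 form of the same two routes is ip route add 10.1.0.0/16 via 10.0.0.10 and ip route add 10.2.0.0/16 via 10.0.0.20; there the prefix length is part of the address, so the class-based guess never happens.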


Tip 9: Accessing remote file systems



SMB is the most popular protocol for reaching Windows systems, but from the Unix world comes NFS. NFS is
a way to share files that predates SMB and Samba, and support for it is compiled into most Linux
distributions. To share files, you must have the nfsd and mountd daemons running, and you list the hosts (or
IP addresses) allowed to mount each directory in /etc/exports, along with their options. Be specific there:
NFS trusts the user and group IDs the client sends, so only export to hosts you control, keep the default
root_squash so that a remote root does not become local root, and export read-only unless writing is really
needed.
To access remote file systems, you simply mount them like local hard drives. To mount /usr/files from 1.2.3.4
onto /mnt/files, type:
mount -t nfs 1.2.3.4:/usr/files /mnt/files
The -t nfs parameter may be omitted, as mount recognises the host:path form.
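A check for the /etc/exports side of this, as an added example (not code from the original article or from nfs-utils): a parser for the exports file and an audit that flags the entries a reviewer would question. The exports text, paths and addresses are constructed for illustration.

```python
# Added example: a parser and audit for /etc/exports, to check that an NFS
# server only exports to the hosts it should. The exports text below is
# constructed for illustration; paths and addresses are not from a real host.
import re

CLIENT_TOKEN = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, [(client, [options...]), ...]), ...].

    Each line is: path client1(opts) client2(opts) ...
    A client with no options gets the defaults; "(opts)" with no client, or
    no client at all, means the path is exported to every host ("*").
    """
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        entries = []
        for tok in tokens:
            client, opts = CLIENT_TOKEN.match(tok).groups()
            options = [o for o in (opts or "").split(",") if o]
            entries.append((client or "*", options))
        if not entries:
            entries.append(("*", []))
        exports.append((path, entries))
    return exports


def audit_exports(text):
    """Return (path, client, problem) findings for risky export entries."""
    findings = []
    for path, entries in parse_exports(text):
        for client, options in entries:
            if client == "*":
                findings.append((path, client, "exported to every host"))
            if "no_root_squash" in options:
                findings.append((path, client, "remote root is mapped to local root"))
            if "insecure" in options:
                findings.append((path, client, "accepts requests from unprivileged source ports"))
            if "rw" in options and client == "*":
                findings.append((path, client, "writable by every host"))
    return findings


SAMPLE_EXPORTS = """\
# constructed sample, not a real /etc/exports
/usr/files    1.2.3.4(rw,sync) 10.0.0.0/24(ro)
/home         *(rw,no_root_squash)
/pub          (ro,insecure)
"""

if __name__ == "__main__":
    for path, client, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {client}: {problem}")
```

In the sample only the /usr/files line passes; the /home line is the classic mistake, since any host on the network can mount it and a remote root keeps root on the files.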


Tip 10: Secure Web server



Electronic commerce is becoming very popular on the Internet. Companies will often pay thousands of
dollars for commercial packages to deliver secure content to customers on the Web. You can set up one of the
most popular Web servers, Apache, running on Linux and serving secure content, for free.
To set up Apache to deliver secure content, you need a cryptographic package called OpenSSL, based on the
SSLeay library. The place to start is http://www.apache-ssl.org. From there, you can download the patches
needed to turn Apache into a secure Web server.
Detailed instructions are available in the packages, but here is a quick step-by-step guide:
• First, download 3 packages: Apache itself, the corresponding Apache-SSL patch and OpenSSL.
• Then patch the Apache distribution and compile the SSL library.
• After editing the configuration file in the Apache directory, and setting the right paths and
libraries to use, compile Apache and then create a test certificate.
• All you have to do now is install Apache and configure it to use your test certificate.
Note that while Apache and the SSL library are free, you may need to pay to get certificates signed by a
commercial certificate authority; a self-signed test certificate will make browsers warn your visitors. Also,
due to export laws in various countries, you may want to check your local laws before using any encryption
product.


Tip 11: Secure alternative to telnet



Telnet is a protocol that lets you connect to a remote system and run programs and commands there. It is
very old and still very much in use today.
Unfortunately, a telnet client sends the user password in clear text, and the connection is not encrypted:
anyone on the path can read it. A program called ssh exists that can replace both telnet and ftp in a secure,
encrypted way.
Ssh stands for Secure Shell. It negotiates a fresh random session key for every connection and encrypts
everything with it, so that it is impossible, or at least very hard, for a third party to decrypt the
connection and find the password, or spy on you. Do check the server's host key fingerprint the first time
you connect to a machine; that check is what stops someone from placing themselves between you and the
server.


Tip 12: Speed problems on a PPP connection



pppd is the PPP connection daemon. It talks to the modem at a specified serial-port speed; the default is
38400 bps. If you use a direct serial connection, or a 56K modem, that may not be enough. To use all the
available bandwidth you need to increase that number: for a serial connection, for example, set the speed
to 115200.
Another reason for speed drops is unwanted packets. You may want to filter unwanted packets out of your
network, like some ICMP messages and chat connections.
A last possibility for speed drops is Denial of Service attacks. DoS attacks are unfortunately very real and
occur a lot. Malicious people who can't handle their problems elsewhere turn to the Internet and launch
attacks against networks. An attack against one user often affects many other people: by consuming an
Internet provider's bandwidth to cause trouble for one user, the attacker affects the whole provider.
Firewalls exist to limit such attacks, and tracking tools were invented to deal with abusers. MCI has a tool
called DoSTrack that can be of help if you are the victim of such an attack. For more information about the
various DoS attacks, search the Web.


Tip 13: Names and name servers



Internet hostnames and domains are resolved through the Domain Name System (DNS) using name servers.
These name servers are usually hosted by your Internet provider. You can also host your own name server,
using the program named. A name server that receives a request it can't answer from its own data or its
cache asks other servers: your name server may forward to your ISP's name server, which in turn walks down
the hierarchy from a root server, through the servers for the top-level domain, to the servers that are
authoritative for the domain in question.
Linux knows which name server to ask by looking in /etc/resolv.conf. In that file, a number of name servers
may be specified in the following way:
nameserver 192.168.0.1
nameserver 205.237.65.254
The name server itself, named, has a configuration file which is usually /etc/named.conf. In that file, you
configure the domain names you are responsible for and the zone file to use for each. A nice introduction to
running a name server is available in the various named man pages.
Various utilities are related to resolving hostnames. One is called whois; it queries the registries'
databases (not the name servers) to find out who owns a domain:
whois linux.org
Another utility is nslookup. It lets you resolve hosts and get all kinds of information about a domain. See
the man page for more.


Tip 14: Who owns this port



Several utilities exist to check which ports are open, who is connected to your system and even which
process owns a port number.
First a few ground rules. Ports below 1024 are reserved for well-known services, and only root can bind to
them. Standard port numbers can be found in /etc/services. Port numbers go up to 65535, so you have more
than enough for all your services.
Here are some useful utilities. netstat lists both the open ports and who is connected to your system. Run it
like this:
netstat -an | more
This way you can find out who is connected to which service; with the -p flag (run as root) netstat also
names the process that owns each socket.
Another interesting command is fuser. This program can tell you which user and process owns a port. For
example, the following command will tell you who owns TCP port 6000 (the X server):
fuser -v -n tcp 6000
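What netstat and fuser are reading under the hood, as an added example (not code from the original article or from either tool): a decoder for /proc/net/tcp, a listing of listening sockets that flags the ones reachable from other hosts, and the inode-to-process mapping that fuser performs through the socket:[inode] links in /proc/<pid>/fd. The table lines and the fd table are constructed; the sample assumes a little-endian (x86) host, and the live scan function is included for real use but not exercised by the sample.

```python
# Added example: decodes /proc/net/tcp, the table that netstat and fuser
# read, and maps a socket inode back to the process holding it the way
# fuser does (via the socket:[inode] links in /proc/<pid>/fd). The table
# lines and the fd table below are constructed for illustration.
import os
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """'0100007F:1770' -> ('127.0.0.1', 6000).

    The kernel prints the IPv4 address as one 32-bit word in host byte
    order (so it reads back-to-front on x86) and the port in big-endian hex.
    """
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:        # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def listeners(sockets):
    """(port, bound address, uid, reachable from other hosts) for LISTEN sockets."""
    return [(s["local"][1], s["local"][0], s["uid"], s["local"][0] == "0.0.0.0")
            for s in sockets if s["state"] == "LISTEN"]


def owner_of_inode(inode, fd_links):
    """PIDs whose fd table holds socket:[inode]; fd_links maps pid -> link targets."""
    return sorted(pid for pid, links in fd_links.items() if f"socket:[{inode}]" in links)


def scan_proc_fds():
    """Build fd_links from the live /proc (needs root to see other users' fds)."""
    fd_links = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fd_dir = f"/proc/{pid}/fd"
            fd_links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue                          # process exited, or not ours to read
    return fd_links


# Constructed sample as written by a little-endian (x86) kernel: an X server
# on 127.0.0.1:6000, sshd on 0.0.0.0:22, and one established ssh session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12000 1 0000000000000000 100 0 0 10 0
   2: 0200A8C0:0016 0A00A8C0:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
"""
# Constructed fd table: pid 4242 holds the X socket, pid 999 the sshd sockets.
SAMPLE_FD_LINKS = {4242: ["/dev/null", "socket:[12345]"], 999: ["socket:[12000]", "socket:[23456]"]}

if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for port, addr, uid, exposed in listeners(socks):
        inode = next(s["inode"] for s in socks if s["local"] == (addr, port))
        pids = owner_of_inode(inode, SAMPLE_FD_LINKS)
        print(f"port {port} on {addr} uid {uid} pids {pids} {'EXPOSED' if exposed else 'local only'}")
```

The "exposed" column is the check worth automating: a service bound to 127.0.0.1 (like the X server in the sample) is only reachable locally, while one bound to 0.0.0.0 answers on every interface, which is where a firewall or a bind-address setting is needed. Replace SAMPLE_FD_LINKS with scan_proc_fds() and the sample text with the contents of /proc/net/tcp to run it against a live system.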


Tip 15: Network printers



By tradition in Unix most services come with networking capabilities, and this includes the printing server:
you don't need third-party software to make a print server.
The lpd daemon lets you print to your local printer, and also lets others print on it, if you allow them.
By default the printing software listens on TCP port 515 and accepts jobs from the hosts listed in
/etc/hosts.lpd (and /etc/hosts.equiv). That access control is based only on the client's name or address,
so list only trusted hosts and don't expose the port to the Internet.
For a full overview of the printing service, check the Printing HOWTO on the Web.
