Tuesday, December 16, 2014

Linux Networking

I was asked very often during interviews what my biggest concern was when doing system administration. I always answer honestly: networking. Here I would like to summarize my Linux networking notes in my own way; I hope it helps.

Basic Network Interface Management: NIC Management

  •  /etc/sysconfig/network/ : configuration information for all network devices is stored in text files under this directory.
  •  /etc/init.d/network : this init script uses the information in those files to set up static or dynamic IP addresses.
  •  /etc/sysconfig/network-scripts/ifcfg-ethX : stores the configuration for the Ethernet device ethX.
  •  /usr/share/doc/initscripts-*/sysconfig.txt : lists all the valid options that can be set for a network interface.

Interface Management

  • ifconfig : the most useful tool for diagnosing network problems
    • with no options it displays the current network settings, including IP addresses, adapter MAC addresses, etc.
    • with parameters it changes the network configuration, as in the following example:
      • e.g. : ifconfig eth0 192.168.x.x netmask 255.255.255.0
  • ip : a more capable command, used to manage IP aliases, kernel routing, tunnels and policies.
    • the following examples show ip listing and changing the addresses assigned to interfaces on the system:
      • e.g. : ip addr show
      • e.g. : ip addr add 192.168.1.12/24 dev eth1
      • e.g. : ip addr del 192.168.1.12/24 dev eth1
      • e.g. : ip link show
    • running ip with the route argument manages the current routing table, e.g. replacing the default route:
      • e.g. : ip route del default
      • e.g. : ip route add default via 192.168.1.12
  • tcpdump : packet capture
  • wireshark : packet capture
Adapter Link
  • ethtool : determines (and modifies) the speed and duplex settings your Ethernet interface is operating at, and whether it has a link:
    • Display settings for eth0:
      • ethtool eth0
      • PS: on older hardware, try mii-tool instead
  • route : determines whether there is a default route.
    • Display the routing table, including the default route:
      • route
      • PS : check that the default gateway address is correct; it is what allows the system to reach any other systems outside its local network.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 virbr1
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
16.92.228.0     *               255.255.252.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         16.92.228.1     0.0.0.0         UG    0      0        0 eth1


Kernel Module Problem
  • /etc/modprobe.d : all files under the /etc/modprobe.d directory that end with the .conf extension specify module options as required. Since the modprobe command can add or remove more than one module (modules have dependencies), we need a way of specifying which options are to be used with which modules.
  • /var/lib/dhclient : the DHCP client lease file is named dhclient-$INTERFACE.lease
    • PS: use the ifconfig command to find the MAC addresses assigned to Ethernet adapters; look at the HWaddr label.
  • /etc/resolv.conf : if you find you can ping a numeric IP address but cannot ping its domain-name equivalent, name resolution may be the culprit. Check the contents of the /etc/resolv.conf file for accurate information.
    • PS: the NetworkManager daemon will overwrite changes made directly to /etc/resolv.conf. Instead, at least one of DNS1, DNS2 and DNS3 (in successive order) must be entered into the appropriate network interface configuration script in /etc/sysconfig/network-scripts/ifcfg-ethX.
IP Aliases and Virtual Interfaces

Linux provides support for multiple IP addresses on a single physical interface by using virtual interfaces. Virtual interfaces can be configured with the ip or ifconfig commands.
  • e.g. ethX:Y, where ethX is the physical interface and Y is the virtual interface label.
    • ip addr add 10.100.0.247/24 dev eth0
    • ip -4 addr list eth0 (or ifconfig eth0)
The Xinetd Super Daemon

The extended internet service daemon (xinetd) is a super daemon that manages several network services, including IMAP and POP servers, FTP servers, talk servers and time servers. Xinetd controls services and can apply access control lists (ACLs).

ACLs can be used to determine which hosts can access the services from the network and at what times of day a service is available. Xinetd also leverages TCP Wrappers to provide even more fine-grained control.

Xinetd uses individual configuration files for each service that it controls. If changes are made to a service's configuration file, the xinetd daemon needs to be restarted. A common way of restarting the xinetd daemon is the SysV init script:
  • service xinetd restart
  • /etc/xinetd.conf : the main configuration file for the xinetd daemon. It contains global parameters that affect the behavior of the xinetd daemon.
    • Each service managed by xinetd can be enabled or disabled by editing its corresponding configuration file and modifying the "disable = " directive (disable = yes turns the service off). If the disable directive is missing from the file, the service is enabled.
  • /etc/xinetd.d : service-specific configuration files are stored in this directory (it is specified in the /etc/xinetd.conf file by the "includedir /etc/xinetd.d" line).
  • /var/log/messages (/var/log/secure) : most xinetd problems stem from configuration errors. The xinetd daemon does a good job of logging configuration parsing errors, so examining the /var/log/messages file is a good way to quickly identify most configuration-related errors.
  • netstat, lsof or fuser : display a list of in-use (bound) ports and the processes and services that are using them, e.g. fuser -v 22/tcp:

      [user@server /]$ sudo fuser -v 22/tcp
      [sudo] password for wangjoh:
                           USER        PID ACCESS COMMAND
      22/tcp:              root       3214 F....  sshd
                           root      15542 f....  sshd
                           user      15546 F....  sshd
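As an added example (not from the original post), the following shell snippet renders an xinetd service file that uses the ACL attributes described above (only_from restricts client hosts, access_times restricts the hours) and applies the rule that a service is enabled unless its file says "disable = yes". The service name, server path, network and hours are assumed sample values.

```shell
#!/bin/sh
# Added example, not part of the original notes. Writes an xinetd stanza with
# host and time ACLs, and checks whether a stanza leaves the service enabled.

# xinetd_stanza NAME SERVER_PATH NETWORK HOURS -> prints the stanza on stdout.
# All four arguments are caller-supplied sample values.
xinetd_stanza() {
  cat <<EOF
service $1
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = $2
        only_from       = $3
        access_times    = $4
        log_on_failure  += USERID
}
EOF
}

# xinetd_is_enabled < FILE : exit 0 when the service is enabled, 1 when the
# file carries "disable = yes". A missing disable line means enabled, which is
# why an unreviewed file in /etc/xinetd.d exposes the service.
xinetd_is_enabled() {
  ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes'
}

# Usage (assumed values): write the file, then restart xinetd as noted above.
# xinetd_stanza telnet /usr/sbin/in.telnetd 192.168.1.0/24 08:00-17:00 > /etc/xinetd.d/telnet
# service xinetd restart
```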
TCP Wrappers

TCP Wrappers provides a general security mechanism for limiting access to services based on the remote IP address. It creates a centralized administrative point where access to all services can be managed. It works by "wrapping around" existing applications.

  • /usr/sbin/tcpd or /lib/libwrap.so : binaries
  • /etc/hosts.allow, /etc/hosts.deny : configuration files
  • /var/log/secure, /var/log/messages : logs
  • daemon_list : client_list : rule syntax (hosts.allow is consulted before hosts.deny, and the first matching rule wins)
Netfilter/iptables (firewall)

Netfilter is the standard Linux firewall solution. It has proven to be both robust and flexible. Because it is so capable, it can also be very complicated. When a system has problems providing or connecting to network services, iptables should be one of the first suspects.

The iptables command is used to interact with Netfilter, which is inside the kernel.
  • related packages:
    • iptables
    • iptables-ipv6
  • binaries:
    • /sbin/iptables
    • /sbin/iptables-restore
    • /sbin/iptables-save
    • /sbin/ip6tables
    • /sbin/ip6tables-restore
    • /sbin/ip6tables-save
  • configs:
    • /etc/sysconfig/iptables-config
    • /etc/sysconfig/ip6tables-config
  • logs:
    • /var/log/messages
  • data directory
    • /lib/xtables/
  • Init
    • /etc/init.d/iptables
    • /etc/init.d/ip6tables


iptables enable logging
  • iptables -L : lists the rules Netfilter currently contains.
  • iptables -I INPUT 5 -m limit --limit 6/m -j LOG : inserts a LOG rule at position 5 of the INPUT chain, i.e. just before a suspect entry, limited to 6 log messages per minute.
  • /proc/net/ip_tables_names : a list of all tables that have been activated on the system.
    • PS: the default Netfilter table is "filter".
  • To disable Netfilter, use iptables to flush all the rules and ensure that policy allows traffic. Use the -F option to flush each table and then use the -P option to make sure each chain has a default policy of accept. It's also a good idea to remove any user-defined chains that may exist with the -X option, though this is not strictly necessary in order to disable Netfilter:
    • iptables -F : Flush each table
    • iptables -t nat -F
    • iptables -t mangle -F
    • iptables -X
    • iptables -t nat -X : -X --delete-chain
    • iptables -t mangle -X
    • iptables -P INPUT ACCEPT : -P --change policy on chain to target
    • iptables -P FORWARD ACCEPT
    • iptables -P OUTPUT ACCEPT
    • iptables -t nat -P PREROUTING ACCEPT : -t --table, table to manipulate (default: 'filter')
    • iptables -t nat -P OUTPUT ACCEPT
    • iptables -t nat -P POSTROUTING ACCEPT
    • iptables -t mangle -P PREROUTING ACCEPT
    • iptables -t mangle -P INPUT ACCEPT
    • iptables -t mangle -P FORWARD ACCEPT
    • iptables -t mangle -P OUTPUT ACCEPT
    • iptables -t mangle -P POSTROUTING ACCEPT
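The procedure above leaves the host with no packet filtering, so it is worth snapshotting the live ruleset first. The following script is an added example, not from the original post: it runs iptables-save before flushing each table and setting ACCEPT policies, so the previous rules can be put back with iptables-restore. The backup path under /root and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes. Disables Netfilter the way
# the list above does, after saving the current rules for iptables-restore.
# DRY_RUN=1 (an assumed switch) prints the commands instead of running them.
set -e

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# chains_for TABLE : prints the built-in chains of that table
chains_for() {
  case "$1" in
    filter) echo "INPUT FORWARD OUTPUT" ;;
    nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
    mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
  esac
}

# open_table TABLE : flush, drop user-defined chains, set every policy to ACCEPT
open_table() {
  t=$1
  run iptables -t "$t" -F
  run iptables -t "$t" -X
  for c in $(chains_for "$t"); do
    run iptables -t "$t" -P "$c" ACCEPT
  done
}

# disable_netfilter [BACKUP_FILE] : save the ruleset, then open all three tables
disable_netfilter() {
  backup=${1:-/root/iptables-$(date +%Y%m%d%H%M%S).rules}
  run sh -c "iptables-save > '$backup'"
  for t in filter nat mangle; do
    open_table "$t"
  done
  echo "rules saved to $backup; restore with: iptables-restore < $backup"
}
```

Run disable_netfilter as root once the firewall has been ruled in or out as the cause; the echoed restore command reverts the change.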
