TCP/IP Networking


TCP/IP Networking

Objectives
–to learn how to integrate a SuSE system onto a TCP/IP network
Contents
–the TCP/IP protocol suite
–IP addressing
–basic TCP/IP applications
–TCP/IP configuration files
Practicals
–working with TCP/IP utilities and files
Summary

Overview of TCP/IP

US DoD funded experimental network
–supports inter-networks and inter-host communication
–the most popular UNIX networking protocols
Three basic protocols
–TCP: a reliable session protocol (telnet, ftp)
–UDP: low overhead, sessionless (NFS, NIS, DNS, routing)
–IP: network layer protocol, sessionless, the base of TCP and UDP
(figure: gateway, network and hosts)

Internet Protocol Address

All networked systems need a unique IP address
–the address has four dot-separated numbers (each )
–the IP address is mapped to hardware using the ARP or RARP protocols
Companies are allocated a site address by the NIC
–allocated class A, B or C address ranges
–the local administrator allocates the individual host numbers
Some address values are reserved
–0: not used
–255: reserved for broadcasts
–network address 127 is reserved for loopback
–network address 10 is reserved for internal networks
–network address  is reserved for internal networks
–network address  is reserved for internal networks

IP Address Format (figure)

Class A Addresses: 8 bit network field (leading bit 0, then 7 bits), 24 bit host address
–network addresses in range 
Class B Addresses: 16 bit network field (leading bits 1 0, then 16 bits in the slide's figure), 16 bit host address
–network addresses in range 
Class C Addresses: 24 bit network field (leading bits 1 1 0, then 21 bits), 8 bit host address
–network addresses in range 
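Added example, not part of the slides: a POSIX sh helper that applies the classful rules above to an address, derives the default mask, network and broadcast address, and names the reserved ranges from the previous slide. It assumes the two private ranges the slide leaves blank are RFC 1918's 172.16.0.0/12 and 192.168.0.0/16, and it goes slightly beyond the slide by also accepting a non-classful subnet mask.

```shell
#!/bin/sh
# Classful IPv4 address helper, added to illustrate the "IP Address Format" and
# "Internet Protocol Address" slides (not course material). POSIX sh only.
# Octets are handled one at a time, so no 32-bit integer arithmetic is needed.

# ip_octets A.B.C.D -> prints "A B C D"; returns 1 if not a valid dotted quad
ip_octets() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$1 $2 $3 $4"
}

# ip_class ADDR -> A, B or C from the leading bits of the first octet
# (0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C); "none" for 224-255
ip_class() {
    ip_octets "$1" >/dev/null || return 1
    first=${1%%.*}
    if   [ "$first" -le 127 ]; then echo A
    elif [ "$first" -le 191 ]; then echo B
    elif [ "$first" -le 223 ]; then echo C
    else echo none; fi
}

# ip_default_mask ADDR -> classful mask with 8, 16 or 24 network bits
ip_default_mask() {
    case $(ip_class "$1") in
        A) echo 255.0.0.0 ;;
        B) echo 255.255.0.0 ;;
        C) echo 255.255.255.0 ;;
        *) return 1 ;;
    esac
}

# ip_network ADDR MASK -> network address (host bits cleared, octet by octet)
ip_network() {
    a=$(ip_octets "$1") || return 1
    m=$(ip_octets "$2") || return 1
    set -- $a $m
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# ip_broadcast ADDR MASK -> broadcast address: every host bit set, which is the
# "255" value the slide reserves for broadcasts
ip_broadcast() {
    a=$(ip_octets "$1") || return 1
    m=$(ip_octets "$2") || return 1
    set -- $a $m
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# ip_scope ADDR -> reserved ranges named on the slide (0, 127, 10) plus the two
# private ranges it leaves blank, assumed here to be RFC 1918's 172.16/12 and 192.168/16
ip_scope() {
    a=$(ip_octets "$1") || return 1
    set -- $a
    if   [ "$1" -eq 0 ];   then echo "not used"
    elif [ "$1" -eq 127 ]; then echo "loopback"
    elif [ "$1" -eq 10 ];  then echo "private (10/8)"
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo "private (172.16/12)"
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo "private (192.168/16)"
    else echo "public"; fi
}

# ip_report ADDR [MASK] -> one-line summary; MASK defaults to the classful mask
ip_report() {
    mask=${2:-$(ip_default_mask "$1")} || return 1
    echo "$1/$mask class=$(ip_class "$1") scope=$(ip_scope "$1")" \
         "network=$(ip_network "$1" "$mask") broadcast=$(ip_broadcast "$1" "$mask")"
}

ip_report 10.1.2.3                    # class A with its classful mask 255.0.0.0
ip_report 172.16.5.4 255.255.240.0    # class B address with a subnet mask
ip_report 192.168.1.20                # class C with its classful mask 255.255.255.0
```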

Defining IP Addresses

Traditionally IP addresses are defined in /etc/hosts
–one line per known host, defining IP address, hostname and aliases
–if the last line is a + then NIS is being used
–hostnames are limited to 8 characters
Larger sites use DNS (Domain Name Service)
–one or more hosts on the network maintain all IP addresses
–individual hosts request addresses as needed
–addresses are cached locally to optimise DNS

    # more /etc/hosts
            localhost.localdomain   localhost
            mash4077                loghost mailhost
            rosies                  printserver
            seoul

Analyze Network Interface Configuration

Use ifconfig to view network interfaces
–use the -a option to list all configured interfaces

    # ifconfig -a
    eth0  Link encap:Ethernet  HWaddr 00:50:04:50:61:98
          inet addr:   Bcast:   Mask:
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:  errors:0 dropped:0 overruns:84 frame:0
          TX packets:  errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
    lo    Link encap:Local Loopback
          inet addr:   Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:  errors:0 dropped:0 overruns:0 frame:0
          TX packets:  errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
    # ifconfig eth0 down
    # ifconfig eth0 up

Network Interface Configuration

Use ifconfig to configure the network interface
    # ifconfig eth  netmask  up
Permanent changes in /etc/sysconfig/network
–files named like ifcfg-eth-id-
STATIC settings:
    STARTMODE=auto
    BOOTPROTO=static
    BROADCAST=
    NETWORK=
    NETMASK=
    IPADDR=
DHCP settings:
    DEVICE=eth0
    BOOTPROTO=dhcp
    STARTMODE=auto
Alias interfaces
    # ifconfig eth0:
    IPADDR_0=' '
    NETMASK_0=' '
    LABEL_0='0'
–permanent changes in /etc/sysconfig/network-scripts/ifcfg-eth-id-
Releasing/renewing IP addresses
–ifdown eth0 / ifup eth0

Routing Information

Use route to get/manipulate network routing
–route table: netstat -r(n) or route
–routes to all directly connected networks are created automatically
–to add a net-route: route add -net  gw 
–to delete a net-route: route del -net  gw 
SuSE can handle RIP/OSPF + traffic shaping
Metric value: priority if the values differ, round robin if they are the same:
    route add -net  netmask  gw  metric 10
    route add -net  netmask  gw  metric 10
Delete the route:
    route del -net  netmask 

    # route
    Kernel IP routing table
    Destination     Gateway          Genmask         Flags Metric Ref Use Iface
                    *                                U                    eth
                    *                                U                    eth
                    *                                U                    eth
                    *                                U                    eth
                    *                                U                    lo
    default         router.ing-stee                  UG                   eth3

Routing Information Configuration

Use route to configure the default router
    # route add default gw  eth0
Permanent changes in /etc/sysconfig/network
–file named routes:
    default 
Using several routes
    # route add -net  netmask  gw  eth0
    route add -net  netmask  gw  eth
Permanent changes in /etc/sysconfig/network/routes
    eth-id-00:03:47:b0:5e:85
Another way is to use /etc/init.d/boot.local
–this way is the most common in other RPM distributions

Adding/Removing NICs

Adding a NIC
1. Before going further, find out the current NIC order:
   a) by physical inspection, pinging and moving cables
   b) look in /etc/modprobe.conf or find the NIC modules with lsmod, lsdev, hwinfo, lspci and ksymoops; the kernel key symbol is exported like [3c59x] for 3c905 boards
   c) modify /etc/modprobe.conf to reflect your wished NIC order
2. Check whether the new NIC needs to be added to the kernel or the kernel needs a patch. If that is the case, recompile the kernel and do step 1 again!
3. Power off the host
4. Insert the new NIC
5. If you are lucky, hwinfo and hald will find the new NIC and add it for you; you will be asked for configuration parameters
6. If everything goes well you can now go to step 1 once again to check your NIC order. If you are satisfied, it is time to make the NIC configuration permanent.
Removing a NIC: you basically do the same steps, but you now remove support; hald will detect the NIC removal and you can remember its configuration.

Changing NIC Parameters

Use ethtool to view NIC settings
    # ethtool eth0
    Supported ports: [ TP MII ]
    Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full
    Supports auto-negotiation: Yes
    Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full
    Advertised auto-negotiation: Yes
    Speed: 100Mb/s
    Duplex: Full
    Port: MII
    PHYAD: 1
    Transceiver: internal
    Auto-negotiation: on
    Supports Wake-on: g
    Wake-on: d
    Current message level: 0x (7)
    Link detected: yes
Using mii-tool to force 100 MBit/s full duplex
    # ethtool -s eth0 speed 100 duplex full
Making changes permanent: /etc/init.d/boot.local

Nameservers for non-nameserver hosts

Nameservers are stored in /etc/resolv.conf. General format:
–nameserver: the nameservers to query for names
–domain: my domain; my host is added to this domain
–search: a space-delimited list of at most six key domains to append to hostnames in the query if the domain is missing
–options:
  rotate: round robin over the nameserver list
  timeout:n: default is 30 seconds
  attempts:n: default is 3 or 4
The search order for finding hosts is stored in /etc/host.conf
Name Service Switch config file: /etc/nsswitch.conf

    domain my-site.com
    search my-site.com
    nameserver ip 2
    nameserver ip 1
    nameserver ip 3

    order hosts,bind

    hosts: files lwres dns

Looking at Network Statistics

Use netstat to get network status information
–use -a to view all sockets
–use -i to view interfaces
–use -rn to view routing statistics
MRTG (Multi Router Traffic Grapher)
–commonly used to make graphs of network traffic
–usually together with SNMP (Simple Network Management Protocol)
–Apache is commonly used for presentation of the plots

    # netstat -i
    Kernel Interface table
    Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth                                                                       BRU
    lo                                                                        LRU

Activating SNMP

Activating at boot and starting the SNMPD server
    # insserv /etc/init.d/snmp ; rcsnmpd start
–your server will now respond to SNMP messages
Check that the SNMP server responds
    # snmpwalk -v 1 -c public localhost interface
–the "password" (community string) public can be secured in /etc/snmpd.conf:
    #rocommunity public
    rocommunity crazy42guy
The Apache webserver is needed for presentation
–you simply "browse" to read your network plots
–it is simplest to set up one "plotting" directory in DocumentRoot
    # mkdir /srv/www/htdocs/mrtg

Activating MRTG

Autoconfigure MRTG with cfgmaker
–first create the config directory
–then execute the autoconfig
–all must be on one row!
    # mkdir /etc/mrtg/
    # cfgmaker --output=/etc/mrtg/mrtg.cfg \
        --global "workdir: /srv/www/htdocs/mrtg" --ifref=ip \
        --global 'options[_]: growright,bits' \
Test run MRTG 3 times
–MRTG will now make three test plots; the warnings will go away
    # env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Use MRTG's indexmaker command to create a web index page
    # indexmaker --output=/srv/www/htdocs/mrtg/index.html \
        /etc/mrtg/mrtg.cfg
Add a cron job to run MRTG every 5 minutes
–enter it with crontab -e
    0-59/5 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Check the plots with a web browser
    /mrtg/index.html

Looking for a System

The simplest TCP/IP utility is ping, which sends a message to a host and waits for a reply
–the host can be specified as a name or an IP address

    $ ping -c1 gkse1
    PING gkse1.ing-steen.se ( ) from : 56(84) bytes of data.
    64 bytes from gkse1.ing-steen.se ( ): icmp_seq=0 ttl=64 time=1.119 ms
    --- gkse1.ing-steen.se ping statistics ---
     packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/mdev = 1.119/1.119/1.119/0.000 ms
    $ ping ulf2
    PING ulf2.intra.ing-steen.se ( ) from : 56(84) bytes of data.
    From lina.intra.ing-steen.se ( ): Destination Host Unreachable
    --- ulf2.intra.ing-steen.se ping statistics ---
     packets transmitted, 0 packets received, +1 errors, 100% packet loss
    $ ping dude
    ping: unknown host dude

Network layer 2

To see if you have contact at network layer 2
–use ifconfig: shows if the interfaces are up
–use arp: shows the local arp cache
Manipulating the arp cache
–add a static arp entry (arp -s): to secure the system and increase network speed
–flush the arp cache: if you have stale arp entries
–delete an entry in the arp cache (arp -d): remove faulty entries

    # arp -s  00:0B:5F:12:81:00
    # arp -d 
    # arp
    Address                  HWtype  HWaddress           Flags Mask   Iface
    router.ing-steen.se      ether   00:0B:5F:12:81:00   C            eth3
    grey.ing-steen.se        ether   00:06:5B:1A:84:11   C            eth3

Telnet & local name resolution 1/2

Telnet server settings
–it depends on xinetd, the internet daemon
–xinetd starts the telnet daemon whenever a connection to its port 23 is made, as declared in the file /etc/xinetd.d/telnet
–most xinetd-dependent TCP/UDP services are declared in /etc/services
–of course your telnet server needs a login and welcome text like "Welcome to SuSE.." and "Have a lot of fun..."; these are added in /etc/issue + /etc/issue.net and /etc/motd

    service telnet
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
    }

    telnet  23/tcp   # Telnet
    telnet  23/udp   # Telnet

Telnet & local name resolution 2/2

To activate telnet
    # chkconfig telnet on ; rcxinetd restart
Telnet is used to access most network gear (routers) and many servers sitting in trusted networks
The local name resolution should always be set up to cover the most important hosts and servers

    $ uname -n
    a01
    $ telnet a02
    My SuSE linux server!
    login: hawkeye
    password:
    Welcome to Uncle Sam's wonderful world of Unix
    Remember the bar never closes!
    $ uname -n
    a02

    # cat /etc/hosts
            localhost.localdomain   localhost
            a01.my-site.com         a01     # This host IP address!
            a02.my-site.com         a02     # Other important hosts
            a03.my-site.com         a03
            a04.my-site.com         a04

SSH (Secure Shell) 1/2

The ssh command is used to connect to, or copy files to/from, another machine over a TCP/IP network
–it is a stand-alone service
–it is activated by default in SuSE and most other Linux distributions
–encryption makes use of private and public keys:
    id_rsa        private key
    id_rsa.pub    public key
    known_hosts   public key container
Configuration file: /etc/ssh/sshd_config
–the most common options to change are:
    Port 22             change this
    Protocol 2,1        SSH protocol V2 and V1
    ListenAddress       bind to all interfaces (as here) or to one only
    PermitRootLogin no  disable direct root logins

    # chkconfig --list sshd
    sshd   0:off  1:off  2:off  3:on  4:off  5:on  6:off
    # ls .ssh/
    ... id_rsa  id_rsa.pub  known_hosts

SSH (Secure Shell) 2/2

SSH login
–a connection is established and the user logs on as normal
–the first time you log in to a new server a public key must eventually be generated and stored in known_hosts; the second login will eventually prompt you for the password
SSH copy
–from the current host to any other host running sshd
–from any other host to the current host
–between two remote hosts
FileZilla & PuTTY
–login & copy tools for use with Windows to administer your Unix servers

    $ hostname
    a02
    $ ssh 
    password:
    $ hostname
    a01

    # scp filename.txt 
    Welcome to Linux (i586)
    Password:
    filename.txt    100%    KB/s  00:00

FTP is an interactive utility for network file transfer
–log in to the remote host supplying username and password
–FTP can be run as an xinetd or stand-alone service
Anonymous FTP server
–allows only the user anonymous or ftp to log in
Non-anonymous FTP server
–also allows local registered users (passwd users) to log in
As standard it is an anonymous server
–only file download is allowed
–VSFTP has to be opened up in order to do more
VSFTP: Very Secure FTP

    $ ftp a01
    Connected to a01
    Name (a01:hawkeye):
    Password:
    ftp> get file2
    ...data about the transfer...
    ftp> put /etc/hosts /tmp/mash.hosts
    ...data about the transfer...
    ftp> bye

VSFTPD setup: /etc/vsftpd.conf

The file is in clear text and somewhat self-explanatory; basically we have
–general settings
–anonymous FTP settings
–transfer settings

    anonymous_enable=YES/NO          allow anon users at all
    anon_upload_enable=YES/NO        allow anon users to upload files
    anon_mkdir_write_enable=YES/NO   allow anon users to make dirs
    anon_root=                       FTP root setting
    userlist_enable                  vsftpd.user_list contains allowed users
    userlist_deny                    vsftpd.user_list contains denied users
    local_enable=YES/NO              allow non-anonymous local users to log in
    write_enable=YES/NO              to be allowed to write at all
    ftpd_banner=My FTP Server        welcome message
    xferlog_enable=YES/NO            log file transfers
    xferlog_file=                    log file

Restrict FTP access using the /etc/vsftpd.ftpusers file
Chroot jail users: /etc/vsftpd.chroot_list
FTP userlist: /etc/vsftpd.user_list

Other vsftpd.conf Options

There are many other options you can add to this file:
–limiting the maximum number of client connections: max_clients
–limiting the number of connections by source IP address: max_per_ip
–the maximum rate of data transfer per anonymous login: anon_max_rate
–the maximum rate of data transfer per non-anonymous login: local_max_rate
(0 = unlimited)
Descriptions of these and more can be found in the vsftpd.conf man page.

File Transfer Protocol


VSFTP tutorial 1/3: FTP users with only read access to a shared directory

1. Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
    # Allow anonymous FTP?
    # anonymous_enable=YES
2. Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:
    # Uncomment this to allow local users to log in.
    local_enable=YES
3. Start VSFTP.
    service vsftpd start
4. Create a user group and shared directory. In this case, use /home/ftp-docs and a user group name of ftp-users for the remote users.
    groupadd ftp-users
    mkdir /home/ftp-docs

VSFTP tutorial 2/3

5. Make the directory accessible to the ftp-users group.
    chmod 750 /home/ftp-docs
    chown root:ftp-users /home/ftp-docs
6. Add users, and make their default directory /home/ftp-docs.
    useradd -g ftp-users -d /home/ftp-docs user1
    useradd -g ftp-users -d /home/ftp-docs user2
    useradd -g ftp-users -d /home/ftp-docs user3
    useradd -g ftp-users -d /home/ftp-docs user4
    passwd user1
    passwd user2
    passwd user3
    passwd user4

VSFTP tutorial 3/3

7. Copy the files to be downloaded by your users into the /home/ftp-docs directory.
8. Change the permissions of the files in the /home/ftp-docs directory for read-only access by the group.
    chown root:ftp-users /home/ftp-docs/*
    chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords.
If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to NO (vsftpd allows no spaces around the = sign):
    write_enable=NO
Remember, you must restart VSFTPD, if it is run as stand alone, for the configuration file changes to take effect.

Sample Login Session To Test if it works

Here is a simple test procedure you can use to make sure everything is working correctly:
9. Check for the presence of a test file on the FTP client server.
    ll
    total 1
    -rw-r--r--  1 root root  0 Jan  4 09:08 testfile
10. Connect to bigboy via FTP.
    ftp 
    Connected to  ( )
    220 ready, dude (vsFTPd 1.1.0: beat me, break me)
    Name ( :root): user1
    331 Please specify the password.
    Password:
    230 Login successful. Have fun.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>

Sample Login Session To Test if it works

As expected, we can't do an upload transfer of testfile to my-host.
    ftp> put testfile
    local: testfile remote: testfile
    227 Entering Passive Mode (192,168,1,100,181,210)
    553 Could not create file.
    ftp>
But we can view and download a copy of the VSFTPD RPM located on the FTP server my-host.
    ftp> ls
    227 Entering Passive Mode (192,168,1,100,35,173)
    150 Here comes the directory listing.
    -rwxr            Jan 04 17:06 vsftpd i386.rpm
    226 Directory send OK.
    ftp> get vsftpd i386.rpm vsftpd i386.rpm.tmp
    local: vsftpd i386.rpm.tmp remote: vsftpd i386.rpm
    227 Entering Passive Mode (192,168,1,100,44,156)
    150 Opening BINARY mode data connection for vsftpd i386.rpm (76288 bytes).
    226 File send OK
     bytes received in  secs (1.5e+02 Kbytes/sec)
    ftp> exit
    221 Goodbye.

Sample Login Session To Test if it works

As expected, anonymous FTP fails.
    ftp 
    Connected to  ( )
    220 ready, dude (vsFTPd 1.1.0: beat me, break me)
    Name ( :root): anonymous
    331 Please specify the password.
    Password:
    530 Login incorrect.
    Login failed.
    ftp> quit
    221 Goodbye.
Now that testing is complete, you can make this a regular part of your FTP server's operation.
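Added example serving both the SSH slides and the VSFTP tutorial above, not part of the course material: a POSIX sh audit of sshd_config and vsftpd.conf against the settings they recommend, run over sample files constructed here (the temp files, the 0.0.0.0 ListenAddress and the sample contents are assumptions). Its anonymous_enable check treats a missing line as vsftpd's documented default of YES rather than as disabled, which is the check a practitioner would want after step 1 of the tutorial.

```shell
#!/bin/sh
# Added example, not course material: audit sshd_config and vsftpd.conf for the
# settings the SSH and VSFTP slides recommend (PermitRootLogin no and SSH
# protocol 2 only; no anonymous FTP, local logins on, writes off).
# All sample files below are constructed for this demonstration.

# sshd_config lines are "Keyword value"; keywords are case-insensitive and sshd
# keeps the FIRST value it reads for a keyword, so a hardening line appended to
# the end of the file is ignored when an earlier line already sets it.
sshd_get() {   # sshd_get KEYWORD FILE -> first value, lowercased
    awk -v k="$(echo "$1" | tr '[:upper:]' '[:lower:]')" \
        'tolower($1) == k { print tolower($2); exit }' "$2"
}

sshd_audit() {   # prints findings, returns their number (0 = pass)
    f=$1 n=0
    proto=$(sshd_get Protocol "$f")
    if [ "$proto" = 2 ]; then echo "ok   Protocol 2"
    else echo "FAIL Protocol '$proto': set 'Protocol 2' so SSH-1 is never offered"; n=$((n+1)); fi
    if [ "$(sshd_get PermitRootLogin "$f")" = no ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin: set 'PermitRootLogin no'"; n=$((n+1)); fi
    return $n
}

# vsftpd.conf lines are "option=value" (no spaces around '='); the LAST
# assignment wins. Booleans may be YES/NO, TRUE/FALSE or 1/0 in any case.
vsftpd_bool() {   # vsftpd_bool OPTION FILE DEFAULT -> YES, NO or the raw value
    v=$(grep "^$1=" "$2" | tail -n 1 | cut -d= -f2-)
    [ -n "$v" ] || v=$3
    case $(echo "$v" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *) echo "$v" ;;
    esac
}

vsftpd_audit() {   # prints findings, returns their number (0 = pass)
    f=$1 n=0
    # vsftpd.conf(5) lists YES as the compiled-in default of anonymous_enable,
    # so the tutorial's commented-out line does not by itself disable it.
    anon=$(vsftpd_bool anonymous_enable "$f" YES)
    if [ "$anon" = NO ]; then echo "ok   anonymous_enable=NO"
    else echo "FAIL anonymous_enable is $anon: write anonymous_enable=NO explicitly"; n=$((n+1)); fi
    if [ "$(vsftpd_bool local_enable "$f" NO)" = YES ]; then echo "ok   local_enable=YES"
    else echo "FAIL local_enable must be YES for the ftp-users logins"; n=$((n+1)); fi
    if [ "$(vsftpd_bool write_enable "$f" NO)" = NO ]; then echo "ok   write_enable=NO"
    else echo "FAIL write_enable must be NO for a read-only share"; n=$((n+1)); fi
    return $n
}

# Constructed samples: the weak configuration beside the corrected one.
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); TUT_VSFTPD=$(mktemp); HARD_VSFTPD=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARD_SSHD" "$TUT_VSFTPD" "$HARD_VSFTPD"' EXIT
printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\nPermitRootLogin no\n' > "$WEAK_SSHD"
printf 'Port 22\nProtocol 2\nListenAddress 0.0.0.0\nPermitRootLogin no\n' > "$HARD_SSHD"
printf '# anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=NO\n' > "$TUT_VSFTPD"
printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=NO\n' > "$HARD_VSFTPD"

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    echo "== sshd_config sample $f"; sshd_audit "$f" && echo "-> PASS" || echo "-> $? finding(s)"
done
for f in "$TUT_VSFTPD" "$HARD_VSFTPD"; do
    echo "== vsftpd.conf sample $f"; vsftpd_audit "$f" && echo "-> PASS" || echo "-> $? finding(s)"
done
```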

Summary

Unix systems use TCP/IP for networking
Every host on the network must have a unique IP address
The file /etc/hosts maps names to IP addresses for network utilities
Systems using DNS don't keep local host files
Unix supports standard TCP/IP programs such as ping, telnet and ftp
Unix uses snmpd for network analysis
MRTG is handy for graphing network statistics
Unix uses several TCP/IP configuration files in /etc (xinetd.conf, services, etc.)