TCP/IP Networking Objectives –to learn how to integrate a RedHat system onto a TCP/IP network...


TCP/IP Networking

• Objectives
– to learn how to integrate a RedHat system onto a TCP/IP network

• Contents
– the TCP/IP protocol suite
– IP addressing
– basic TCP/IP applications
– TCP/IP configuration files

• Practicals
– working with TCP/IP utilities and files

• Summary


Overview of TCP/IP

• US DoD funded experimental network
– supports inter-networks, inter-host communication
– most popular UNIX networking protocols

• Three basic protocols
TCP - a reliable session protocol: telnet, ftp
UDP - low overhead sessionless: NFS, NIS, DNS, routing
IP - Network layer protocol, sessionless, base of TCP and UDP

[Diagram labels: gateway, network, hosts]

Internet Protocol Address

• All networked systems need a unique IP address
– address has four dot-separated numbers (each 0 - 255)
– IP address mapped to hardware using ARP or RARP protocols

• Companies allocated a site address by NIC
– allocated class A, B or C address ranges
– local administrator allocates individual host numbers

• Some address values reserved
0 not used
255 reserved for broadcasts

• Network address of 127 is reserved for loopback

• Network address of 10 is reserved for internal networks

• Network address of 172.16 is reserved for internal networks

• Network address of 192.168 is reserved for internal networks

IP Address Format

Class A Addresses
leading bit 0, 7-bit network number, 24-bit host address (8 bits network + 24 bits host)
network addresses in range 0 - 126

Class B Addresses
leading bits 1 0, 14-bit network number, 16-bit host address (16 bit network + 16 bit host address)
network addresses in range 128.0 - 191.254

Class C Addresses
leading bits 1 1 0, 21-bit network number, 8-bit host address (24 bit network + 8 bit host)
network addresses in range 192.0.0 - 223.254.254


Defining IP Addresses

• Traditionally IP address defined in /etc/hosts
– one line per known host defining IP address, hostname and aliases
– if last line is a + then NIS is being used
– hostnames are limited to 8 characters

• Larger sites use DNS (Domain Name Services)
– one or more hosts on the network maintain all IP addresses
– individual hosts request addresses as needed
– address cached locally to optimise DNS

# more /etc/hosts
127.0.0.1     localhost.localdomain localhost
192.168.0.12  mash4077 loghost mailhost
192.168.0.42  rosies printserver
10.1.1.1      seoul


Analyze Network Interface Configuration

• Use ifconfig to view network interfaces
– use the -a option to list all configured interfaces

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:04:50:61:98
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59078481 errors:0 dropped:0 overruns:84 frame:0
          TX packets:53902612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:22596609 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22596609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

# ifconfig eth0 down
# ifconfig eth0 up


Network Interface Configuration

• Use ifconfig to configure the network interface

# ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up

• Permanent changes in /etc/sysconfig/network-scripts
Files named like: ifcfg-eth0

STATIC settings:

DEVICE=eth0
USERCTL=no
ONBOOT=yes
BOOTPROTO=none
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.1

DHCP settings:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

• Alias interfaces

# ifconfig eth0:0 192.168.1.12

Permanent changes in /etc/sysconfig/network-scripts/ifcfg-eth0:0
With DEVICE=eth0:0

• Releasing/Renewing IP addresses

ifdown eth0 / ifup eth0


Routing information

• Use route to get/manipulate network routing
– Route table: netstat -r(n) or route
– Routes to all directly connected networks are created automatically
– To add a net-route: route add -net 192.168.7.0 gw 192.168.1.254
– To delete a net-route: route del -net 192.168.7.0 gw 192.168.1.254

• RedHat can handle RIP/OSPF + traffic shaping
Metric value for priority if different value or round robin if same:

route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.253 metric 10
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.254 metric 10

Delete the route:

route del -net 192.168.3.0 netmask 255.255.255.0

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
80.84.37.0      *               255.255.255.240 U     0      0        0 eth3
172.16.0.0      *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         router.ing-stee 0.0.0.0         UG    0      0        0 eth3


Routing information configuration

• Use route to configure the default router

# route add default gw 192.168.1.1 eth0

• Permanent changes in /etc/sysconfig/
File named network:

GATEWAYDEV=eth0
NETWORKING=yes
FORWARD_IPV4=yes
NISDOMAIN=nis.ikea.se
HOSTNAME=node01.ikea.se
GATEWAY=80.84.37.1

• Using several routes

# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 eth0

Permanent changes in /etc/sysconfig/static-routes

eth0 net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254

Or better use /etc/rc.d/rc.local

route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 eth0


Adding/Removing NICs

• Adding NIC

1. Before going further, find out the current NIC order
a) By physical inspection, pinging and moving cables.
b) Look in /etc/modprobe.conf or find NIC modules with lsmod and ksyms -m or -am. The kernel key symbol is exported like [3c59x] for 3c905 boards.
c) Modify /etc/modprobe.conf to reflect your desired NIC order.

2. Check whether support for the new NIC needs to be added to the kernel or the kernel needs a patch. If that is the case, recompile the kernel and do step 1 again!

3. Power off the host

4. Insert the new NIC

5. If you are lucky, kudzu will find the new NIC and add it for you; you will be asked for configuration parameters. NOTE! Kudzu can destroy the current configuration in /etc/modprobe.conf and change the NIC order.

6. If everything goes well you can now go to step 1 once again to check your NIC order. If you are satisfied it is time to make the NIC configuration permanent.

• Removing NIC: you basically do the same steps but you now remove support; kudzu will detect the NIC removal and you can remember its configuration.


Changing NIC parameters

• Use mii-tool to view NIC settings

# mii-tool -v
[steen@lina sysconfig]$ mii-tool -v | more
eth0: negotiated 100baseTx-FD, link ok
  product info: vendor 00:10:18, model 18 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

• Using mii-tool to force 100MBit/s Full Duplex

# mii-tool -F 100baseTx-FD eth0

• Making changes permanent: /etc/rc.d/rc.local


Nameservers for non nameserver hosts

• Nameservers are stored in /etc/resolv.conf
General format:

nameserver - The nameservers to query for names
domain - My domain, my host is added to this domain.
search - A space delimited list of max six key domains to add hostnames to in the query if domain is missing.
options
  rotate - round robin nameserver list
  timeout:n - default is 30 seconds
  attempts:n - default is 3 or 4

domain my-site.com
search my-site.com
nameserver ip 2
nameserver ip 1
nameserver ip 3

• Search order for finding hosts is stored in /etc/host.conf

order hosts,bind

• Name Service Switch config file /etc/nsswitch.conf

hosts: files dns


Looking at Network Statistics

• Use netstat to get network status information
– use -a to view all sockets
– use -i to view interfaces
– use -rn to view routing statistics

# netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 59098394      0      0     84 53924429      0      0      0 BRU
lo    16436   0 22598046      0      0      0 22598046      0      0      0 LRU


Looking for a System

• The simplest TCP/IP utility is ping, which sends a message to a host and waits for a reply
– the host can be specified as a name or an IP address

$ ping -c1 gkse1
PING gkse1.ing-steen.se (80.84.37.2) from 80.84.37.3 : 56(84) bytes of data.
64 bytes from gkse1.ing-steen.se (80.84.37.2): icmp_seq=0 ttl=64 time=1.119 mse

--- gkse1.ing-steen.se ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.119/1.119/1.119/0.000 ms

$ ping ulf2
PING ulf2.intra.ing-steen.se (192.168.1.37) from 192.168.1.100 : 56(84) bytes of data.
From lina.intra.ing-steen.se (192.168.1.100): Destination Host Unreachable

--- ulf2.intra.ing-steen.se ping statistics ---
1 packets transmitted, 0 packets received, +1 errors, 100% packet loss

$ ping dude
ping: unknown host dude


Network layer 2

• To see if you have contact with network layer 2
– use ifconfig
Shows if interfaces are up
– use arp
Shows the local arp cache

• Manipulate the arp cache
– Add static entry
To secure system and increase network speed
– Flush arp cache
If you have stale arp entries
– Delete entry in arp cache
Remove faulty entries

# arp -s 192.168.0.12 00:0B:5F:12:81:00
# arp -d 192.168.0.12
# arp
Address                 HWtype  HWaddress           Flags Mask  Iface
router.ing-steen.se     ether   00:0B:5F:12:81:00   C           eth3
grey.ing-steen.se       ether   00:06:5B:1A:84:11   C           eth3


Telnet & local name resolution

• The telnet command is used to connect to another machine over a TCP/IP network
– a connection is established and the user logs on as normal
– chkconfig telnet on
– telnet is an xinetd daemon service: /etc/xinetd.d/telnet

$ uname -n
a01
$ telnet a02
My RedHat linux server!
login: hawkeye
password:
Welcome to Uncle Sam's wonderful world of Unix
Remember the bar never closes!
$ uname -n
a02

• Local name resolution is in /etc/hosts

# cat /etc/hosts
127.0.0.1    localhost.localdomain localhost a01
192.168.0.1  a01.my-site.com a01   # This host IP address!
192.168.0.2  a02.my-site.com a02   # Other important hosts
192.168.0.3  a03.my-site.com a03
192.168.0.4  a04.my-site.com a04
192.168.0.5  a05.my-site.com a05
192.168.0.6  a06.my-site.com a06


SSH

• The ssh command is used to connect to another machine over a TCP/IP network
– a connection is established and the user logs on as normal
– chkconfig --add sshd implements ssh
– ssh config sits in /etc/ssh and sshd runs as a stand-alone server
– ssh is standard in RedHat 9

$ hostname
a02
$ chkconfig --list sshd
sshd 0:off 1:on 2:on 3:on 4:on 5:on 6:off
$ ssh -l peter a01
password:
$ hostname
a01

File Transfer Protocol

• FTP is an interactive utility for network file transfer
– login to remote host supplying username and password
– Client/Server concept

• Restrict FTP access using /etc/vsftpd/vsftpd.ftpusers file
– FTP access is denied to users named in this file

• Configure vsftpd using /etc/vsftpd/vsftpd.conf file

• Two kinds of ftp servers: private ftp and anonymous ftp

$ ftp a01
Connected to a01
Name (a01:hawkeye):
Password:
ftp> get file2
...data about the transfer...
ftp> put /etc/hosts /tmp/mash.hosts
...data about the transfer...
ftp> bye


Berkeley R Utilities & the new S Utilities

• The Unix (or Berkeley) r utilities provide an alternative to IP facilities telnet and ftp.

• Three programs:
rlogin hostname - remote login
rsh hostname command - remote command
rcp [host:]file [host:]file - remote copy, from to
scp user1@host:file user2@host:file - secure copy, from to
ssh hostname - remote command
rdist - remote distribution

• For R family: passwords not required if .rhosts files configured
– friendly hosts defined for all normal users in /etc/hosts.equiv
– users may add to this list in $HOME/.rhosts

• For S family: you need to exchange keys (RedHat 9+ default)
– Users may add friendly hosts in $HOME/.ssh/authorized_keys
– Keys must be given to you from the remote host's $HOME/.ssh/id_rsa.pub
– Keys generated with ssh-keygen -t rsa


Exercise - Who has Remote Access

• Here are three files from mash4077

• Can root on seoul copy files to/from mash4077?

• Can hawkeye on seoul run commands on mash4077?

• Can hawkeye on rosies run commands on mash4077?

• Can root on mash4077 copy files to/from rosies?

• Can bfpierce on division copy files to mash4077?

• Can root on seoul login to mash4077?

# more /etc/hosts.equiv
seoul
# more /.rhosts
rosies
# more /home/hawkeye/.rhosts
rosies
swamp
division bfpierce
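The trust rules from the R-family slide, applied to the three mash4077 files above. This is an added example, not part of the original slides; it models exact hostname matches only (no netgroups or negative entries), and the function names are chosen for this example.

```python
"""Passwordless r-utility trust (rsh/rcp/rlogin), simplified model."""

# The three files shown on the exercise slide for host mash4077.
HOSTS_EQUIV = "seoul\n"                                # /etc/hosts.equiv
RHOSTS = {
    "root": "rosies\n",                                # /.rhosts
    "hawkeye": "rosies\nswamp\ndivision bfpierce\n",   # /home/hawkeye/.rhosts
}


def parse_trust(text):
    """Return (host, user) pairs; user is None when a line names only a host."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def grants(entries, rhost, ruser, luser):
    """True if any entry trusts ruser@rhost to act as the local account luser."""
    for host, user in entries:
        if host not in ("+", rhost):
            continue
        if user is None:
            if ruser == luser:        # host-only line: same account name only
                return True
        elif user in ("+", ruser):    # "host user" line: that remote user is trusted
            return True
    return False


def passwordless(rhost, ruser, luser, hosts_equiv=HOSTS_EQUIV, rhosts=RHOSTS):
    """True if ruser@rhost can use rsh/rcp/rlogin as luser without a password."""
    # /etc/hosts.equiv is not consulted when the target account is root.
    if luser != "root" and grants(parse_trust(hosts_equiv), rhost, ruser, luser):
        return True
    return grants(parse_trust(rhosts.get(luser, "")), rhost, ruser, luser)


def wildcard_lines(text):
    """Entries containing '+', which trust every host or every user."""
    return [(h, u) for h, u in parse_trust(text) if "+" in (h, u)]


if __name__ == "__main__":
    checks = [
        ("seoul", "root", "root"),
        ("seoul", "hawkeye", "hawkeye"),
        ("rosies", "hawkeye", "hawkeye"),
        ("division", "bfpierce", "hawkeye"),
    ]
    for rhost, ruser, luser in checks:
        verdict = "trusted" if passwordless(rhost, ruser, luser) else "password needed"
        print("%s@%s -> %s@mash4077: %s" % (ruser, rhost, luser, verdict))
```

Access in the other direction (from mash4077 to rosies) depends on the files on rosies, which the exercise does not show.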


Remote shells

• The rsh (remsh) command
– run a command on a named host
– standard I/O can be redirected as normal
– /etc/profile and .profile not executed
– requires /etc/hosts.equiv or $HOME/.rhosts file to be configured

From a02 or a03 you issue the commands below:

$ whoami
trapper
$ rsh a01 ls -l
..run ls -l as trapper on a01 output..
$ rsh a01 ls -l > list.a01
file list.a01 created on local system
$ rsh a01
...same as rlogin...
$ rsh -l hawkeye a01
...same as rlogin -l hawkeye...


Remote distribution - rdist

• The rdist command
– replicates and maintains identical copies of files over multiple hosts
– relies on rlogin and rsh
– can use ssh as transport for secure mode
– rdist is client software and rdistd is server software
– the server rdistd is started via rsh or ssh on the server
– R-family rsh requires: /etc/hosts.equiv or $HOME/.rhosts file to be configured
– S-family ssh requires: $HOME/.ssh/rsa_key.pub to be copied from remote server/client
– Uses a special file, Distfile, for updating and maintaining files
– Can syslog to /var/log/messages file

RDIST HOME: http://www.magnicomp.com/rdist/

• The rdist command is RedHat standard


Remote distribution – preparation

• Prepare a master server and client files to replicate
1. Logins must be done without password on clients, or rdist fails.
2. With R-Family: set up server and clients like on page 22 in this chapter.
3. With S-Family: Generate keys and distribute server keys to all clients, look below.
4. S-Family: Enable ssh root logins on all clients.
5. Create a Distfile with the files and directories to update on your clients.

• Enable root logins (trusted environment only) on all clients:
1. sshd config file: /etc/ssh/sshd_config:

PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys


Remote distribution – preparation test

• Generate server private and public keys:
1. As root generate server keys on server:

# ssh-keygen -t rsa

2. Copy keys to identity files:

# cd .ssh ; cp id_rsa identity ; cp id_rsa.pub identity.pub

• Distribute public keys to clients:
1. Create client private and public keys:

# ssh <client ip> ssh-keygen -t rsa

2. Distribute server public key to all your clients (they need the /root/.ssh directory):

# scp identity.pub <client ip>:.ssh/authorized_keys

• As root on the server, test root password-less login rights to all of the nodes/clients by:

# ssh node01 date
sat dec 12 14:52:55 CET 2004
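A check for the root access these two preparation slides create: it reports `PermitRootLogin yes` and root keys that carry no `from=` or `command=` restriction. This is an added example, not part of the original slides; the key blobs are placeholders, and the restricted sample line (source address, forced `rdistd -S` command) is an assumption about how a site might lock the rdist key down.

```python
"""Audit root SSH access of the kind the rdist preparation steps set up."""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample input. The first two settings are the ones on the slide.
SSHD_CONFIG = """\
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
"""
# Line 1: a bare key, as left by the scp step. Line 2: assumed restricted form.
ROOT_AUTHORIZED_KEYS = """\
ssh-rsa AAAAPLACEHOLDER1 root@master
from="192.168.0.1",command="/usr/local/bin/rdistd -S",no-pty ssh-rsa AAAAPLACEHOLDER2 root@master
"""


def effective(config_text, keyword):
    """Global value of a keyword: sshd uses the first occurrence it reads."""
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":      # stop at conditional blocks
            break
        if parts[0].lower() == keyword.lower() and len(parts) > 1:
            return parts[1].strip()
    return None


def key_options(line):
    """Options that precede the key type on an authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}
    opts, current, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted              # quotes delimit values, drop them
        elif ch == "," and not quoted:
            opts.append(current)
            current = ""
        elif ch in " \t" and not quoted:
            break                            # end of the options field
        else:
            current += ch
    opts.append(current)
    return {name.lower(): value for name, _, value in (o.partition("=") for o in opts)}


def audit(config_text, keys_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if (effective(config_text, "PermitRootLogin") or "").lower() == "yes":
        findings.append("sshd_config: PermitRootLogin yes")
    for n, line in enumerate(keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        missing = [o for o in ("from", "command") if o not in key_options(line)]
        if missing:
            findings.append("authorized_keys line %d: missing %s" % (n, ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, ROOT_AUTHORIZED_KEYS):
        print(finding)
```

When `PermitRootLogin` is absent the result depends on the OpenSSH version's default, so the audit reports nothing for it. The scp step on the slide also replaces whatever the client's `authorized_keys` held before.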


Remote distribution - Distfile

• Used to specify how replication should take place

• The Distfile format:

<variable name> `=' <name list>
[ label: ] <source list> `->' <destination list> <command list>
[ label: ] <source list> `::' <time_stamp file> <command list>

The label is optional.

HOSTS is in our example all hosts and logins that FILES can be replicated to/from

${FILES} -> ${HOSTS} sends files to list of hosts.

/usr/src/bin -> arpa sends the directory with its contents to host arpa

The command list gives instructions on how to install/operate with the lists/files


Remote distribution – execute rdist

• Create some test files to distribute among clients.

# vi /etc/my-rdist-testfile
This is the rdist test file!

• Create a Distfile

NODES = ( a01 a02 a03 a04 )
ETCFILES = ( /etc/my-rdist-testfile )
${ETCFILES} -> ${NODES}
        install;

This file will replicate the ETCFILES onto all the NODES.

• Replicate the files using rdist together with SSH

# /usr/local/bin/rdist -P /usr/local/bin/ssh -p /usr/local/bin/rdistd -f /etc/Distfile

You may want to run this command every night on your master-server by using the crontab command.


Internetwork daemon Configuration

• Internet facilities controlled by the internet daemon
– /usr/sbin/xinetd
– started up from /etc/inittab

• xinetd controlled by configuration file /etc/xinetd.conf
– Tells where the facilities/services directory sits
– Sets mandatory facility/service configuration and logging
– Former name was inetd.conf and the inetd daemon

• Services configuration files in /etc/xinetd.d/
Telnet example:

service telnet
{
        disable = no
        flags = REUSE
        socket_type = stream
        wait = no
        user = root
        server = /usr/sbin/in.telnetd
        log_on_failure += USERID
}
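A parser for service files in this format that lists which services xinetd would start, whether each one carries logins or data unencrypted, and whether an `only_from` restriction is set. This is an added example, not part of the original slides; the second service entry in the sample is constructed, and the function names are chosen for this example.

```python
"""Report enabled xinetd services from /etc/xinetd.d-style configuration text."""
import re

# xinetd service names that carry logins or data unencrypted. "shell", "login"
# and "exec" are the service names used for rsh, rlogin and rexec.
CLEARTEXT = {"telnet", "shell", "login", "exec", "ftp"}

SAMPLE = """\
service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
# Constructed entry, not from the slide: rsh present but switched off.
service shell
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.rshd
}
"""


def parse_services(text):
    """Map service name -> {attribute: [values]} for every 'service' block."""
    services, name, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"service\s+(\S+)$", line)
        if header and attrs is None:
            name = header.group(1)
        elif line == "{" and name is not None:
            attrs = {}
        elif line == "}" and attrs is not None:
            services[name] = attrs
            name = attrs = None
        elif attrs is not None and "=" in line:
            # Attributes use "=", "+=" or "-=" as the assignment operator.
            key, value = re.split(r"\s*[+-]?=\s*", line, maxsplit=1)
            attrs.setdefault(key, []).extend(value.split())
    return services


def exposure(text):
    """(service, is_cleartext, has_only_from) for every service xinetd would start."""
    report = []
    for name, attrs in sorted(parse_services(text).items()):
        # A service block with no "disable" attribute is enabled.
        if "yes" in attrs.get("disable", ["no"]):
            continue
        report.append((name, name in CLEARTEXT, "only_from" in attrs))
    return report


if __name__ == "__main__":
    for name, cleartext, restricted in exposure(SAMPLE):
        print("%-8s cleartext=%s only_from=%s" % (name, cleartext, restricted))
```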


Summary

• Unix systems use TCP/IP for networking

• Every host on the network must have a unique IP address

• The file /etc/hosts maps names into IP addresses for network utilities

• Systems using DNS don't keep local host files

• Unix supports standard TCP/IP programs such as ping, telnet and ftp

• Unix provides its own equivalents (rlogin, rcp/scp, rsh and rdist) which use .rhosts files

• Unix uses several TCP/IP configuration files in /etc (xinetd.conf, services, etc.)
