
Linux Network Administrators Guide



Purpose and Audience for This Book

Sources of Information

  • Documentation Available via FTP
  • Documentation Available via WWW
  • Documentation Available Commercially
  • Linux Journal and Linux Magazine
  • Linux Usenet Newsgroups
  • Linux Mailing Lists
  • Online Linux Support
  • Linux User Groups
  • Obtaining Linux

The home page of the Linux Documentation Project can be accessed at http://www.linuxdoc.org/. You can also find the magazine on the World Wide Web at http://www.linuxjournal.com/.

File System Standards

Standard Linux Base

About This Book

The Official Printed Version

Overview

Chapter 18 and Chapter 19 cover the configuration of sendmail and exim, two mail transfer agents you can use for Linux. The following chapters discuss more modern alternatives to C News that use the Internet's NNTP (Network News Transfer Protocol).

Conventions Used in This Book

Submitting Changes

Acknowledgments

The Hall of Fame

Introduction to Networking

  • History
  • TCP/IP Networks
    • Introduction to TCP/IP Networks
    • Ethernets
    • Other Types of Hardware
    • The Internet Protocol
    • IP Over Serial Lines
    • The Transmission Control Protocol
    • The User Datagram Protocol
    • More on Ports
    • The Socket Library
  • UUCP Networks
  • Linux Networking
    • Different Streaks of Development
    • Where to Get the Code
  • Maintaining Your System
    • System Security

In this section, we will look at the fundamental concepts of TCP/IP protocols. He integrated some BSD network code into the Linux kernel for this driver.

Issues of TCP/IP Networking

  • Networking Interfaces
  • IP Addresses
  • Address Resolution
  • IP Routing
    • IP Networks
    • Subnetworks
    • Gateways
    • The Routing Table
    • Metric Values
  • The Internet Control Message Protocol
  • Resolving Host Names

By default, the destination network is derived from the network part of the IP address. Again, this is a 32-bit number that specifies the bit mask for the network portion of the IP address.

Configuring the Networking Hardware

  • Kernel Configuration
    • Kernel Options in Linux 2.0 and Higher
    • Kernel Networking Options in Linux 2.0.0 and Higher
  • A Tour of Linux Network Devices
  • Ethernet Installation
    • Ethernet Autoprobing
  • The PLIP Driver
  • The PPP and SLIP Drivers
  • Other Network Types

When routing IP over a Wide Area Network such as the Internet, it is preferable to use smaller datagrams to ensure that they do not need to be further split along the route through a process called IP fragmentation. The kernel can automatically determine the smallest MTU of an IP route and automatically configure a TCP connection to use it. At boot time you can provide arguments and information to the kernel that any of the kernel components can read. In the 2.2 kernels, the PLIP driver uses the parport parallel port sharing driver developed by Philip Blundell. The new driver assigns the names of the PLIP network devices serially, just as for the Ethernet or PPP drivers, so the first PLIP device created is plip0, the second is plip1, and so on.

You would use the lilo append keyword to automatically pass these arguments to the kernel at startup.

Configuring the Serial Hardware

  • Communications Software for Modem Links
  • Introduction to Serial Devices
  • Accessing Serial Devices
    • The Serial Device Special Files
  • Serial Hardware
  • Using the Configuration Utilities
    • The setserial Command
    • The stty Command
  • Serial Devices and the login: Prompt
    • Configuring the mgetty Daemon

This is an abbreviation for the Teletype device, which was once one of the main ones. To do this, the kernel changes what is called the tty device line discipline. This parameter will cause the kernel to attempt to automatically determine the IRQ of the specified device.

One of the more important uses of stty for serial devices is to enable hardware handshaking on the device.

Configuring TCP/IP Networking

Mounting the /proc Filesystem

Some configuration tools of the Linux NET-2 and NET-3 release rely on the /proc file system to communicate with the kernel. It contains a number of files that show things like the kernel's ARP tables, the status of TCP connections, and the routing tables. The proc file system (or procfs, as it is also known) is usually mounted at /proc during system startup.

You will then need to recompile the kernel and answer yes when prompted for procfs support.

Installing the Binaries

Setting the Hostname

Assigning IP Addresses

Creating Subnets

Writing hosts and networks Files

Interface Configuration for IP

  • The Loopback Interface
  • Ethernet Interfaces
  • Routing Through a Gateway
  • Configuring a Gateway
  • The PLIP Interface
  • The SLIP and PPP Interfaces
  • The Dummy Interface
  • IP Alias

If you also have access to the remote host, you will need to go to that machine and check the interface statistics. To use a gateway, you must pass additional routing information to the network layer. Now suppose that vlager also has a connection to the Internet (for example, via an extra SLIP link).

However, on some occasions you need to send data to the official IP address of the local host.

All About ifconfig

This option is used for point-to-point IP links involving only two hosts. This option can be used to assign a metric value to the routing table entry created for the interface. On the other hand, this option allows attackers to do nasty things, like scan your network's traffic for passwords.

You can also use secure authentication protocols such as Kerberos or the Secure Shell Login suite.[38] This option corresponds to the PROMISC flag.

The netstat Command

  • Displaying the Routing Table
  • Displaying Interface Statistics
  • Displaying Connections

MSS is the maximum segment size, the size of the largest datagram the kernel will produce for transmission over this path. The window is the maximum amount of data that the system can accept at one time from a remote host. The initial round-trip time is the value that TCP will use when a connection is first established.

Additionally, if you specify the −a flag, sockets waiting for a connection (that is, listening) are also listed.

Checking the ARP Tables

Another useful application of proxy ARP is when one of your hosts acts as a gateway for another host only temporarily, for example, over a dial-up connection. Of course, this application will only work if the address of the host you want to provide the ARP proxy for is on the same IP subnet as your gateway.

Name Service and Resolver Configuration

The Resolver Library

  • The host.conf File
    • Resolver environment variables
  • The nsswitch.conf File
  • Resolver Robustness

This variable specifies a list of trim domains to be added to those given in host.conf. If you are using a dial-up IP connection to the Internet, you will usually specify the name server of your service provider in the resolv.conf file. The most important option in resolv.conf is nameserver, which gives the IP address of a nameserver to use.

The current implementation allows you to have up to three nameserver statements in resolv.conf.
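The resolver's three-nameserver limit is easy to violate silently: a fourth nameserver line is simply never consulted, and a mistyped address is ignored without complaint. The following checker is an added example (not part of the guide and not the resolver's own code); it parses a constructed resolv.conf, keeps only the first three valid nameserver entries as the resolver would, and reports anything that was dropped. The sample addresses and the MAXNS constant name are assumptions for illustration.

```python
"""Check a resolv.conf for entries the resolver would silently ignore.

Added example; it models the three-nameserver limit described in the text
and is not the resolver library's own implementation.
"""
import ipaddress

MAXNS = 3  # resolver limit stated in the guide (assumed constant name)

# Constructed sample resolv.conf; addresses are placeholders.
SAMPLE_RESOLV_CONF = """\
# resolver configuration for a host in physics.groucho.edu (constructed)
domain physics.groucho.edu
search physics.groucho.edu groucho.edu
nameserver 172.16.1.1
nameserver 172.16.1.2      ; secondary
nameserver 10.0.0.53
nameserver 10.0.0.54       # fourth entry: beyond MAXNS, never used
nameserver not-an-address  # typo: ignored by the resolver
"""


def parse_resolv_conf(text):
    """Return the effective configuration plus warnings for ignored lines."""
    cfg = {"domain": None, "search": [], "nameservers": [], "ignored": [], "warnings": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Both '#' and ';' introduce comments in resolv.conf.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver":
            if len(args) != 1:
                cfg["warnings"].append(f"line {lineno}: nameserver needs exactly one address")
                continue
            try:
                ipaddress.ip_address(args[0])
            except ValueError:
                cfg["warnings"].append(f"line {lineno}: {args[0]!r} is not an IP address; ignored")
                continue
            if len(cfg["nameservers"]) < MAXNS:
                cfg["nameservers"].append(args[0])
            else:
                cfg["ignored"].append(args[0])
                cfg["warnings"].append(
                    f"line {lineno}: nameserver {args[0]} is beyond MAXNS={MAXNS}; never queried")
        elif key == "domain":
            cfg["domain"] = args[0] if args else None
        elif key == "search":
            cfg["search"] = args
        else:
            cfg["warnings"].append(f"line {lineno}: unknown keyword {key!r}")
    return cfg


if __name__ == "__main__":
    result = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("effective nameservers:", result["nameservers"])
    for warning in result["warnings"]:
        print("warning:", warning)
```

Run against a real /etc/resolv.conf, the warnings list is what a practitioner wants to see: an operator who adds a backup nameserver as the fourth line gets no resilience from it at all.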

How DNS Works

  • Name Lookups with DNS
  • Types of Name Servers
  • The DNS Database
  • Reverse Lookups

It starts by sending a query to a nameserver for the root domain, asking for the address of erdos.maths.groucho.edu. Example 6−4 shows part of the domain database loaded into the name servers for the physics.groucho.edu zone. Note that all names in the example file that do not end with a dot must be interpreted relative to the physics.groucho.edu domain.

The glue records indicating the name servers for physics.groucho.edu are shown in Example 6−5.

Running named

  • The named.boot File
  • The BIND 8 host.conf File
  • The DNS Database Files
  • Caching−only named Configuration
  • Writing the Master Files
  • Verifying the Name Server Setup
  • Other Useful Tools

It tells named to enable its cache and load the root nameserver hints from the specified cache file (named.ca in our case). The NS record points to the primary name server of the given zone, with the resource data field containing the host name of the name server. To solve this dilemma, we can configure special A records directly into the parent zone's name server.

The named.ca cache file shown in Example 6−10 contains sample hint records for the root name servers.

Serial Line IP

  • General Requirements
  • SLIP Operation
  • Dealing with Private IP Networks
  • Using dip
    • A Sample Script
    • A dip Reference
  • Running in Server Mode

However, this speed requires that the serial line be explicitly converted to SLIP mode. Suppose your modem is set to /dev/ttyS3 and you have successfully logged into the SLIP server. After transferring the line to the SLIP driver, you must configure the network interface.

The netmask does not apply to the SLIP link itself, but is used in combination with it.

The Point−to−Point Protocol

PPP on Linux

In this mode, all incoming data is passed to the PPP driver, which checks the incoming HDLC frames for validity (each HDLC frame has a 16-bit checksum), unwraps them, and dispatches them. Since PPP is quite complex, its many options cannot all be explained in one chapter. Probably the greatest help you will find in configuring PPP will come from other users of the same Linux distribution.

This is the place where you can find most people involved in pppd development.

Running pppd

Using Options Files

Using chat to Automate Dialing

Specifying the chat script on the command line carries some risk, because users can view the command line of a process with the ps command. You can avoid this risk by placing the chat script in a file such as dial-c3po. Similarly, you can change the timeout value for parts of the chat scripts by inserting TIMEOUT options.

Sometimes you also need conditional execution for parts of the chat script: when you don't receive the remote end's login prompt, you might want to return a BREAK or a carriage return.

IP Configuration Options

  • Choosing IP Addresses
  • Routing Through a PPP Link

Again, vlager acts as the gateway to the brewery network and will support the PPP connection; its peer on the new branch is called vbourbon and has an IP address of 172.16.3.1. We could add the route manually with the route command after the PPP connection is established, but this is not a very practical solution. The second argument, device, is the pathname of the serial device file used (/dev/tty if stdin/stdout is used).

Similarly, /etc/ppp/ip−down can be used to undo any actions of ip−up after the PPP link has been removed again.

Link Control Options

You can enable this by using the lcp-echo-interval option along with the time in seconds. If no frame is received from the remote host during this interval, pppd generates an Echo Request and expects the peer to return an Echo Response. If the peer does not respond, the connection is terminated after a certain number of requests have been sent.

General Security Considerations

Authentication with PPP

  • PAP Versus CHAP
  • The CHAP Secrets File
  • The PAP Secrets File

When it needs to authenticate itself to a server using CHAP, pppd searches the chap-secrets file for an entry whose client field equals the local hostname and whose server field equals the remote hostname sent in the CHAP challenge. As explained earlier, the remote hostname is always provided by the peer in the CHAP challenge or response packet. When the remote host sends its authentication information, pppd uses the entry whose server field equals the local hostname and whose client field equals the username sent in the request.

The name vlager−pap in the first column is the username we send to c3po.

Debugging Your PPP Setup

More Advanced PPP Configurations

  • PPP Server
  • Demand Dialing
  • Persistent Dialing

This configuration would enable on-demand dialing, wait 60 seconds before re-establishing a failed connection, and disconnect if 180 seconds pass with no active data on the connection. With persistent dialing, the connection is automatically established as soon as the PPP daemon is started, and the persistent aspect comes into play whenever a phone call supporting the connection fails. Persistent dialing ensures that the connection is always available by automatically re-establishing the connection if it fails.

It is possible to combine persistent dialing with demand dialing, using idle to drop the link if it has been idle for a specified period of time.

TCP/IP Firewall

  • Methods of Attack
  • What Is a Firewall?
  • What Is IP Filtering?
  • Setting Up Linux for Firewalling
    • Kernel Configured with IP Firewall
    • The ipfwadm Utility
    • The ipchains Utility
    • The iptables Utility
  • Three Ways We Can Do Filtering
  • Original IP Firewall (2.0 Kernels)
    • Using ipfwadm
    • A More Complex Example
    • Summary of ipfwadm Arguments
  • IP Firewall Chains (2.2 Kernels)
    • Using ipchains
    • ipchains Command Syntax

Perhaps the simplest way to describe the use of the ipfwadm command is with an example. In the case of the ICMP protocol, the port field is used to indicate ICMP datagram types. Specify the address of the network interface on which the packet is received (−I) or sent (−O).

First, let's look at the general syntax of the ipchains command, and then we'll see how to use it.
