Open source software security

Linux Networking Primer

November 25, 2002

Ok, so now we've got our Linux machine up and running. It's time to take a brief look at networking, the heart and soul of *nix operating systems. Networking is what allows your Linux machine to hop onto the internet, send and receive email, and perform a host of other operations. The easiest way to set up your initial networking configuration is with linuxconf. Linuxconf, run at the command line, presents a rather crude but easy to use graphical interface for configuring your computer for networking. Linuxconf presents you with a list of options that are fairly similar to the 'Properties' of your 'Network Neighborhood' on a Windows machine. To use linuxconf open a shell, su to root, and type in 'linuxconf'. If you don't have it installed, it should be on the Mandrake distribution CDs, so you can just use the instructions in the previous article to install it.

Using linuxconf you can set up your machine with ease, although you may wonder what becomes of the network settings you specify. It's actually quite easy to do all of this by hand, but it requires some care and a greater understanding of how your computer's networking is set up. Let's take a quick look at how your computer is currently configured. To find out some basic and quick information, at the command prompt (as root) type in 'ifconfig' to see your current settings. On my machine I show:

[root@laptop jkeane]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:30:F1:0F:F3:A4
          inet addr:207.188.197.45  Bcast:207.188.197.63  Mask:255.255.255.224
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:2223 errors:0 dropped:0 overruns:0 frame:0
          TX packets:323 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:217099 (212.0 Kb)  TX bytes:94106 (91.9 Kb)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3627 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3627 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:206704 (201.8 Kb)  TX bytes:206704 (201.8 Kb)

You'll notice I have two devices enabled. eth0 is the ethernet card. The default card is always eth0, but if you have multiple cards you may see eth1, eth2, and so on. The 'lo' interface is the local loopback, which is used for diagnostic purposes. To make sure your connection is working you can first ping your local interface using the ping command. Ping sends a few packets of data across your connection. To understand ping you first have to understand how TCP/IP (Transmission Control Protocol / Internet Protocol) functions.

The internet uses TCP/IP to communicate. TCP/IP is a robust, error-trapping system. Basically, if I want to send a message to another computer, I can use TCP/IP to make sure the whole message gets to the recipient in the correct order. TCP/IP is a lot like the postal mail, but more powerful. If I wanted to send you a letter I could write it up, stuff it in an envelope, postmark it and dump it in a mailbox. However, using this method I'm never quite sure if you actually got the letter. It would be more reliable if I were to mail the letter with instructions that you should mail me a return receipt once you get it; that way I know you actually got my letter. What happens, however, if your return letter gets lost in the mail? A more reliable way would be to send you the letter in several parts, say on postcards, and request a return receipt for each postcard. This way you're sending lots of receipts back and it is more likely that I'll get at least one of them. This presents a problem though, because you have to reassemble the letter from the postcards. If I number the postcards then you know what order to reassemble them in to make up the original letter. What if you get postcards 1-6 of a 7 postcard letter though? How will you know you missed postcard number 7? Well, I can number the postcards to indicate their place in the total sequence. That way if you get a postcard that says 'postcard 1 of 7', then you know to expect 6 more, and if you never get the postcard that says 'postcard 7 of 7' you know you should mail me and request the last postcard. TCP/IP works in the same way. Computers connect to the internet and begin a sequenced transmission that can span several computers on the way to its destination.

But where does your computer begin this connection? Usually the 'default gateway/router' is the first step in any transmission. Say you want to send an email to me (jkeane@madirish.net); how does your computer get the email from your computer to mine? Well, your computer bundles up the email and knows it's going to madirish.net. First your computer does a DNS (domain name service) lookup. DNS is the system by which computers keep track of names and numbers. Computers communicate with one another using IP addresses (numbers), written as a series of four numbers (each up to three digits) between 0 and 255. Thus an IP address can be anywhere from 0.0.0.0 to 255.255.255.255. Note, however, that some of these numbers have been reserved for diagnostic purposes (such as 127.0.0.1, which is always the local loopback) or internal addressing (192.168.0.1 for instance). DNS translates a domain (madirish.net) into an IP. DNS servers keep track of all of the domains and IP addresses. DNS is a hierarchy with root DNS servers maintained by a select few highly secure companies. You must configure a DNS server for your machine in order to communicate with other machines using names. You can use IP addressing and avoid DNS, but it's much easier to tell someone that my web site is at www.madirish.net than to tell them my homepage is at http://207.188.197.44. To see how DNS works you can use 'host' from the command line. You'll have to have the 'bind-utils' package installed to use it. Open up a shell and type in 'host madirish.net'. You should see:

[root@laptop /home]# host madirish.net
madirish.net has address 207.188.197.44

What the 'host' command does is contact my DNS server (I'm using ns2.fcc.net, Frontline Communication's second name server (ns2)) and ask what the IP address of madirish.net is. The DNS server checks its tables and finds the entry for 'madirish.net'. If a DNS server can't find the name it usually contacts a higher level DNS server to resolve the name.

Once your machine has the IP address of the intended recipient it initiates a connection. To do this your machine checks to see what the default router/gateway is and fires off a connection packet (sort of like a machine 'knock-knock' on a door to see if the recipient machine is turned on) to the gateway with a header that says it is intended for 207.188.197.44. The router or gateway is configured with a routing table, or listing of where to send packets to get to a host, and forwards the packet along on the internet to its destination. Sometimes the route to the target is really circuitous. To see how long it takes to get to madirish.net you can use a program called traceroute. This basically traces the route packets take to their intended host. Note that you'll have to have traceroute installed (try 'rpm -q traceroute'). Unfortunately traceroute uses UDP packets (or emergency packets) and madirish.net is set up to block all of these for security reasons. Try tracerouting to www.yahoo.com to get more illustrative results:

[root@laptop jkeane]# traceroute www.yahoo.com
traceroute: Warning: www.yahoo.com has multiple addresses; using 64.58.76.176
traceroute to www.yahoo.akadns.net (64.58.76.176), 30 hops max, 38 byte packets
 1  21.c5bccf.client.atlantech.net (207.188.197.33)  3.058 ms  3.175 ms  3.113 ms
 2  7d.d8bccf.client.atlantech.net (207.188.216.125)  7.440 ms  7.088 ms  6.553 ms
 3  core2-vl206.ss.atlantech.net (207.188.213.35)  7.716 ms  5.349 ms  10.171 ms
 4  core05-ss-fa0-0-0.ss.atlantech.net (207.188.210.66)  7.288 ms  3.596 ms  10.251 ms
 5  edge01-ash-ge-0-1-0.ash.atlantech.net (207.188.210.2)  9.656 ms  11.384 ms  58.354 ms
 6  exchange-cust1.ash.equinix.net (206.223.115.16)  12.012 ms  11.854 ms  7.916 ms
 7  vl21.bas1.dcx.yahoo.com (216.115.102.98)  11.503 ms  9.942 ms  10.509 ms  
 8  www7.dcx.yahoo.com (64.58.76.176)  9.660 ms  19.783 ms  12.473 ms

Wow! Lots of steps between me and www.yahoo.com. The first step is to my gateway though (207.188.197.33) and then on from there. You'll see from there packets go upstream to atlantech, bop around their network, then hit equinix.net and then finally over to yahoo.com. Once this connection is established your computer will begin transmitting the email in the form of packets (all numbered like our postcards), will wait for confirmation from the recipient, and will resend any packets that get lost. When the transmission is finally over the connection will terminate. You can imagine what a blizzard this type of communication will create on even a small network. It's a great system though, because if a network goes down somewhere in the middle of the communication, routers are supposed to find alternate routes to the destination (thus leading to the myth that the internet was designed to withstand nuclear war). With all the flood of packets out there it's easy to see how things can get lost, so it's good that TCP/IP expects data loss and compensates.

Ok, so now we understand the basics. But how is your computer's IP address set? Well, in most circumstances your IP gets set using DHCP or Dynamic Host Control Protocol. You can set up your machine to use DHCP to request an IP address. All DHCP servers do is keep a list of IP addresses and 'lease' them out by request. So when a computer comes online and requests an IP address from DHCP, the server will assign one of its available IP addresses from a list, and mark that address as in use. Once your machine turns off, the DHCP server will return the address to its list of those available for lease. Most ISPs use DHCP, and so do many office LANs. If you are fortunate enough to have your own IP though, you have to specifically set it. DHCP is nice though, because in addition to leasing out IP addresses, DHCP servers can also store default gateway IPs and DNS server IPs, so that when your computer requests an IP address the DHCP server can also fill in your computer's default gateway and DNS servers.

Now that you understand a little about what is going on, let's check out our default configuration. The first thing to take a look at is your own hostname, or the name your computer uses (and possibly DNS uses) to identify itself. To find your hostname type 'hostname' at the command prompt:

[root@laptop jkeane]# hostname
laptop.madirish.net

You'll see my hostname is 'laptop.madirish.net'. To change your hostname you use the same command, but specify the new hostname as an argument. For instance:

[root@laptop jkeane]# hostname mylaptop.madirish.net
[root@laptop jkeane]# hostname
mylaptop.madirish.net

And there you go :) This information, and all basic IP information is stored in your kernel. Your hostname is actually stored in a text file in /etc. Issue a 'pico /etc/HOSTNAME' to view the file. You can change your hostname here, but unfortunately you'll have to reboot for the changes to take effect.

Your Linux machine also has its own basic routing table. This is stored in /etc as well, in /etc/hosts. Take a look at it; it should list one entry that looks like this:

127.0.0.1	localhost.localdomain	localhost

The first column is an IP address, the second is the fully qualified (or not) domain name, and the third lists the alias (or other usable name to refer to the entry). You can add other hosts to this file if you want, especially if you're in a closed LAN. Your computer checks your /etc/hosts file before it checks DNS to resolve names, so entries here take precedence. So where is the text file containing the default gateway, broadcast, and other information? Well, actually there isn't one. Because networking is so essential to Linux your networking information is actually stored in the kernel. This doesn't mean though that you can't take a look at what is there and change it. Let's first take a look at how our default gateway is set up. To view this information type 'route' at the command prompt with the '-n' flag so we get IP numbers instead of domain names:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     10     0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     10     0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    10     0        0 eth0

You can change your router using the 'route' command. You can delete the current entry using 'route del', and add new entries using 'route add'. For instance, if I want to add a new route to a reserved network I can use:

[root@mylaptop etc]# route add 10.0.0.0 gw 207.188.197.45

This command adds a new route to any IPs in the 10.x.x.x range (with x being from 0-255) by sending all requests to those IPs through the gateway (gw) 207.188.197.45. If I had used the word 'default' instead of 10.0.0.0 I could change my default router ;) To check if the add worked I can use another 'route' command.

[root@mylaptop etc]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     10     0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     10     0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    10     0        0 eth0
10.0.0.0        207.188.197.45  255.255.255.255 UGH   0      0        0 eth0

And to get rid of the route I issue a:

[root@mylaptop etc]# route del 10.0.0.0 gw 207.188.197.45

Be careful playing with this because if you mess up your routing tables your internet connection will die. I'm only outlining this process for illustrative purposes (and sysadmin usage).
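To see which entry the kernel would actually pick for a given destination, here is an added example (my code, not part of the original article) that parses the 'route -n' listing above and does the same longest-prefix match the kernel does; the table is copied from the page, including the entry that 'route add' produced.

```python
import ipaddress

# Constructed from the `route -n` listing on this page, including the
# entry that `route add 10.0.0.0 gw 207.188.197.45` produced.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     10     0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     10     0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    10     0        0 eth0
10.0.0.0        207.188.197.45  255.255.255.255 UGH   0      0        0 eth0
"""


def parse_routes(text):
    """Turn `route -n` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the title and column header
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        # Destination + Genmask together define the prefix this entry covers.
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, flags, iface))
    return routes


def lookup(routes, dest):
    """Pick the entry the kernel would use: the most specific matching prefix.

    Returns (matched_prefix, how_the_packet_leaves) or None if nothing matches.
    """
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gw, flags, iface = max(matches, key=lambda r: r[0].prefixlen)
    # 'G' means the next hop is a gateway; otherwise the host is on the link itself.
    via = f"via {gw} on {iface}" if "G" in flags else f"directly on {iface}"
    return str(net), via


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for target in ("192.168.0.50", "10.0.0.0", "10.1.2.3", "207.188.197.44"):
        print(target, "->", lookup(table, target))
```

Because the added entry has a Genmask of 255.255.255.255 (the H flag), it matches only the single host 10.0.0.0; 10.1.2.3 still falls through to the default gateway, which is why covering a whole network needs the form 'route add -net 10.0.0.0 netmask 255.0.0.0 gw 207.188.197.45'.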

To play around with our IP settings we can use the 'ifconfig' command as before. We'll just specify a few flags. For instance, if I want to change my IP address to 127.0.0.1 I can issue 'ifconfig eth0 127.0.0.1' and then check it with 'ifconfig' like so:

[root@mylaptop etc]# ifconfig eth0 127.0.0.1
[root@mylaptop etc]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:30:F1:0F:F3:A4
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:4593 errors:0 dropped:0 overruns:0 frame:0
          TX packets:541 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:570316 (556.9 Kb)  TX bytes:61256 (59.8 Kb)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:92 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9016 (8.8 Kb)  TX bytes:9016 (8.8 Kb)

Once again be careful with this, since once your ethernet card is misconfigured your internet connection will die :)
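As an added example (not from the original article), here is a small Python check that parses the old net-tools 'ifconfig' output shown on this page and flags the misconfiguration just demonstrated: a non-loopback interface carrying a 127.x address, or an interface that is down or has no address. The sample text is constructed from the eth0 and lo blocks above.

```python
import re

# Constructed sample: the eth0 block after `ifconfig eth0 127.0.0.1` from this
# page, plus the loopback interface. A real check would feed it live `ifconfig` output.
SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:30:F1:0F:F3:A4
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""


def parse_ifconfig(text):
    """Map interface name -> {'addr': str or None, 'flags': set} from ifconfig output."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():  # a line starting in column 0 opens a block
            current = line.split()[0]
            ifaces[current] = {"addr": None, "flags": set()}
        elif current:
            m = re.search(r"inet addr:(\S+)", line)
            if m:
                ifaces[current]["addr"] = m.group(1)
            if "MTU:" in line:  # the flag line: "UP BROADCAST RUNNING  MTU:1500 ..."
                ifaces[current]["flags"] = set(line.split("MTU:")[0].split())
    return ifaces


def check_interfaces(ifaces):
    """Return a list of warnings for the mistakes this page warns about."""
    warnings = []
    for name, info in ifaces.items():
        if "UP" not in info["flags"]:
            warnings.append(f"{name}: interface is down")
        elif info["addr"] is None:
            warnings.append(f"{name}: no IPv4 address assigned")
        elif "LOOPBACK" not in info["flags"] and info["addr"].startswith("127."):
            warnings.append(f"{name}: loopback address on a non-loopback interface")
    return warnings


if __name__ == "__main__":
    for warning in check_interfaces(parse_ifconfig(SAMPLE)):
        print("WARNING", warning)
```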

Ok, so now we can configure all our basic networking options, but what about our DNS entries? Well, these are actually handily stored in a text file in the /etc directory. Check it out by using 'pico /etc/resolv.conf'. You should see something like this:

nameserver 207.197.222.7
nameserver 207.199.197.36

You can add nameservers to this file or edit your existing DNS servers by changing this file as you like. Be careful with this one too, because if you dump all your good name servers you won't be able to make any valid DNS queries and using the internet will become a lot more difficult. To find out more about the ifconfig command check out the man pages using 'man ifconfig'. Of course there are usually GUIs in your distribution that will help you do this a lot more quickly, but if something goes wrong you may want to have this information as a backup.