Network Configuration

Transcription

1

2 Network Configuration In order to access a network (whether a local area network or an Internet Service Provider), you need To have a network interface device for instance, an Ethernet card that physically connects to a network cable or is wireless, this would be called eth# such as eth0 there is also the loopback device which allows software running on your computer to communicate to your computer as if the communication came over the network, this device is called lo or localhost and is always denoted with the IP address of you cannot communicate over network if lo is down, but if lo is up it does not mean you can communicate over the network!

3 Network Configuration You need to have your network service running The network service establishes your IP address(es) Other services are useful but not critical such as your firewall (iptables) and nfs (to mount remote file systems) You need to have access to a network broadcast device This will typically be a router, gateway, switch or hub but may also be a MODEM

4 Computer Networks: Broadcast Devices Computers in a network operate by sending their messages to a nearby broadcast device The network is divided into subnets where each subnet is glued together by a broadcast device The hub is a device which broadcasts any received message to all connected devices The switch receives a message with an address and uses that address to send the message to one machine the address is a MAC address The router receives a message with an address and uses that address to send the message to one machine the address is a network address (IPv4, IPv6) The gateway is a router used to connect different types of networks together

5 Computer Networks Here we see a local area network in which two subnets uses switches and are connected together by a router The router knows how to route a message from network to network while the switch only knows how to route a message within the subnet or to the router

6 TCP/IP All Internet communication requires an implementation of TCP/IP This is a four-level protocol suite Each level can be implemented by one of many protocols

7 TCP/IP: Layers Application layer Application software takes your message and produces an initial, application-neutral message DNS, FTP, HTTP, IMAP, LDAP, MIME, NFS, POP, SSH, SMTP, SNMP, Telnet Transport layer Uniform interface between two resources Supports host-to-host communication Segments message into packets Adds detail such as packet number (6 of 9), checksum for error correction (if needed) TCP, UDP, also SCTP, DCCP, UDP Lite

8 TCP/IP: Layers Internet Layer Add appropriate address(es) to message header IPv4 or IPv6 addressing IPv4 uses 32 bits as 4 octets, each octet is 8 bits (or an integer between 0 and 255) 32 bits gives us a little over 4 billion addresses, most of which have been used so we need larger addresses and thus IPv6 IPv6 uses 128 bits as 32 hexadecimal digits Gives us over addresses! Communicate with routers Link layer Handles physical communication including such tasks as modulation, multiplexing Operates with MAC addresses instead of IP addresses

9 TCP/IP: Ports A 16-bit number assigned with a message s address as the destination for the message The port is a specification of the protocol that the message should use to be received The protocol then dictates the application software to be used to handle the message 16 bits gives us ports numbered 0 to 65,535 Most ports are unassigned but many of the first 1024 ports are assigned to currently used protocols or protocols being developed

10 TCP/IP: Common Ports Port Packet Type (TCP, UDP) Usage 20 both FTP data 21 TCP FTP control 22 both ssh (also SCP, SFTP) 23 both telnet 25 TCP SMTP 43 TCP WHOIS 53 both DNS 57 TCP Mail transfer protocol 67 UDP Bootstrap Protocol (used by DHCP) 68 UDP Bootstrap Protocol (used by DHCP) 70 TCP Gopher 80 TCP HTTP 109, 110 TCP POP2, POP3 118 both SQL 123 UDP Network time protocol

11 TCP/IP: Common Ports Port Packet Type (TCP, UDP) Usage 161 UDP SNMP 194 both IRC (Internet relay chat) 443 TCP HTTPS 514 UDP Syslog (Linux system logging) 530 both RPC 636 both LDAP 989 both FTPS data (FTP over TLS/SSL) 990 both FTPS control (FTP over TLS/SSL) 992 both Telnet over TLS/SSL 2049 both NFS 3128 TCP Squid proxy TCP IRC both BitTorrent 8008, 8080, TCP Alternate for HTTP 8090

12 TCP/IP: IPv4 vs IPv6 IPv4: 32 bit addresses Protocol dates back to the 80s at a time when there were thousands of hosts (instead of billions) IPv6: 128 bit stored as 32 hexadecimal digits grouped into 8 sections, separated by colons 1234:5678:90ab:cdef:0012:0034:0000:5678 a 0000 entry can be deleted so that the address 1234:5678:9000:0000:0000:0000:00bc:def0 can appear as 1234:5678:9000::00bc:def0

13 TCP/IP: IPv4 vs IPv6 IPv4 is not set up to handle secure transmission Today, we add SSL on top of the protocol IPv6 is an attempt not only to increase the number of addresses but also to rectify other problems of IPv4 IPsec (IP security) for encryption auto configuration for hosts on a network optional header components for smaller (when available) header sizes but can also be expanded to what we call jumbograms

14 TCP/IP: IPv4 vs IPv6 Many networks are not yet IPv6 compliant Most operating systems can handle IPv6 but not all network administrators have set it up Or there are network devices that cannot handle it (e.g., routers) IPv4 and IPv6 are not compatible (different addresses, different headers) So most networks need to implement both versions (or at least IPv4) Another solution is to use a tunnel in IPv4 where inside the tunnel we have IPv6

15 The Internet: DNS The Internet is made up of domains and subdomains Domains and subdomains are managed by authorities We tend to use IP aliases to reference resources on the Internet because they are easier to remember than IP addresses However, we need to then have a mechanism to map from an IP alias to the proper IPv4 (or IPv6) address We use the domain name system (DNS) for this Scattered around the Internet are devices that contain this mapping information, DNS name servers

16 The Internet: Name Servers Every organization that exists in its own domain (subdomain) has its own DNS name server It is the authority for the devices within its domain If you want to map an IP alias to an address, how do you find that particular name server? You don t, instead you query your own name server and if it has the information cached locally, it returns it to you Otherwise, it kicks the request to another DNS name server This makes for recursive name servers and when a name server receives information from another, it can cache it locally making it a caching name server

17 The Internet: Domains and Subdomains The top-level domains of the Internet are well-defined.edu,.gov,.net,.com, etc Within each of these, subdomains are established by requesting a domain name and IP addresses amazon.com, nku.edu Within a subdomain, the organization can define further subdomains informatics.nku.edu it.nku.edu And then within the organization, you name your resources and provide them IP addresses This information is then stored in your organization s name server(s)

18 The Internet: Name Servers There are generally two forms of name servers Authorities those that an organization has that describes their domain and subdomains Caches those that merely cache responses from other authorities so that requests can be handled locally note that authorities can also be caching name servers In Linux Your local DNS name servers addresses are stored in the file /etc/resolv.conf If you already know the IP address for an alias and want to bypass DNS, store this mapping information locally in /etc/hosts (but if this information changes on you, you will have to update this yourself)

19 Linux: network Service network used to establish IP addresses for your interfaces loopback (lo) is always but eth0 (or other interface device) will not be established unless network is running network also establishes your /etc/resolv.conf DNS server addresses starting this service runs the script /etc/init.d/functions followed by /etc/sysconfig/network this gives you the environment variables NETWORKING=yes and HOSTNAME=hostname it then runs the script /etc/sysconfig/network-scripts/networkfunctions

20 Linux: network Service The network-functions script Queries devices for their statuses (up or down) Sets the interface s MAC address or if there is a wireless device available Establish values for variables hostname, IP address, default routes Locate the local network s gateway At this point, all network interface devices will be known and either be down or up with IP addresses assigned to them

21 Linux: network-scripts Directory This directory is used to house scripts that can start and stop interface devices It also stores the configuration files for all of your network devices (and lo) A script like ifup-eth or ifdown-eth can start or stop the given device Or, you can start or stop a device using the more generic ifup and ifdown by supplying the device name

22 Linux: ifcfg-eth0 This file contains a list of directives that establish environment variables for your eth0 device This will include (see the next slides for descriptions of these variables) BOOTPROTO HWADDR ONBOOT DEVICE and/or NAME BROADCAST or GATEWAY (assigned if static) IPADDR (assigned if static)

23 Linux: ifcfg-eth0 Variable Range/Type of Value Meaning BOOTPROTO static, dhcp, none Source of the IP address (static or via DHCP server or none at all) BROADCAST IP address Broadcast device s address (typically you will use this variable or GATEWAY but not both) DEVICE alphanumeric Device s name (e.g., eth0, ippp, lo) DHCP_HOSTNAME IP alias Name of DHCP server DHCP_TIMEOUT integer Number of seconds before timing out when waiting for DHCP server to respond GATEWAY IP address IP address of subnet router/gateway HWADDR hexadecimal address MAC address of device IPADDR IP address Set by system administrator for static IP IPV6INIT yes, no Initialize IPv6 address by default NAME alphanumeric Name of device, e.g., ethernet, loopback

24 Linux: ifcfg-eth0 Variable Range/Type of Value Meaning NETMASK Subnet mask The mask used to obtain the local network portion of the IP address, e.g., NETWORK network address IP address of the local network NM_CONTROLLED yes, no Whether the device is controlled by a network manager program ONBOOT yes, no Whether to start this interface upon boot or have it manually started TYPE alphanumeric Type of device, e.g., Ethernet, PPP USERCTL yes, no Is user allowed to control this device? UUID hexadecimal address Address of physical device

25 Internet: Netmask One variable needed for network communication is the netmask The netmask is used to obtain the network portion of an IPv4 address The netmask is either assigned by the network administrator or provided by the network s gateway The idea is to AND the netmask with the IP address which gives you the IP address of the local network hosting the resource If you NOT the netmask and apply this to the IP address of the resource you are given its local address within the network

26 Internet: Netmask Let s look at some examples Assume the IP address of And a netmask of AND = This example is not very illustrative of the concept because 240 AND 12 = 0, let s try the IP address AND =

27 Linux: Other Network Services snmpd (Simple Network Management Protocol daemon) Listen and respond to SNMP messages This is usually used by a network administrator to control a device remotely portreserve and portrelease While most ports that we use are already reserved, you can temporarily assign a port to a particular application and then release it later Avahi Discovers available services on y our local network such as printers and file servers

28 Linux: Other Network Services rdisc Locates your subnet s router using ICMP (Internet Control Message Protocol) dnsmasq A simplified DNS server that is primarily used to cache previously fulfilled IP alias to address mappings as provided by DNS name servers postfix Controls Linux and calls upon the sendmail program httpd The Apache web server certmonger Maintains your downloaded digital certificates and keeps them up to date

29 Linux: xinetd Service Sometimes known as a superserver It is a service that calls other network services on demand This is preferably than keeping the various on demand services running all the time Use the /etc/xinetd.conf file to configure it First define default configurations including number of available instances and who will handle logging and what should be logged Then for each service, provide a configuration that includes the service s executable location, whether the service can operate in a multithreaded mode and how logging information should be adjusted

30 Linux: xinetd Service Here we see a default setting followed by the specific setting for rsync defaults { instances = 50 log_type = RSYSLOG authpriv log_on_success = PID HOST DURATION EXIT log_on_failure = HOST cps = umask = 002 } includedir /etc/xinetd.d service rsync { disable = yes flags = IPv6 socket_type = stream wait = no user = root server = /usr/bin/rsync server_args = --daemon log_on_failure += USERID }

31 IP Addresses: Static The network administrator assigns the resource with its IP address This is typically reserved for servers as we would not want a server s IP address to change (or change often) but we would not have to do this for non-servers such as workstations In the ifcfg file (e.g., ifcfg-eth0) IPADDR=static address BOOTPROTO=static Manually assign NETMASK, HOSTNAME, GATEWAY (or BROADCAST)

32 IP Addresses: Dynamic An organization will have a limited number of addresses available Rather than assigning one per device, let the device request an address when the device is in use (booted) This approach uses dynamic IP addressing Some device needs to be in charge of handling the pool of addresses and assigning one on demand to a device Usually we will have our network s router or gateway handle this task

33 IP Addresses: DHCP Server Dynamic Host Configuration Protocol Based on the Boostrap Protocol from the early 90s The DHCP server receives a request from a client on its subnet and assigns it one of the available IP addresses Sometimes addresses are assigned temporarily known as a lease if the time limit expires, the client must request a new address but it may request the same one if it is still available DHCP is available for Linux, stored under /sbin/dhclient

34 IP Addresses: DHCP Server DHCP Directives Directive Meaning subnet DHCP s network (or subnet) address netmask DHCP s local network (or subnet) netmask range Range of IP addresses available to assign to clients, ranges are indicated by separating IP addresses with a space as in routers IP address (or alias) of router(s) that DHCP server will respond to domain-name organization (or subnet) domain name domain-nameservers IP addresses (or aliases) of domain DNS servers default-lease-time value value is the amount of time (in seconds) that an IP address can be made available to a client max-lease-time value value is the maximum amount of time IP address is leased authoritative If listed, means this DHCP is the official server for network log-facility level Use level listed for syslogd logging (e.g., local7) group Specify parameters that apply to a group of subnets

35 IP Addresses: DHCP Server Example configuration for a DHCP server operating on two subnets option domain-name somecompany.com; option domain-name-servers ; subnet netmask { range ; option broadcast-address ; option routers ; } subnet netmask { range ; broadcast-address ; option routers ; }

36 Linux: Network Programs The ip program is an umbrella program handling tasks of many older Linux network instructions It can assign/display/delete IP addresses for interfaces It can assign/display a network device It can manipulate, replace, display or delete router tables It can add, change, delete or display neighbor ARP and cache entries It can create a tunnel over IP The syntax of the instruction differs by the object type (e.g., address versus route versus tunnel) Each object type will have its own type of operation such as set, show, add, change, del, flush, or replace

37 Linux: Network Programs ifconfig set or display IP addresses of interfaces (including lo), replaced by ip ping/traceroute send out packets and respond about time to receive responses (traceroute also outputs the routers in the path taken) route display or modify the router table(s), replaced by ip ss display socket usage information and statistics netstat provide network connection information, replaced by ss

38 The Firewall A firewall is a program that examines messages and decides whether the messages should be allowed passed the firewall A firewall can examine incoming messages, outgoing messages and forwarding messages Messages being forwarded are usually only of interest to broadcast devices like routers, we typically wouldn t worry about such messages for our PCs A stateful firewall is one that can apply rules not just to one message but to many related messages Such as the messages that make up a session with a remote host

39 The Firewall Firewalls can run on PCs/laptops and mobile devices We can also implement them in routers We can also implement them in other software/servers like Proxy servers While a firewall is software, we might have a dedicated computer serve as a firewall for an organization In this case, the firewall is both software and hardware We would implement the firewall on a device the serves as our Internet connection A firewall uses a set of rules which analyze a message for specific criteria to decide what to do with the message

40 The Firewall Here we seen an example of a firewall which is allowing all outgoing messages to move from the computer to the Internet while restricting incoming messages to only those that pass the firewall s rules

41 The Firewall: iptables In Linux, the firewall service is called iptables There is also ip6tables for IPv6 Each of these has two files of note iptables-config (and ip6tables-config) which is the configuration file that dictates mostly how the firewall information can be viewed iptables (and ip6tables) which is the rules file You can also adjust the firewall through the Firewall GUI (refer back to chapter 11)

42 The Firewall: iptables The config file uses the following directives Directive Meaning Default IPTABLES_MODULES List of modules to load (none) IPTABLES_MODULES_UNLOAD Unloads modules on stop/restart yes IPTABLES_SAVE_ON_STOP IPTABLES_SAVE_ON_RESTART IPTABLES_SAVE_COUNTER Rules may be added to your firewall from the command line; if this directive is set to yes then rules are saved to iptables upon stopping the firewall If set to yes, saves all current rules to iptables uponrestarting the firewall Saves all chains of rules and counters for rules to iptables upon stop or restart IPTABLES_STATUS_NUMERIC Print IP addresses and ports in numeric yes format IPTABLES_STATUS_VERBOSE Print statistics about packets and bytes yes IPTABLES_STATUS_LINENUMBERS Print line numbers of rules yes no no no

43 The Firewall: iptables Here we see the output of /sbin/service iptables status with the following directive values IPTABLES_STATUS_VERBOSE=yes IPTABLES_STATUS_LINENUMBERS=yes

44 The Firewall: iptables Rules are placed into chains For instance, all INPUT rules are in one chain, all OUTPUT rules are in a separate chain Most rules use the A option to indicate that we are adding this rule to an existing chain Syntax: -A chain [options] [-j target] The chain will be INPUT, OUTPUT, FORWARD Options specify the criteria by which this rule will judge a packet, such as destination port or source IP address Target is one of ACCEPT, REJECT, DROP or LOG

45 The Firewall: iptables The targets are defined as follows ACCEPT permit the packet entry to the system REJECT reject the packet and notify the sender DROP reject the packet without notifying the sender LOG log the packet but continue chaining rules to reach one of the other targets. The distinction here is between REJECT and DROP because DROP does not notify sender You would use DROP if you feel the message was spam or an attack

46 The Firewall: iptables Option Meaning Example -p protocol True if the message is of the given protocol -p tcp -i interface True if message received by given interface -i eth0 -o interface True if message sent over given interface -o lo -s address True if message originated from given IP -s address -s /16 -d address True if message being sent to IP address -d dport port True if message is intended to be received --dport 431 at given port --sport port True if message originated from port --sport 22 --dports port1,port2, --sports port1,port2, True if message intended for any ports --dports 80,8080,443 True if message originated from any ports --sports 67,68

47 The Firewall: iptables Another option is m to specify a further module to use There are numerous modules (see the next slide) One module is state which will test the state of the message Is this a new message, a message in response to an already established communication, or a message related to an already established communication? By using this module with ESTABLISHED and/or RELATED then you can allow messages in through your firewall if they are in response to messages that you initiated (such as an HTTP request)

48 The Firewall: iptables Module Meaning Extensions addrtype Match based on source --src-type type address type or destination --dst-type type address type Types include BLACKHOLE, BROADCAST, MULTICAST, NAT, UNICAST conntrack Match based on the connection s status --ctstate state States include INVALID, ESTABLISHED, NEW, RELATED, SNAT, DNAT icmp Match based on ICMP type --icmp-type [!] type Type can be any ICMP type or its corresponding number iprange Match if message s source or destination falls within the given range [!]--src-range range [!]--dst-range range Range denoted as address1-address2 length Match if message s length is equal to, or within the range, provided limit Limit the number of received messages time Match if specified time is met --length [!] length[:length] Examples: --length 500: length! 0 --limit-burst number --timestart value, --timestop value, --days days, --datestop days value is a time given in hh:mm format and days is Mon, Tue, Wed, etc

49 The Firewall: iptables You can add a default rule to serve at the end of a chain -P INPUT REJECT if the message does not match any rule in the INPUT chain, then reject it If you want to start with all new rules, use F to flush the current chain and then define new rules This makes more sense when you are defining rules from the command line To input a rule from the command line, prepend iptables to the rule as in iptables A INPUT To list all rules of a chain, use -L

50 The Firewall: iptables Here we look at an example P INPUT REJECT # default for incoming packets P OUTPUT ACCEPT # allow all outgoing messages P FORWARD DROP # do not perform forwarding # Forwarding is commonly used for routers, not workstations. A INPUT i lo j ACCEPT # accept anything over lo A INPUT p tcp --dport 22 j ACCEPT # accept incoming ssh A INPUT m state --state ESTABLISHED,RELATED j ACCEPT # accept continuation messages of previously established connections A INPUT p icmp j ACCEPT # accept ICMP messages A INPUT i eth0 s /24 j ACCEPT # accept messages from # subnet A INPUT p tcp s facebook.com --sports 80, 443 j DROP # drop webpage responses from facebook.com

51 The Firewall: iptables Additional rules A INPUT p tcp m multiport --dports 80,8080,443 m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT s /13 j DROP A INPUT p tcp m multiport --dports 80, 443 m limit --limit 25/minute --limit-burst 100 j ACCEPT A INPUT p icmp --icmp-type echo-request j DROP A OUTPUT p icmp --icmp-type echo-reply j DROP A LOGGING --log-level 7 j LOG A LOG j DROP

52 Network Scripts We wrap up by looking at some shell scripts that might be useful tools try_ip( ) { ip=$1 num=$2 x=`ping c $num q $ip awk '/received/ {print $4}'` if [ $x eq 0 ]; then echo "$ip not responsive on `date` with $num tries" >> /root/net_stats/non_responding_devices.txt fi } list=( ) for ip in $list; do try_ip $ip 10 done

53 Network Scripts try_wget( ) { filename=$2.index /usr/bin/wget q --tries=$1 $2 O /root/$filename if [ -e $filename ] then rm /root/$filename return 0 else return 1 fi }

54 Network Scripts urls=( numattempts=0 contact=0 while [[ $contact eq 0 && $numattempts lt ${#urls[@]} ]] do u=${urls[numattempts]} try_wget 5 $u if [ $? eq 0 ]; then contact=1 fi numattempts=$((numattempts+1)) done if [ $contact eq 1 ]; then echo Warning, Internet connection appears to be down fi

55 Network Scripts list= # start list as NULL count=0 for user in `who egrep v $USER awk '{print $1}'`; do if [ -z `echo $list grep $user awk '{print $1}'` ]; then list="$list $user" fi done echo "Users at `date` are $list" >> /root/logged_in_users.txt