TCPIP Networking by utg65734


TCP/IP Networking
• Objectives
   – to learn how to integrate a RedHat system onto a TCP/IP network
• Contents
   –   the TCP/IP protocol suite
   –   IP addressing
   –   basic TCP/IP applications
   –   TCP/IP configuration files
• Practicals
   – working with TCP/IP utilities and files
• Summary
Overview of TCP/IP
• US DoD-funded experimental network
  – supports inter-networks, inter-host communication
  – the most popular UNIX networking protocols
• Three basic protocols
  TCP - a reliable session protocol: telnet, ftp
  UDP - low-overhead, sessionless: NFS, NIS, DNS, routing
  IP - network layer protocol, sessionless, the base of TCP and UDP

  [Diagram: hosts on a network connected through a gateway]
Internet Protocol Address
• All networked systems need a unique IP address
     – the address has four dot-separated numbers (each 0 - 255)
     – the IP address is mapped to hardware using the ARP or RARP protocols
• Companies are allocated a site address by the NIC
     – allocated class A, B or C address ranges
     – the local administrator allocates individual host numbers
• Some address values are reserved
     – 0 is not used
     – 255 is reserved for broadcasts
• Network address 127 is reserved for loopback
• Network address 10 is reserved for internal networks
• Network address 172.16 is reserved for internal networks
• Network address 192.168 is reserved for internal networks
IP Address Format
• Class A addresses: leading bit 0, 7-bit network address, 24-bit host address
    network addresses in range 0 - 126
• Class B addresses: leading bits 10, 14-bit network address (16-bit network part), 16-bit host address
    network addresses in range 128.0 - 191.254
• Class C addresses: leading bits 110, 21-bit network address (24-bit network part), 8-bit host address
    network addresses in range 192.0.0 - 223.254.254
Defining IP Addresses
• Traditionally IP addresses are defined in /etc/hosts
   – one line per known host, defining IP address, hostname and aliases
   – if the last line is a + then NIS is being used
   – hostnames are limited to 8 characters
• Larger sites use DNS (Domain Name Services)
   – one or more hosts on the network maintain all IP addresses
   – individual hosts request addresses as needed
   – addresses are cached locally to optimise DNS

       # more /etc/hosts
       127.0.0.1            localhost.localdomain localhost
       192.168.0.12         mash4077       loghost mailhost
       192.168.0.42         rosies         printserver
       10.1.1.1             seoul
Analyze Network Interface Configuration
• Use ifconfig to view network interfaces
     – use the -a option to list all configured interfaces


# ifconfig -a
eth0    Link encap:Ethernet HWaddr 00:50:04:50:61:98
        inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:59078481 errors:0 dropped:0 overruns:84 frame:0
        TX packets:53902612 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0

lo      Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        UP LOOPBACK RUNNING MTU:16436 Metric:1
        RX packets:22596609 errors:0 dropped:0 overruns:0 frame:0
        TX packets:22596609 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0
# ifconfig eth0 down
# ifconfig eth0 up
Network Interface Configuration
• Use ifconfig to configure the network interface
     # ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up

• Permanent changes in /etc/sysconfig/network-scripts
     Files are named like ifcfg-eth0
     DHCP settings:
         DEVICE=eth0
         BOOTPROTO=dhcp
         ONBOOT=yes
     STATIC settings:
         DEVICE=eth0
         USERCTL=no
         ONBOOT=yes
         BOOTPROTO=none
         BROADCAST=192.168.0.255
         NETWORK=192.168.0.0
         NETMASK=255.255.255.0
         IPADDR=192.168.0.1
• Alias interfaces
         # ifconfig eth0:0 192.168.1.12
     Permanent changes in /etc/sysconfig/network-scripts/ifcfg-eth0:0
     with DEVICE=eth0:0

• Releasing/Renewing IP addresses
     ifdown eth0 / ifup eth0
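Worked example (added here; not from the course slides): a small Python helper that applies the classful rules and reserved ranges from the Internet Protocol Address and IP Address Format slides, then derives the NETWORK and BROADCAST lines of the static ifcfg-eth0 settings from IPADDR and NETMASK, refusing host values of 0 or all ones. It assumes the 172.16 range means the whole 172.16.0.0/12 block.

```python
# Added example (not from the course slides): classful inspection of IPv4
# addresses and derivation of the static ifcfg-eth0 NETWORK/BROADCAST values.
import ipaddress

# Internal ranges listed on the slide; 172.16 is taken as the whole /12 block
# (assumption, RFC 1918), the slide itself only names "172.16".
INTERNAL = [ipaddress.IPv4Network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_class(addr: str) -> str:
    """Classful category from the first octet, per the IP Address Format slide."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 127:
        return "loopback"       # 127.x.x.x is reserved for loopback
    if first <= 126:
        return "A"              # leading bit 0: 7-bit network, 24-bit host
    if first <= 191:
        return "B"              # leading bits 10: 14-bit network, 16-bit host
    if first <= 223:
        return "C"              # leading bits 110: 21-bit network, 8-bit host
    return "other"              # multicast/experimental, not on the slide

def is_internal(addr: str) -> bool:
    """True for the internal (non-routable) ranges the slide reserves."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in INTERNAL)

def is_usable_host(ipaddr: str, netmask: str) -> bool:
    """Host part must not be 0 (network) or all ones (broadcast)."""
    iface = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}")
    host_part = int(iface.ip) & int(iface.network.hostmask)
    return host_part not in (0, int(iface.network.hostmask))

def ifcfg_static(device: str, ipaddr: str, netmask: str) -> dict:
    """Settings for a static ifcfg-<device>, with NETWORK and BROADCAST
    computed from IPADDR and NETMASK instead of being typed by hand."""
    if not is_usable_host(ipaddr, netmask):
        raise ValueError(f"{ipaddr}/{netmask}: host part is reserved")
    net = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}").network
    return {
        "DEVICE": device, "BOOTPROTO": "none", "ONBOOT": "yes", "USERCTL": "no",
        "IPADDR": ipaddr, "NETMASK": netmask,
        "NETWORK": str(net.network_address),
        "BROADCAST": str(net.broadcast_address),
    }

def render_ifcfg(settings: dict) -> str:
    """KEY=value lines in the /etc/sysconfig/network-scripts format."""
    return "".join(f"{k}={v}\n" for k, v in settings.items())

if __name__ == "__main__":
    for a in ("10.1.1.1", "172.16.0.5", "192.168.0.42", "127.0.0.1"):
        print(a, ip_class(a), "internal" if is_internal(a) else "public")
    print(render_ifcfg(ifcfg_static("eth0", "192.168.0.1", "255.255.255.0")))
```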
Routing information
• Use route to get/manipulate network routing
   –   Show the route table with netstat -r (or -rn for numeric output) or route
   –   Routes to all directly connected networks are created automatically
   –   To add a net-route: route add -net 192.168.7.0 gw 192.168.1.254
   –   To delete a net-route: route del -net 192.168.7.0 gw 192.168.1.254
• RedHat can handle RIP/OSPF + traffic shaping
   The metric value gives priority when the values differ; equal metrics give round robin:
     route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.253 metric 10
     route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.254 metric 10
   Delete the route:
     route del -net 192.168.3.0 netmask 255.255.255.0

# route
Kernel IP routing table
Destination     Gateway           Genmask           Flags   Metric   Ref   Use   Iface
80.84.37.0      *                 255.255.255.240   U       0        0       0   eth3
172.16.0.0      *                 255.255.255.0     U       0        0       0   eth2
192.168.1.0     *                 255.255.255.0     U       0        0       0   eth0
192.168.0.0     *                 255.255.255.0     U       0        0       0   eth1
127.0.0.0       *                 255.0.0.0         U       0        0       0   lo
default         router.ing-stee   0.0.0.0           UG      0        0       0   eth3
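Worked example (added here; not from the course slides): route selection over the table printed above, using longest prefix match and then the metric, with the two equal-metric routes to 192.168.3.0 from the slide used in turn. The default gateway address 80.84.37.1 is taken from the GATEWAY= line on the sysconfig slide that follows; binding both 192.168.3.0 routes to eth0 is an assumption drawn from their gateways lying in 192.168.1.0/24.

```python
# Added example (not from the course slides): how the kernel picks a route from
# the table on the slide (longest prefix, then lowest metric), and how two
# equal-metric routes to 192.168.3.0 are used in turn (round robin).
import ipaddress

# Routing table from the slide as (Destination, Gateway, Genmask, Metric, Iface).
# "*" = directly connected. The default gateway address is taken from the
# GATEWAY= line on the sysconfig slide (the route output truncates its name).
ROUTES = [
    ("80.84.37.0",  "*",          "255.255.255.240", 0, "eth3"),
    ("172.16.0.0",  "*",          "255.255.255.0",   0, "eth2"),
    ("192.168.1.0", "*",          "255.255.255.0",   0, "eth0"),
    ("192.168.0.0", "*",          "255.255.255.0",   0, "eth1"),
    ("127.0.0.0",   "*",          "255.0.0.0",       0, "lo"),
    ("0.0.0.0",     "80.84.37.1", "0.0.0.0",         0, "eth3"),
]

# The two "route add ... metric 10" lines from the slide; eth0 is assumed
# because both gateways lie in 192.168.1.0/24.
EQUAL_METRIC = [
    ("192.168.3.0", "192.168.1.253", "255.255.255.0", 10, "eth0"),
    ("192.168.3.0", "192.168.1.254", "255.255.255.0", 10, "eth0"),
]

def candidates(dest: str, routes: list) -> list:
    """Return the (gateway, iface) entries that win for dest: the longest
    matching prefix, and among those only the lowest metric."""
    ip = ipaddress.IPv4Address(dest)
    best_key, best = None, []
    for d, gw, mask, metric, iface in routes:
        net = ipaddress.IPv4Network(f"{d}/{mask}")
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)       # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best = key, [(gw, iface)]
        elif key == best_key:
            best.append((gw, iface))
    return best

def next_hop(dest: str, routes: list, turn: int = 0) -> tuple:
    """Pick one candidate; equal-metric routes alternate with the turn counter,
    which is the round-robin behaviour the slide describes."""
    cands = candidates(dest, routes)
    if not cands:
        raise LookupError(f"no route to {dest}")
    return cands[turn % len(cands)]

if __name__ == "__main__":
    for dest in ("80.84.37.5", "80.84.37.20", "192.168.1.37", "127.0.0.1"):
        print(dest, "->", next_hop(dest, ROUTES))
    for turn in range(3):                    # 192.168.3.x alternates between gateways
        print("192.168.3.7", "->", next_hop("192.168.3.7", ROUTES + EQUAL_METRIC, turn))
```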
Routing information configuration
• Use route to configure the default router
                              # route add default gw 192.168.1.1 eth0

• Permanent changes in /etc/sysconfig/
   Files named network:       GATEWAYDEV=eth0
                              NETWORKING=yes
                              FORWARD_IPV4=yes
                              NISDOMAIN=nis.ikea.se
                              HOSTNAME=node01.ikea.se
                              GATEWAY=80.84.37.1
• Using several routes
      # route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 eth0
   Permanent changes in /etc/sysconfig/static-routes
               eth0 net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254
   Or better use /etc/rc.d/rc.local
            route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 eth0
Adding/Removing NICs
•   Adding a NIC
    1. Before going further, find out the current NIC order
       a) By physical inspection, pinging and moving cables.
       b) Look in /etc/modprobe.conf, or find the NIC modules with lsmod and ksyms -m or
          -am. The kernel key symbol is exported like [3c59x] for 3c905 boards.
       c) Modify /etc/modprobe.conf to reflect your wished NIC order.
    2. Check whether the new NIC needs to be added to the kernel or the kernel needs a
       patch. If that is the case, recompile the kernel and do step 1 again!
    3. Power off the host
    4. Insert the new NIC
    5. If you are lucky, kudzu will find the new NIC and add it for you; you will be
       asked for configuration parameters.
       NOTE! Kudzu can destroy the current configuration in /etc/modprobe.conf and
       change the NIC order.
    6. If everything goes well you can now go to step 1 once again to check your
       NIC order. If you are satisfied it is time to make the NIC configuration permanent.

    Removing a NIC: you basically do the same steps, but now you remove support;
    kudzu will detect the NIC removal and you can keep its configuration.
Changing NIC parameters
• Use mii-tool to view NIC settings
  # mii-tool -v
  [steen@lina sysconfig]$ mii-tool -v | more
  eth0: negotiated 100baseTx-FD, link ok
    product info: vendor 00:10:18, model 18 rev 0
    basic mode: autonegotiation enabled
    basic status: autonegotiation complete, link ok
    capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
    advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
    link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
• Using mii-tool to force 100MBit/s Full Duplex
   # mii-tool -F 100baseTx-FD eth0


• Making changes permanent /etc/rc.d/rc.local
Nameservers for non-nameserver hosts
• Nameservers are listed in /etc/resolv.conf
   General format:   domain my-site.com
                     search my-site.com
                     nameserver ip 2
                     nameserver ip 1
                     nameserver ip 3

   nameserver        The nameservers to query for names
   domain            My domain; my host is added to this domain.
   search            A space-delimited list of at most six domains to append to a
                     hostname in the query if the domain is missing.
   options           rotate        round-robin the nameserver list
                     timeout:n     default is 30 seconds
                     attempts:n    default is 3 or 4
• The search order for finding hosts is stored in /etc/host.conf
                       order hosts,bind
• Name Service Switch config file /etc/nsswitch.conf
                       hosts: files dns
Looking at Network Statistics
• Use netstat to get network status information
    – use -a to view all sockets
    – use -i to view interfaces
    – use -rn to view the routing table with numeric addresses

# netstat -i
Kernel Interface table
Iface MTU   Met RX-OK    RX-ERR RX-DRP RX-OVR   TX-OK    TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0     59098394 0      0      84       53924429 0      0      0      BRU
lo    16436 0   22598046 0      0      0        22598046 0      0      0      LRU
Looking for a System
• The simplest TCP/IP utility is ping which sends a message
  to a host and waits for a reply
  – the host can be specified as a name or an IP address
   $ ping -c1 gkse1
   PING gkse1.ing-steen.se (80.84.37.2) from 80.84.37.3 : 56(84) bytes of data.
   64 bytes from gkse1.ing-steen.se (80.84.37.2): icmp_seq=0 ttl=64 time=1.119 msec

   --- gkse1.ing-steen.se ping statistics ---
   1 packets transmitted, 1 packets received, 0% packet loss
   round-trip min/avg/max/mdev = 1.119/1.119/1.119/0.000 ms
   $ ping ulf2
   PING ulf2.intra.ing-steen.se (192.168.1.37) from 192.168.1.100 : 56(84) bytes of data.
   From lina.intra.ing-steen.se (192.168.1.100): Destination Host Unreachable

   --- ulf2.intra.ing-steen.se ping statistics ---
   1 packets transmitted, 0 packets received, +1 errors, 100% packet loss
   $ ping dude
   ping: unknown host dude
Network layer 2
• To see if you have contact with network layer 2
    – use ifconfig
        Shows if interfaces are up
    – use arp
        Shows the local arp cache
• Manipulate the arp cache
    – Add a static entry
        To secure the system and increase network speed
    – Flush the arp cache
        If you have stale arp entries
    – Delete an entry from the arp cache
        Remove faulty entries
# arp -s 192.168.0.12 00:0B:5F:12:81:00
# arp -d 192.168.0.12
# arp
Address               HWtype   HWaddress           Flags Mask   Iface
router.ing-steen.se   ether    00:0B:5F:12:81:00   C            eth3
grey.ing-steen.se     ether    00:06:5B:1A:84:11   C            eth3
Telnet & local name resolution
• The Telnet command is used to connect to another
  machine over a TCP/IP network
   – a connection is established and the user logs on as normal
   – enable it with chkconfig telnet on
   – telnet is an xinetd daemon service: /etc/xinetd.d/telnet
    $ uname -n
    a01
    $ telnet a02
    My RedHat linux server!
    login: hawkeye
    password:
    Welcome to Uncle Sam's wonderful world of Unix
    Remember the bar never closes!
    $ uname -n
    a02

• Local name resolution is in /etc/hosts
     # cat /etc/hosts
     127.0.0.1          localhost.localdomain   localhost        a01
     192.168.0.1        a01.my-site.com a01     # This host IP address!
     192.168.0.2        a02.my-site.com a02     # Other important hosts
     192.168.0.3        a03.my-site.com a03
     192.168.0.4        a04.my-site.com a04
     192.168.0.5        a05.my-site.com a05
     192.168.0.6        a06.my-site.com a06
SSH
• The SSH command is used to connect to another machine
  over a TCP/IP network
  – a connection is established and the user logs on as normal
  – chkconfig --add sshd registers the ssh service
  – the ssh config files sit in /etc/ssh; sshd runs as a stand-alone server

    $ hostname
    a02
    $ chkconfig --list sshd
    sshd    0:off  1:on  2:on  3:on  4:on  5:on  6:off
    $ ssh -l peter a01
    password:
    $ hostname
    a01


  – ssh is standard in RedHat 9
File Transfer Protocol
• FTP is an interactive utility for network file transfer
   – login to remote host supplying username and password
   – Client/Server concept
• Restrict FTP access using /etc/vsftpd/vsftpd.ftpusers file
   – FTP access is denied to users named in this file

        $ ftp a01
        Connected to a01
        Name (a01:hawkeye):
        Password:
        ftp> get file2
        ...data about the transfer...
        ftp> put /etc/hosts /tmp/mash.hosts
        ...data about the transfer...
        ftp> bye

• Configure vsftpd using /etc/vsftpd/vsftpd.conf file
• Two kinds of ftp servers: private ftp and anonymous ftp
Berkeley R Utilities & the new S Utilities
• The Unix (or Berkeley) r utilities provide an alternative to the IP facilities
  telnet and ftp.
• Three programs, with their secure equivalents:
     rlogin hostname                         remote login
     rsh hostname command                    remote command
     rcp [host:]file [host:]file             remote copy, from to
     scp user1@host:file user2@host:file     secure copy, from to
     ssh hostname                            remote command
     rdist                                   remote distribution
• For the R family: passwords are not required if .rhosts files are configured
   – friendly hosts are defined for all normal users in /etc/hosts.equiv
   – users may add to this list in $HOME/.rhosts
• For the S family: you need to exchange keys (RedHat 9+ default)
   – Users may add friendly hosts' keys in $HOME/.ssh/authorized_keys
   – Keys must be given to you from the remote host's $HOME/.ssh/id_rsa.pub
   – Keys are generated with ssh-keygen -t rsa
Exercise - Who has Remote Access
• Here are three files from mash4077
         # more /etc/hosts.equiv
         seoul
         # more /.rhosts
         rosies
         # more /home/hawkeye/.rhosts
         rosies
         swamp
         division bfpierce

•   Can root on seoul copy files to/from mash4077?
•   Can hawkeye on seoul run commands on mash4077?
•   Can hawkeye on rosies run commands on mash4077?
•   Can root on mash4077 copy files to/from rosies?
•   Can bfpierce on division copy files to mash4077?
•   Can root on seoul login to mash4077?
Remote shells
• The rsh (remsh) command
  –   run a command on a named host
  –   standard I/O can be redirected as normal
  –   /etc/profile and .profile not executed
  –   requires /etc/hosts.equiv or the $HOME/.rhosts file to be configured

        From a02 or a03 you issue the commands below:
           $ whoami
           trapper
           $ rsh a01 ls -l
           ..runs ls -l as trapper on a01, output..
           $ rsh a01 ls -l > list.a01
           file list.a01 created on local system
           $ rsh a01
           ...same as rlogin...
           $ rsh -l hawkeye a01
           ...same as rlogin -l hawkeye...
Remote distribution -rdist
• The rdist command
  – replicates/maintains identical copies of files over multiple hosts
  – relies on rlogin and rsh
  – can use ssh as transport for secure mode
  – rdist is the client software and rdistd is the server software
  – the server rdistd is started via rsh or ssh on the server
  – R-family rsh requires /etc/hosts.equiv or the $HOME/.rhosts file to be
    configured
  – S-family ssh requires $HOME/.ssh/rsa_key.pub to be copied from the remote
    server/client
  – Uses a special file Distfile for updating and maintaining files
  – Can syslog to /var/log/messages file

  RDIST HOME: http://www.magnicomp.com/rdist/
• The rdist command is RedHat standard
Remote distribution - preparation
•   Prepare a master server and the client files to replicate
    1. Logins must be done without a password on the clients, or rdist fails.
    2. With the R family: set up server and clients like on page 22 in this chapter.
    3. With the S family: generate keys and distribute the server keys to all clients, see
       below.
    4. S family: enable ssh root logins on all clients.
    5. Create a Distfile with the files and directories to update on your clients.
•   Enable root logins (trusted environment only) on all
    clients:
    1. sshd config file /etc/ssh/sshd_config:
        PermitRootLogin yes
        AuthorizedKeysFile           .ssh/authorized_keys
Remote distribution - preparation test
•   Generate server private and public keys:
    1. As root, generate the server keys on the server:
        # ssh-keygen -t rsa
    2. Copy the keys to identity files:
        # cd .ssh ; cp id_rsa identity ; cp id_rsa.pub identity.pub
•   Distribute public keys to clients:
    1. Create client private and public keys:
        # ssh <client ip> ssh-keygen -t rsa
    2. Distribute the server public key to all your clients (they need a /root/.ssh directory):
        # scp identity.pub <client ip>:.ssh/authorized_keys
•   As root on the server, test root password-less login
    rights to all of the nodes/clients by:
       # ssh node01 date
       sat dec 12 14:52:55 CET 2004
Remote distribution -Distfile
• Used to specify how replication should take place
• The Distfile format:
    <variable name> `=' <name list>
    [ label: ] <source list> `->' <destination list> <command list>
    [ label: ] <source list> `::' <time_stamp file> <command list>

    The label is optional.
    HOSTS is in our example all hosts and logins that FILES can be
    replicated to/from.
    ${FILES} -> ${HOSTS} sends the files to the list of hosts.
    /usr/src/bin -> arpa sends the directory with its contents to host arpa.
    The command list gives instructions on how to install/operate on the lists/files.
Remote distribution –execute rdist
•    Create some testfiles to distribute among clients.
        # vi /etc/my-rdist-testfile
        This is the rdist test file!
•    Create a Distfile

                NODES = ( a01 a02 a03 a04 )
                ETCFILES = ( /etc/my-rdist-testfile )
                ${ETCFILES} -> ${NODES}
                      install;


    This file will replicate the ETCFILES onto all the NODES.
•    Replicate the files using rdist together with SSH

    # /usr/local/bin/rdist -P /usr/local/bin/ssh -p /usr/local/bin/rdistd -f /etc/Distfile

     You may want to run this command every night on your master-server by using the crontab
     command.
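Added example (not from the course slides): a parser for the Distfile subset shown on these slides (variable lists and `source -> destination` rules with an indented command list), expanding ${NAME} references into the (file, host) pairs rdist would push. The sample Distfile is constructed from the slide's example plus a labelled `/usr/src/bin -> arpa` rule; the optional label is assumed to be followed by a space.

```python
# Added example (not from the course slides): a parser for the Distfile subset
# the slides use, "NAME = ( list )" variables and "source -> destination"
# rules with an indented command list, expanded into the (file, host) pairs
# rdist would push.
import re

# Constructed sample: the Distfile from the slide plus the /usr/src/bin -> arpa
# rule from the format slide, given a label.
DISTFILE = """\
NODES = ( a01 a02 a03 a04 )
ETCFILES = ( /etc/my-rdist-testfile )
${ETCFILES} -> ${NODES}
        install;
src: /usr/src/bin -> arpa
        install;
        notify root;
"""

VAR_RE = re.compile(r"^\s*(\w+)\s*=\s*\(([^)]*)\)\s*$")
RULE_RE = re.compile(r"^\s*(?:(\w+):\s+)?(.+?)\s*->\s*(.+?)\s*$")
REF_RE = re.compile(r"\$\{(\w+)\}")

def expand(tokens: str, variables: dict) -> list:
    """Replace ${NAME} with the variable's list; other tokens stand for themselves."""
    out = []
    for tok in tokens.split():
        m = REF_RE.fullmatch(tok)
        out.extend(variables[m.group(1)] if m else [tok])
    return out

def parse_distfile(text: str) -> list:
    """Return the rules as dicts with label, sources, hosts and commands."""
    variables, rules, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        var = VAR_RE.match(line)
        rule = RULE_RE.match(line)
        if var:
            variables[var.group(1)] = var.group(2).split()
        elif rule:
            current = {"label": rule.group(1),
                       "sources": expand(rule.group(2), variables),
                       "hosts": expand(rule.group(3), variables),
                       "commands": []}
            rules.append(current)
        elif current is not None:            # indented "command;" line
            current["commands"].append(line.strip().rstrip(";").strip())
    return rules

def transfers(rules: list) -> list:
    """Every (source, host) pair the rules would replicate."""
    return [(src, host) for r in rules for src in r["sources"] for host in r["hosts"]]

if __name__ == "__main__":
    for src, host in transfers(parse_distfile(DISTFILE)):
        print(f"{src} -> {host}")
```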
Internet Daemon Configuration
• Internet facilities are controlled by the internet daemon
   – /usr/sbin/xinetd
   – started up from /etc/inittab
• xinetd is controlled by the configuration file /etc/xinetd.conf
   – Tells where the facilities/services directory sits
   – Sets mandatory facility/service configuration and logging
   – Former name was inetd.conf and the inetd daemon
• Services configuration files /etc/xinetd.d/
   Telnet example:
         service telnet
         {
                 disable = no
                 flags              = REUSE
                 socket_type        = stream
                 wait               = no
                 user               = root
                 server             = /usr/sbin/in.telnetd
                 log_on_failure     += USERID
         }
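Added example (not from the course slides): a parser for /etc/xinetd.d stanzas in the format shown above, with an audit that lists enabled services, the user they run as, and whether they send login credentials in clear text, so that a telnet stanza with disable = no and user = root stands out. The sample input, including the second (disabled) rsync stanza, is constructed.

```python
# Added example (not from the course slides): parse xinetd stanzas in the
# /etc/xinetd.d format and flag enabled services that run as root or carry
# login credentials in clear text.
import re

# Constructed sample: the telnet stanza from the slide plus a disabled service.
SAMPLE = """\
service telnet
{
        disable = no
        socket_type        = stream
        wait               = no
        user               = root
        server             = /usr/sbin/in.telnetd
        log_on_failure     += USERID
}
service rsync
{
        disable            = yes
        server             = /usr/bin/rsync
}
"""

STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$", re.M)
CLEARTEXT = {"telnet", "ftp", "rsh", "rlogin", "rexec"}   # unencrypted logins

def parse_xinetd(text: str) -> dict:
    """Map service name -> {attribute: value}; += and -= edit list values."""
    services = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for key, op, value in ATTR_RE.findall(body):
            current = attrs.get(key, "").split()
            if op == "+=":
                attrs[key] = " ".join(current + value.split())
            elif op == "-=":
                attrs[key] = " ".join(v for v in current if v not in value.split())
            else:
                attrs[key] = value
        services[name] = attrs
    return services

def audit(services: dict) -> list:
    """(service, server, notes) for each enabled service; notes flag root and
    cleartext services so the admin can decide whether to disable them."""
    findings = []
    for name, a in services.items():
        if a.get("disable", "no").lower() == "yes":
            continue                     # a missing disable line means enabled
        notes = []
        if a.get("user") == "root":
            notes.append("runs as root")
        if name in CLEARTEXT:
            notes.append("cleartext credentials")
        findings.append((name, a.get("server", "?"), notes))
    return findings
```

Running `audit(parse_xinetd(SAMPLE))` reports only telnet, marked as running as root with cleartext credentials, and skips the disabled rsync stanza.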
Summary
• Unix systems use TCP/IP for networking
• Every host on the network must have a unique
  IP address
• The file /etc/hosts maps names into IP
  addresses for network utilities
• Systems using DNS don't keep local host files
• Unix supports standard TCP/IP programs
  such as ping, telnet and ftp
• Unix provides its own equivalents (rlogin,
  rcp/scp, rsh and rdist) which use .rhosts files
• Unix uses several TCP/IP configuration files in
  /etc (xinetd.conf, services, etc.)