Linux Networking Jump Start

22 11 2010

Configure ethernet interfaces using text files in the /etc/sysconfig/network-scripts/ directory:

[root@vvx7 ~]# cd /etc/sysconfig/network-scripts/
[root@vvx7 network-scripts]# vi ifcfg-eth0

Example configuration file shown below (static IP address):

# Intel Corporation 82575EB Gigabit Network Connection
DEVICE=eth0
HWADDR=00:21:28:57:42:02
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.27.5.107
NETMASK=255.255.255.0
GATEWAY=172.27.5.1
USERCTL=no

Example configuration file shown below (dynamic IP address):

# Intel Corporation 82575EB Gigabit Network Connection
DEVICE=eth0
HWADDR=00:21:28:57:42:02
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no

Update the DNS servers and the search domain using the /etc/resolv.conf file:

[root@vvx5 /]# vi /etc/resolv.conf 
search domain.co.uk.local
nameserver 172.27.2.2
nameserver 195.40.1.36
nameserver 212.158.248.6
nameserver 194.72.6.51

Print the current routing table using the route command:

[root@vvx6 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.27.5.0      *               255.255.255.0   U     0      0        0 bond0
link-local      *               255.255.0.0     U     1004   0        0 bond0
default         172.27.5.1      0.0.0.0         UG    0      0        0 bond0
[root@vvx6 ~]#

The route command can also be used to add or delete a route to or from the routing table. Note that a route added this way does not persist: it lasts only until the next network restart.

[root@vvx6 ~]# route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.27.5.10
[root@vvx6 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     172.27.5.10     255.255.255.0   UG    0      0        0 bond0
172.27.5.0      *               255.255.255.0   U     0      0        0 bond0
link-local      *               255.255.0.0     U     1004   0        0 bond0
default         172.27.5.1      0.0.0.0         UG    0      0        0 bond0
[root@vvx6 ~]# route del -net 192.168.1.0 netmask 255.255.255.0
[root@vvx6 ~]#

It’s also possible to set the default gateway using the route command:

[root@vvx6 ~]# route add default gw 10.10.10.1

Add a persistent static route to an interface using a new text file in the same directory, named route- followed by the interface name, e.g.:

[root@vvx7 network-scripts]# cat route-eth0 
172.27.2.0/24 via 172.27.5.1
10.128.2.0/24 via 172.27.5.1
[root@vvx7 network-scripts]#
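A pre-restart check for the static ifcfg file and the route-eth0 file shown above, added here as an example and not part of the original post. The function names (cfg_get, ip2int, same_net, check_ifcfg) are illustrative, and the sample files are constructed from this page's values plus one deliberately wrong next hop.

```shell
# Added example (not from the original post): sanity-check a static ifcfg file and
# its route-<interface> file before restarting the network over SSH.
# Assumes a dotted-quad NETMASK= and the "NET/PREFIX via GATEWAY" route format shown above.

cfg_get() {   # cfg_get KEY FILE: read KEY=value without sourcing the file as root
  sed -n "s/^$1=//p" "$2" | tr -d "\"'" | tail -n 1
}

ip2int() {    # dotted quad -> 32-bit integer
  old=$IFS; IFS=.; set -- $1; IFS=$old
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_net() {  # same_net ADDR NETMASK OTHER: true if OTHER is on ADDR's subnet
  m=$(ip2int "$2")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

check_ifcfg() {  # check_ifcfg IFCFG_FILE [ROUTE_FILE]: one line per problem, status 1 if any
  [ "$(cfg_get BOOTPROTO "$1")" = dhcp ] && return 0   # nothing static to check
  ip=$(cfg_get IPADDR "$1"); mask=$(cfg_get NETMASK "$1"); gw=$(cfg_get GATEWAY "$1")
  [ -n "$ip" ] && [ -n "$mask" ] || { echo "no IPADDR/NETMASK in $1"; return 1; }
  bad=0
  if [ -n "$gw" ] && ! same_net "$ip" "$mask" "$gw"; then
    echo "GATEWAY $gw is not on $ip/$mask"; bad=1
  fi
  if [ -f "${2:-}" ]; then
    while read -r dest via hop rest; do
      [ "$via" = via ] || continue   # skip blank or other-format lines
      same_net "$ip" "$mask" "$hop" ||
        { echo "route $dest: next hop $hop is not on $ip/$mask"; bad=1; }
    done < "$2"
  fi
  return $bad
}

# Constructed sample files: values from this page, plus one deliberately wrong next hop.
tmp=$(mktemp -d)
printf '%s\n' DEVICE=eth0 BOOTPROTO=none IPADDR=172.27.5.107 \
  NETMASK=255.255.255.0 GATEWAY=172.27.5.1 > "$tmp/ifcfg-eth0"
printf '%s\n' '172.27.2.0/24 via 172.27.5.1' '10.128.2.0/24 via 172.27.6.1' > "$tmp/route-eth0"
check_ifcfg "$tmp/ifcfg-eth0" "$tmp/route-eth0" || echo "fix before 'service network restart'"
```

The files are parsed with sed rather than sourced, so a stray command in a config file is never executed by the check.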

To look at the running network configuration for one or all the interfaces, use the ifconfig command:

[root@vvx6 network-scripts]# ifconfig
bond0     Link encap:Ethernet  HWaddr 00:21:28:57:41:22  
          inet addr:172.27.5.106  Bcast:172.27.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:142897 errors:0 dropped:0 overruns:0 frame:0
          TX packets:296926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:32370272 (30.8 MiB)  TX bytes:345828268 (329.8 MiB)

eth0      Link encap:Ethernet  HWaddr 00:21:28:57:41:22  
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:142897 errors:0 dropped:0 overruns:0 frame:0
          TX packets:296926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:32370272 (30.8 MiB)  TX bytes:345828268 (329.8 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5570451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5570451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1171684633 (1.0 GiB)  TX bytes:1171684633 (1.0 GiB)

[root@vvx6 network-scripts]# ifconfig bond0
bond0     Link encap:Ethernet  HWaddr 00:21:28:57:41:22  
          inet addr:172.27.5.106  Bcast:172.27.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:143026 errors:0 dropped:0 overruns:0 frame:0
          TX packets:296992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:32384633 (30.8 MiB)  TX bytes:345837192 (329.8 MiB)

[root@vvx6 network-scripts]# 

The ifconfig command can also be used to bring an interface up or down.

[root@vvx7 network-scripts]# ifconfig eth3 down
[root@vvx7 network-scripts]# ifconfig eth3 up

It can also be used to set an IP address on an interface (again this won’t persist beyond a network reload):

[root@vvx6 ~]# ifconfig eth1 192.168.10.99 netmask 255.255.255.0 up
[root@vvx6 ~]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:21:28:57:41:23  
          inet addr:192.168.10.99  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@vvx6 ~]#

Restart the networking service to reload changed ifcfg files. This will disconnect your SSH session, but only temporarily unless you change the interface you’re connected to. It’s worth noting that if you delete a configuration file and restart the networking service, the deleted interface will not go down; this can cause issues if you need to reuse the same IP address elsewhere (in this instance use ifconfig to bring the interface down):

[root@vvx6 network-scripts]# service network restart
Shutting down interface bond0:                             [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface bond0:                               [  OK  ]
[root@vvx6 network-scripts]#

Combine the ifconfig command with grep to get only the details you’re interested in, for example to show all active IP addresses:

[root@vvx6 network-scripts]# ifconfig | grep inet
          inet addr:172.27.5.106  Bcast:172.27.5.255  Mask:255.255.255.0
          inet addr:127.0.0.1  Mask:255.0.0.0
[root@vvx6 network-scripts]#

Linux has all the usual network utilities that you’d expect, including ping for connectivity testing (use Ctrl+C to stop the ping):

[root@vvx6 ~]# ping vvx1
PING vvx1.local (172.27.5.101) 56(84) bytes of data.
64 bytes from vvx1.local (172.27.5.101): icmp_req=1 ttl=64 time=1.02 ms
64 bytes from vvx1.local (172.27.5.101): icmp_req=2 ttl=64 time=0.175 ms
64 bytes from vvx1.local (172.27.5.101): icmp_req=3 ttl=64 time=0.161 ms
^C
--- vvx1.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.161/0.453/1.023/0.403 ms
[root@vvx6 ~]# 

As well as traceroute:

[root@vvx6 ~]# traceroute 172.27.3.2
traceroute to 172.27.3.2 (172.27.3.2), 30 hops max, 60 byte packets
 1  172.27.5.1 (172.27.5.1)  0.485 ms  0.965 ms  1.176 ms
 2  asterisk.domain.co.uk.local (172.27.3.2)  0.317 ms  0.317 ms  0.309 ms
[root@vvx6 ~]#

Another useful utility, especially if you’re not physically at the server, is the ethtool command. It can show you if the interface is up or if it hasn’t detected a link:

[root@vvx6 ~]# ethtool eth0
Settings for eth0:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Supports auto-negotiation: Yes
	Advertised link modes:  10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 1
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: Unknown
	Supports Wake-on: pumbg
	Wake-on: g
	Current message level: 0x00000007 (7)
	Link detected: yes
[root@vvx6 ~]#

Configure a VLAN interface by copying an existing ifcfg file. It’s normal to name the configuration file after the VLAN tag:

[root@vvx6 network-scripts]# cp ifcfg-eth1 ifcfg-eth1.100
[root@vvx6 network-scripts]# vi ifcfg-eth1.100

Sample VLAN 100 ifcfg file (after creating this file you’ll likely want to restart the network service):

DEVICE="eth1.100"
HWADDR="00:21:28:57:41:23"
ONBOOT="yes"
IPADDR="172.27.15.200"
NETMASK="255.255.255.0"
GATEWAY="172.27.15.1"
VLAN="yes"

Another useful utility is tcpdump, which captures and displays packets sent or received on a particular interface (the -q here means quiet, essentially one line per packet; you can use -vvv instead, which produces verbose output):

[root@vvx6 network-scripts]# tcpdump -i eth0 -q
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:08:43.219785 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 96
20:08:43.226684 IP vvx6.local.43536 > vvx.local.domain: UDP, length 41
20:08:43.226760 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 192
20:08:43.241811 IP vvx.local.domain > vvx6.local.43536: UDP, length 41
20:08:43.242008 IP vvx6.local.60369 > vvx.local.domain: UDP, length 41
20:08:43.242225 IP vvx.local.domain > vvx6.local.60369: UDP, length 114
20:08:43.318535 IP 10.128.2.6.55298 > vvx6.local.ssh: tcp 0
20:08:43.318564 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 864
20:08:43.319797 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 272
20:08:43.336950 IP 10.128.2.6.55298 > vvx6.local.ssh: tcp 0
20:08:43.336976 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 160
20:08:43.337788 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 272
20:08:43.342973 IP 10.128.2.6.55298 > vvx6.local.ssh: tcp 0
20:08:43.343000 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 160
20:08:43.343797 IP vvx6.local.ssh > 10.128.2.6.55298: tcp 272
20:08:43.397405 IP 10.128.2.6.55298 > vvx6.vvxlocal.ssh: tcp 48
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
[root@vvx6 network-scripts]#

Network performance can be monitored using ifconfig, but this only gives the RX and TX bytes since the service started. To find out the current bandwidth being used, use the nload command (use the q key to exit). This command shows the load for eth0 and I’ve specified that it’s displayed in MB.

[root@vvx5 /]# nload eth0 -u m



Another useful utility to have in your toolkit is the nmap package. The nmap package is a very useful tool and can do some pretty complex jobs. I find it most useful for finding out what’s on the current LAN:

[root@ftp ~]# nmap -sP 172.27.2.101-150

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-11-22 21:22 GMT
Host 172.27.2.107 appears to be up.
Host bti-9108.domain.local (172.27.2.108) appears to be up.
Host bti-9114.domain.local (172.27.2.114) appears to be up.
Nmap finished: 50 IP addresses (3 hosts up) scanned in 3.231 seconds
[root@ftp ~]#

Occasionally the local firewall causes network issues, so it’s useful to see what’s allowed and what’s not. I’ll not go into much detail here, but generally the INPUT chain is the one that filters inbound connections, and it is the one blocking them when something doesn’t work:

[root@vvx6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 68 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 199 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2812 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9998 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 1620 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
[root@vvx6 ~]#

When adding a rule with iptables it’s probably easiest to insert it at the top of the chain (rules are checked in order, so yours is checked first and can’t be blocked by an earlier rule). Note this rule will not persist and therefore will not appear after an iptables reload (see the next command if you want to save the ruleset). This example accepts new connections to UDP port 8888 from any source IP address:

[root@vvx6 ~]# iptables -I INPUT -p udp -m state --state NEW -m udp --dport 8888 -j ACCEPT
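The first-match behaviour described above, as an added example that is not part of the original post: it evaluates an `iptables -S INPUT` listing offline and shows why the same rule is effective when inserted (-I) and dead when appended (-A) after the final REJECT. The names verdict, appended and inserted are illustrative, and the listing is an abbreviated copy of the one on this page.

```shell
# Added example (not from the original post): first-match evaluation of an
# `iptables -S INPUT` listing for a NEW inbound packet. Only -p, -i, --dport and
# --state are interpreted; other matches (such as -s) and "!" negation are ignored.
# RULES is an abbreviated copy of the INPUT listing shown on this page.
RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
NEW_RULE='-A INPUT -p udp -m state --state NEW -m udp --dport 8888 -j ACCEPT'

verdict() {   # verdict PROTO PORT [IFACE] < listing ; prints "TARGET rule-number"
  awk -v proto="$1" -v port="$2" -v ifc="${3:-eth0}" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    { n++; p = dp = i = st = tgt = ""
      for (k = 3; k < NF; k++) {
        if ($k == "-p") p = $(k+1)
        else if ($k == "--dport") dp = $(k+1)
        else if ($k == "-i") i = $(k+1)
        else if ($k == "--state") st = $(k+1)
        else if ($k == "-j") tgt = $(k+1)
      }
      if (p != "" && p != proto) next
      if (i != "" && i != ifc) next
      if (st != "" && ("," st ",") !~ /,NEW,/) next
      if (dp != "") {
        c = split(dp, r, ":"); hi = (c > 1) ? r[2] : r[1]
        if (port + 0 < r[1] + 0 || port + 0 > hi + 0) next
      }
      if (tgt ~ /^(ACCEPT|REJECT|DROP)$/) { print tgt, n; hit = 1; exit }
    }
    END { if (!hit) print policy, "policy" }'
}

appended() { printf '%s\n%s\n' "$RULES" "$NEW_RULE"; }   # iptables -A: lands after the REJECT
inserted() {                                             # iptables -I: becomes rule 1
  printf '%s\n' "$RULES" | awk -v r="$NEW_RULE" '{ print } NR == 1 { print r }'
}

printf 'before:   %s\n' "$(printf '%s\n' "$RULES" | verdict udp 8888)"
printf 'appended: %s\n' "$(appended | verdict udp 8888)"
printf 'inserted: %s\n' "$(inserted | verdict udp 8888)"
```

On a live host, feeding `iptables -S INPUT` into verdict gives the same check against the real chain before running service iptables save.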

To persist rules (if they appear correct) it’s best to run the command:

[root@vvx6 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@vvx6 ~]#

It’s also possible to modify the rule list by editing the file /etc/sysconfig/iptables:

[root@vvx6 ~]# vi /etc/sysconfig/iptables