Linux administration, network
Networking
Interface configuration on Debian/Ubuntu (ifupdown) lives in "/etc/network/interfaces". NetworkManager connections are inspected and tested with "nmcli".
Dynamic IP vs Static
- Dynamic address - a DHCP server assigns the address (and usually the gateway and DNS servers)
- Static address - an unchanging address set by the administrator
Working with network services
- systemctl status servicename
- systemctl start | stop servicename
Finding network connection information
List all adapters and their addresses: "ip a".
Predictable network interface names.
- Onboard - eno1/eno2
- PCI hotplug - ens1/ens2
- PCI card (bus/slot) - enp0s3, enp1s2
- WLAN/WIFI - wlp1s3
- By MAC address - enx1a2b3c4d5e6f
Configuring a dynamic address with NetworkManager
Check devices and whether NetworkManager manages them: "nmcli d" (short for "nmcli device").
Deleting a connection:
nmcli c del "Connection name"
Edit an existing connection (or create a new one when no name is given):
nmcli c e "Connection name"
Commands in nmcli UI:
- "help"
- Show the properties of a setting: "print ipv4"
- Describe a property and its allowed values: "describe ipv4.method"
- Set automatic connection "set ipv4.method auto"
- Set dns server "set ipv4.dns 8.8.8.8"
- "save"
- Show the general connection setting (id, type, interface): "print connection"
- Setting connection to adapter "set connection.interface-name enp0s3"
- "quit"
Configuring a static address with NetworkManager
Create a connection: "nmcli c e" (with no name, nmcli asks for the connection type and interface).
Commands in nmcli UI:
- Set manual connection "set ipv4.method manual"
- Set address ip "set ipv4.addresses 10.0.2.10/24"
- Set gateway "set ipv4.gateway 10.0.2.1" (the gateway must lie inside the subnet of the address, here 10.0.2.0/24); then "save" and "quit" as above
Configuring a dynamic address manually (ifupdown)
Open the interfaces configuration file "/etc/network/interfaces".
Bring the interface up automatically at boot: "auto enp0s3".
Declare the interface settings: "iface enp0s3 inet dhcp".
Restart NetworkManager: "systemctl restart NetworkManager".
Check which devices NetworkManager manages: "nmcli d"; the device now shows as "unmanaged", because NetworkManager leaves interfaces declared in /etc/network/interfaces to ifupdown.
Restart the ifupdown networking service: "systemctl restart networking".
Checking devices "ip a".
Configuring static address manually
Open interfaces config files "/etc/network/interfaces".
Bring the interface up automatically at boot: "auto enp0s3".
Declare the interface settings:
iface enp0s3 inet static
# older form, equivalent to "address 10.0.2.20/24":
# address 10.0.2.20
# netmask 255.255.255.0
address 10.0.2.20/24
gateway 10.0.2.1
dns-nameservers 8.8.8.8
Then restart the networking service ("systemctl restart networking") or reboot the server.
Checking devices "ip a".
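Added example (not from the original notes): a small shell helper that builds the static-address configuration in both forms this page uses, the /etc/network/interfaces stanza and the equivalent non-interactive nmcli command, after checking that the gateway actually lies inside the address's subnet. The interface name, addresses and connection name are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: build a static-address
# configuration in both forms this page uses (an /etc/network/interfaces
# stanza and the nmcli equivalent) after checking that the gateway really
# lies inside the address's subnet. With a gateway outside the subnet the
# kernel refuses the default route ("Network is unreachable") when the
# interface comes up, so it is cheaper to catch it here.
# Interface name, addresses and connection name below are placeholders.

# ip4_to_int 10.0.2.10 -> 167772682 (dotted quad as a 32-bit integer)
ip4_to_int() {
    IFS=. read -r oct1 oct2 oct3 oct4 <<EOF
$1
EOF
    echo $(( (oct1 << 24) | (oct2 << 16) | (oct3 << 8) | oct4 ))
}

# same_subnet 10.0.2.10/24 10.0.2.1 -> true when the gateway is inside the prefix
same_subnet() {
    sn_addr=${1%/*}
    sn_bits=${1#*/}
    sn_mask=$(( (4294967295 << (32 - sn_bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$sn_addr") & sn_mask )) -eq $(( $(ip4_to_int "$2") & sn_mask )) ]
}

# static_config IFACE ADDR/PREFIX GATEWAY DNS -> prints both configurations,
# or fails with a message when the gateway is not reachable from the subnet
static_config() {
    if ! same_subnet "$2" "$3"; then
        echo "error: gateway $3 is not inside $2" >&2
        return 1
    fi
    cat <<EOF
# /etc/network/interfaces (ifupdown)
auto $1
iface $1 inet static
    address $2
    gateway $3
    dns-nameservers $4

# NetworkManager equivalent, non-interactive
nmcli connection add type ethernet ifname $1 con-name static-$1 \\
    ipv4.method manual ipv4.addresses $2 ipv4.gateway $3 ipv4.dns $4
EOF
}

# Demo with the page's addresses; the second call shows the rejected case
static_config enp0s3 10.0.2.20/24 10.0.2.1 8.8.8.8
static_config enp0s3 10.0.2.10/24 10.0.0.1 8.8.8.8 || true
```

The subnet check is plain POSIX shell arithmetic, so it runs on a host before any network tool is touched; the nmcli line it prints is the non-interactive equivalent of the "set ipv4.method manual / set ipv4.addresses / set ipv4.gateway / set ipv4.dns" steps in the editor.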
Checking connection with net cat:
- On one machine "nc -l 3000"
- On another machine "nc 10.0.2.20 3000" and type a message
- Message appears on first machine
Configuring firewall to filter packets
Firewall overview:
- Blocks or allows access to network ports
- Netfilter controls access
- Managed through "iptables"
- "iptables" uses chains of rules to determine access
- ufw (uncomplicated firewall) is available on Ubuntu
Enabling and disabling rules:
- Enable the firewall "sudo ufw enable"
- Status of the firewall "sudo ufw status verbose"
- Reject traffic to port 3000 (IPv4 and IPv6): "sudo ufw reject 3000"
- Allow traffic to port 3000 (IPv4 and IPv6): "sudo ufw allow 3000"
- Delete a rule by number ("sudo ufw status numbered", then "sudo ufw delete 1") or by repeating it: "sudo ufw delete allow 3000"
Allow traffic to port 3000/tcp only from our own machine: "sudo ufw allow proto tcp from 10.0.2.6 to 10.0.2.20 port 3000". Rules without a source, such as "sudo ufw allow 3000", accept connections from anywhere.
The compiled rules are files under "/etc/ufw" (rules added with the ufw command end up in user.rules and user6.rules).
General firewall configuration (enabled flag, log level): "/etc/ufw/ufw.conf".
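Added example (not from the original notes): a shell audit of "sudo ufw status" output that lists every ALLOW rule open to Anywhere and prints the commands that replace it with a source-pinned rule of the kind shown above. The status table is constructed to mirror ufw's layout, not captured from a real host; the source and destination addresses are the page's placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit "sudo ufw status"
# output for ALLOW rules that accept traffic from Anywhere and print the two
# commands that replace each with a source-pinned rule like
# "ufw allow proto tcp from 10.0.2.6 to 10.0.2.20 port 3000".
# SAMPLE_UFW_STATUS is constructed in ufw's table layout, not captured from a host.

SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
10.0.2.20 3000/tcp         ALLOW       10.0.2.6
3000                       REJECT      Anywhere
123/udp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
123/udp (v6)               ALLOW       Anywhere (v6)'

# world_open_allows STATUS_TEXT -> the "To" column of every ALLOW rule whose
# "From" is Anywhere (columns are separated by runs of two or more spaces)
world_open_allows() {
    printf '%s\n' "$1" | awk -F '  +' '$2 == "ALLOW" && $3 ~ /^Anywhere/ { print $1 }'
}

# pinned_rule TO SOURCE DEST -> commands that swap a world-open allow for one
# restricted to a single source host; a bare port such as "3000" keeps both
# TCP and UDP, as ufw does when no protocol is given
pinned_rule() {
    pr_port=${1%%/*}
    pr_proto=
    case $1 in */*) pr_proto="proto ${1#*/} " ;; esac
    echo "ufw delete allow $1"
    echo "ufw allow ${pr_proto}from $2 to $3 port $pr_port"
}

# Demo: list exposures, then propose pinned replacements for the IPv4 rows
# (deleting "allow 22/tcp" removes the matching (v6) rule as well)
world_open_allows "$SAMPLE_UFW_STATUS"
world_open_allows "$SAMPLE_UFW_STATUS" | grep -v '(v6)' | while read -r rule; do
    pinned_rule "$rule" 10.0.2.6 10.0.2.20
done
```

On a real host run world_open_allows "$(sudo ufw status)"; the REJECT row and the already-pinned 3000/tcp row are left alone, only the Anywhere allows are reported.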
Configure a system to forward packets
Routes and Forwarding:
- A route where packets intended for another network are sent
- IP forwarding moves packets from one network interface to another
- Usually, these tasks are handled by a dedicated network router
- A Linux machine can do this if net.ipv4.ip_forward is enabled
- To check it: "cat /proc/sys/net/ipv4/ip_forward" (1 = enabled)
- To enable it until the next reboot: "sudo sysctl -w net.ipv4.ip_forward=1"
- To enable it permanently, set "net.ipv4.ip_forward=1" in "/etc/sysctl.conf" (or a file under /etc/sysctl.d/) and apply it with "sudo sysctl -p"
Network Address Translation
Addressing on Private Networks:
- Devices need an IP address to communicate
- There aren't enough unique IPv4 addresses to go around
- Solution: Give internet-facing devices a unique IP, use other IPs on private networks
- 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are reserved for private networks
- NAT converts the packet addresses between networks
Network address translation on the router:
- Masquerading is NAT that rewrites the source address of outgoing packets to the router's own external address, so replies come back to the router and are passed on to the private host
- With ufw this is done by adding a masquerading rule to the firewall
Setting NAT:
- Forwarding policy: in "/etc/default/ufw" change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT" (this forwards everything between interfaces; to be selective keep DROP and add specific "ufw route allow" rules). ip_forward must be enabled as described above.
- Add to "/etc/ufw/before.rules", above the existing *filter section, the following lines:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24 -o enp0s8 -j MASQUERADE
COMMIT
- Disable and re-enable the firewall "sudo ufw disable" and "sudo ufw enable".
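Added example (not from the original notes): a shell helper that generates the nat block for before.rules, refuses to masquerade anything outside the RFC 1918 ranges listed above, and reports which of the two prerequisites on this page (ip_forward and the forward policy) are still missing. The subnet and interface are the page's placeholders; the prerequisite check takes file paths as arguments so it can be tried against copies offline.

```shell
#!/bin/sh
# Added example, not part of the original notes: generate the nat block for
# /etc/ufw/before.rules, refusing to masquerade anything outside the RFC 1918
# ranges, and check the two prerequisites this page names
# (net.ipv4.ip_forward=1 and DEFAULT_FORWARD_POLICY="ACCEPT"). The subnet and
# interface are the page's placeholders; nat_prereqs takes file paths so it
# can run against /proc/sys/net/ipv4/ip_forward and /etc/default/ufw on a
# host, or against test files here.

# is_private NET/PREFIX -> true for 10/8, 172.16/12, 192.168/16 or subnets of them
is_private() {
    ip_net=${1%/*}
    ip_bits=${1#*/}
    IFS=. read -r ip_o1 ip_o2 ip_o3 ip_o4 <<EOF
$ip_net
EOF
    case $ip_o1 in
        10)  [ "$ip_bits" -ge 8 ] ;;
        172) [ "$ip_o2" -ge 16 ] && [ "$ip_o2" -le 31 ] && [ "$ip_bits" -ge 12 ] ;;
        192) [ "$ip_o2" -eq 168 ] && [ "$ip_bits" -ge 16 ] ;;
        *)   return 1 ;;
    esac
}

# nat_block SUBNET OUT_IFACE -> lines to insert above the *filter section of before.rules
nat_block() {
    if ! is_private "$1"; then
        echo "refusing to masquerade non-private range $1" >&2
        return 1
    fi
    cat <<EOF
# NAT for $1 leaving through $2
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
EOF
}

# nat_prereqs IP_FORWARD_FILE DEFAULT_UFW_FILE -> one line per prerequisite
# still missing; prints nothing when the host is ready for masquerading
nat_prereqs() {
    [ "$(cat "$1")" = "1" ] || echo "ip_forward is off: sudo sysctl -w net.ipv4.ip_forward=1"
    grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$2" \
        || echo 'set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw'
}

# Demo with the page's values
nat_block 10.0.2.0/24 enp0s8
```

Refusing public ranges matters because a MASQUERADE rule with a too-wide -s turns the box into an open relay for whatever can route packets through it; the prerequisite check is what to run before "sudo ufw disable && sudo ufw enable" when the tunnel or NAT "does nothing".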
Routing traffic
Show the routing table: "ip route".
Add a temporary route (lost at reboot): "ip route add 10.0.3.0/24 via 10.0.2.6".
Make a route permanent with ifupdown, in "/etc/network/interfaces":
auto enp0s3
…
up ip route add 10.0.3.0/24 via 10.0.2.6
Make a route permanent with NetworkManager (then re-activate the connection with "nmcli connection up ConnectionName" for it to take effect):
nmcli connection modify ConnectionName ipv4.routes "10.0.3.0/24 10.0.2.6"
Dynamic routing:
- Sometimes used on very large networks
- Zebra or Quagga - routing daemons that learn and update routes across a large network
Configure network traffic tunneling
Network tunnels:
- Tunnels establish a connection between two devices, through which traffic can be sent
- IPIP tunnels carry IPv4 traffic over an IPv4 network
- SIT tunnels allow IPv6 traffic over an IPv4 network
- GRE tunnels allow IPv4 and IPv6, unicast and multicast, over an IPv4 network
Creating tunnel:
- Need to know the public IPs of the devices at each end
- Need to create a network device for the tunnel at each end
- Need to give the tunnel device an IP address at each end
Create a GRE tunnel at the CLI
On router 1:
ip tunnel add mytunnel0 mode gre \
    remote 87.65.43.21 local 12.34.56.78 ttl 255
ip link set mytunnel0 up
ip address add 10.1.0.1/24 dev mytunnel0
On router 2 (local and remote swapped, and its own tunnel address):
ip tunnel add mytunnel0 mode gre \
    remote 12.34.56.78 local 87.65.43.21 ttl 255
ip link set mytunnel0 up
ip address add 10.1.0.2/24 dev mytunnel0
Create a GRE tunnel in the configuration file (/etc/network/interfaces)
On both machines:
auto mytunnel0
iface mytunnel0 inet static
On router 1:
    address 10.1.0.1
    netmask 255.255.255.0
    pre-up ip tunnel add mytunnel0 mode gre \
        remote 87.65.43.21 local 12.34.56.78 ttl 255
    post-down ip tunnel del mytunnel0
On router 2:
    address 10.1.0.2
    netmask 255.255.255.0
    pre-up ip tunnel add mytunnel0 mode gre \
        remote 12.34.56.78 local 87.65.43.21 ttl 255
    post-down ip tunnel del mytunnel0
Restart the networking service on both routers ("systemctl restart networking") or reboot them.
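Added example (not from the original notes): a shell helper that writes the /etc/network/interfaces stanza for both ends of a GRE tunnel from a single description, so router 2's "remote" is always router 1's "local" and the two tunnel addresses are two different hosts of one /24 (the mirror-image mistakes that creep in when each end is typed by hand). The public addresses are the page's placeholders; the tunnel name and addresses are assumptions. GRE adds no confidentiality or authentication: anyone on the path can read or inject packets, so sensitive traffic belongs inside IPsec or WireGuard, not bare GRE.

```shell
#!/bin/sh
# Added example, not part of the original notes: emit the ifupdown stanza for
# both ends of a GRE tunnel from one description, so the ends cannot drift
# apart (router 2's "remote" is router 1's "local", and the tunnel addresses
# are two distinct hosts in one /24). Public addresses are the page's
# placeholders; tunnel name and addresses are assumptions.

# gre_stanza NAME LOCAL_PUBLIC REMOTE_PUBLIC TUNNEL_ADDR/PREFIX -> ifupdown stanza
gre_stanza() {
    cat <<EOF
auto $1
iface $1 inet static
    address $4
    pre-up ip tunnel add $1 mode gre remote $3 local $2 ttl 255
    post-down ip tunnel del $1
EOF
}

# gre_pair NAME R1_PUBLIC R2_PUBLIC R1_TUNNEL/24 R2_TUNNEL/24 -> both stanzas,
# each preceded by a "=== router N" marker; fails when the tunnel addresses
# are not two different hosts of the same /24 (the only prefix handled here)
gre_pair() {
    gp_a=${4%/*}
    gp_b=${5%/*}
    if [ "${4#*/}" != "24" ] || [ "${5#*/}" != "24" ]; then
        echo "error: this check only handles /24 tunnel networks" >&2
        return 1
    fi
    if [ "${gp_a%.*}" != "${gp_b%.*}" ]; then
        echo "error: $4 and $5 are not in the same /24" >&2
        return 1
    fi
    if [ "$gp_a" = "$gp_b" ]; then
        echo "error: both ends were given the same tunnel address $gp_a" >&2
        return 1
    fi
    echo "=== router 1 ($2)"
    gre_stanza "$1" "$2" "$3" "$4"
    echo "=== router 2 ($3)"
    gre_stanza "$1" "$3" "$2" "$5"
}

# Demo with the page's addresses
gre_pair mytunnel0 12.34.56.78 87.65.43.21 10.1.0.1/24 10.1.0.2/24
```

Each stanza is self-contained (the pre-up line is exactly the CLI command from the previous section), so the output for router N can be pasted into that router's interfaces file as is.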
Time Synchronization
- It's important for network peers to operate with the correct time (log correlation, certificate validity)
- Time synchronization is especially important for VMs, whose clocks drift easily
- Systems get their time from an NTP (Network Time Protocol) server
- A common NTP implementation on Linux is "chrony"
- Check all time sources: "chronyc sources"
- Check date and time information: "timedatectl"
- chrony configuration is in "/etc/chrony/chrony.conf"; an "allow" directive there lets other hosts synchronize from this server
- Restart the chrony service: "sudo systemctl restart chrony"
- On the other servers, add a "server" line pointing at our NTP server to their "/etc/chrony/chrony.conf"
- On our NTP server, allow incoming NTP through the firewall: "sudo ufw allow 123/udp". NTP uses UDP port 123; plain "sudo ufw allow 123" also opens TCP 123, which NTP does not need.
Monitoring network performance
- iftop - shows traffic per host
- nethogs - show traffic per process
- ss - show open ports and connections on the server
Using the ss utility:
- "ss -t" / "ss -u": connected (non-listening) TCP / UDP sockets
- "ss -tl": listening TCP sockets
- "ss -ul": listening UDP sockets
- "-n" disables resolving port numbers to service names and addresses to hostnames: "ss -uln"
- "-p" shows the process that owns each socket (run as root to see other users' processes): "ss -ulnp"
- The "Local Address:Port" column shows the address a socket is bound to: 0.0.0.0 or [::] means it accepts connections on every interface, 127.0.0.1 only from the local machine
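Added example (not from the original notes): a shell/awk scan of "ss -tulnp" output that lists the sockets bound to every interface (0.0.0.0, [::] or *) rather than loopback, which is exactly the set of services the firewall rules earlier on this page have to protect. The sample output is constructed in ss's column layout, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes: scan "ss -tulnp" output for
# sockets bound to every interface (0.0.0.0, [::] or *) rather than loopback.
# SAMPLE_SS is constructed in ss's column layout, not captured from a host.

SAMPLE_SS='Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0       127.0.0.53%lo:53     0.0.0.0:*    users:(("systemd-resolve",pid=512,fd=13))
udp   UNCONN 0      0             0.0.0.0:123    0.0.0.0:*    users:(("chronyd",pid=640,fd=5))
tcp   LISTEN 0      128           0.0.0.0:22     0.0.0.0:*    users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      1             0.0.0.0:3000   0.0.0.0:*    users:(("nc",pid=915,fd=3))
tcp   LISTEN 0      128         127.0.0.1:5432   0.0.0.0:*    users:(("postgres",pid=820,fd=6))
tcp   LISTEN 0      128              [::]:22        [::]:*    users:(("sshd",pid=701,fd=4))'

# exposed_listeners SS_TEXT -> "netid port process" for every wildcard-bound socket
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                      # skip the header row
        {
            addr = $5                         # Local Address:Port, e.g. [::]:22
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            proc = "-"
            if (match($0, /"[^"]+"/))         # first quoted name in users:((...))
                proc = substr($0, RSTART + 1, RLENGTH - 2)
            if (host == "0.0.0.0" || host == "[::]" || host == "*")
                print $1, port, proc
        }'
}

# Demo (on a real host: exposed_listeners "$(ss -tulnp)" as root)
exposed_listeners "$SAMPLE_SS"
```

The loopback-only sockets (the stub resolver on 127.0.0.53 and postgres on 127.0.0.1) are deliberately not reported: they are reachable only from the machine itself, so they need no firewall rule, whereas the four reported lines are the ones to compare against "ufw status".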