incs775_lect3.ppt
Transcript

  • 1. Linux Network Setup
  • 2. Introduction
    • Linux can implement different protocols for networking
    • TCP/IP the most common one
    • We will look at how to setup a simple linux network using Fedora Core 6
  • 3. Network topology – simple configuration
    • Cable modem: 216.220.99.1
    • Firewall/Router: eth0 = 216.220.99.3, eth1 = 192.168.1.1
    • Hub/Switch
    • Server/Gateway: eth0 = 192.168.1.2
    • Workstation 1: eth0 = 192.168.1.3
    • Workstation 2: eth0 = 192.168.1.4
  • 4. Network Components
    • Firewall/router – a modest computer with two network interfaces can easily become a firewall/router if there is no such device available
    • Hub/Switch – a physical device used to extend the network
    • Server – a computer that will be running FC6 and implement DNS, web server and database server.
    • Workstation – a computer that will be running FC6
    • Except for the hub, everything else can be implemented using virtual machines
  • 5. FC6 installation
    • Partitioning the hard drive:
      • Can be done either manually or automatically (by the installation script)
        • To begin with, the best bet is to let the script do the work for you
    • On the firewall and the server we will install only the packages that we need.
    • On the workstations we will install everything
  • 6. Network installation screen for FC6
  • 7. Installing the Firewall
    • Use FC6 DVD and proceed with the installation.
    • When prompted for network setup
      • choose to set up hostname manually
      • Type in the name firewall.mynetwork.com
      • Edit the network devices
        • Input the network address for eth0 – 216.220.99.3
        • If the script shows a configuration option for eth1, edit that one too and enter the network address for eth1 – 192.168.1.1. If it does not, you will have to configure this interface manually after the system is started
      • In the Miscellaneous Settings area enter
        • The gateway address: 192.168.1.2 (this is the address of the server)
        • The Primary DNS: 192.168.1.2 (this is the address of the server)
  • 8. Installing the Firewall – cont.
    • All Fedora Core installations include the following network services:
      • centralized logging through syslog
      • email through SMTP (Simple Mail Transfer Protocol)
      • network file sharing through NFS (Network File System)
      • remote access through SSH (Secure SHell)
      • resource advertising through mDNS (multicast DNS)
    • The default installation also provides:
      • network file transfer through HTTP (HyperText Transfer Protocol)
      • printing through CUPS (Common UNIX Printing System)
      • remote desktop access through VNC (Virtual Network Computing)
  • 9. Installing the Firewall – cont.
    • We will choose a minimal installation – packages can be added off the DVD later on if we need to
    • The minimal installation should include
      • DNS
      • Iptables
    • You do not have to worry about the dependencies since the installation script checks for them
  • 10. Installing the Server
    • The installation of the server is similar to that of the firewall except that we can choose to install more packages, even a complete installation.
    • When configuring the network, follow the same steps as for the firewall. The IP address of the server is 192.168.1.2
  • 11. Installing the Server (cont.)
    • If you want to be conservative – select only the packages that you need to run DNS, Apache and MySQL – you do not have to worry about the dependencies since the installation script checks for them
    • Otherwise, install everything – be aware that "install everything" does not mean install every single package on the DVD
  • 12. Installing the Workstations
    • The installation is similar to the server and the firewall
  • 13. TCP/IP Network Configuration files
    • /etc/resolv.conf - host name resolver configuration file
    • search name-of-domain.com - Name of your domain or ISP's domain if using their name server
    • nameserver XXX.XXX.XXX.XXX - IP address of primary name server
    • nameserver XXX.XXX.XXX.XXX - IP address of secondary name server
    • /etc/hosts - locally resolve node names to IP addresses
    • 127.0.0.1 your-node-name.your-domain.com localhost.localdomain localhost
    • XXX.XXX.XXX.XXX node-name – enter the fully qualified network name first, then the alias
  • 14. TCP/IP Network Configuration files (cont.)
    • /etc/nsswitch.conf - System Databases and Name Service Switch configuration file
    • hosts: files dns nisplus nis
      • It tells Linux to first resolve a host name by looking at the local hosts file (/etc/hosts); then, if the name is not found, to look to your DNS server as defined by /etc/resolv.conf; and if it is not found there, to look to your NIS server
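The lookup order described on slides 13 and 14, as an added example that is not part of the lecture: a POSIX shell script that stages resolv.conf, hosts and nsswitch.conf for workstation1 in a scratch directory and resolves names by walking the sources listed on the hosts: line. The DNS answers come from a constructed stub table standing in for the server at 192.168.1.2; the file contents, host names and the function names lookup_files, lookup_dns and resolve are this example's assumptions modelled on the slide topology.

```shell
#!/bin/sh
# Added example, not from the lecture: stage the three resolver files for
# workstation1 of the slide topology in a scratch directory and walk the
# "hosts: files dns" order from /etc/nsswitch.conf by hand. The DNS side is
# a constructed stub table, not a query to the server at 192.168.1.2.

STAGE=$(mktemp -d)

# /etc/resolv.conf: the server is the only name server, search domain as on slide 13
cat > "$STAGE/resolv.conf" <<EOF
search mydomain.com
nameserver 192.168.1.2
EOF

# /etc/hosts in the slide's layout: fully qualified name first, then aliases
cat > "$STAGE/hosts" <<EOF
127.0.0.1   workstation1.mydomain.com localhost.localdomain localhost
192.168.1.2 server.mydomain.com server
192.168.1.3 workstation1.mydomain.com workstation1
EOF

cat > "$STAGE/nsswitch.conf" <<EOF
hosts: files dns
EOF

# Constructed stand-in for the answers the DNS zone on the server would give
DNS_STUB="firewall.mydomain.com=192.168.1.1
workstation2.mydomain.com=192.168.1.4"

# lookup_files NAME: first line of the staged /etc/hosts naming NAME in any column after the IP
lookup_files() {
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$STAGE/hosts"
}

# lookup_dns NAME: qualify a short name with the search domain, then consult the stub
lookup_dns() {
    name=$1
    case $name in
        *.*) ;;
        *) name="$name.$(awk '$1 == "search" { print $2 }' "$STAGE/resolv.conf")" ;;
    esac
    printf '%s\n' "$DNS_STUB" | awk -F= -v n="$name" '$1 == n { print $2; exit }'
}

# resolve NAME: try each source in the order written on the nsswitch "hosts:" line
resolve() {
    for src in $(awk '$1 == "hosts:" { $1 = ""; print }' "$STAGE/nsswitch.conf"); do
        case $src in
            files) r=$(lookup_files "$1") ;;
            dns)   r=$(lookup_dns "$1") ;;
            *)     r= ;;        # nis / nisplus are not staged in this example
        esac
        if [ -n "$r" ]; then
            printf '%s\n' "$r"
            return 0
        fi
    done
    return 1
}

resolve workstation1                  # 192.168.1.3, found in /etc/hosts
resolve workstation1.mydomain.com     # 127.0.0.1: the FQDN sits on the loopback line
resolve firewall                      # 192.168.1.1, not in hosts, so the "dns" source answers
resolve nosuchhost || echo "nosuchhost: not found by any source"
```

Resolving the host's own fully qualified name returns 127.0.0.1 because slide 13 puts that name on the loopback line; a daemon that binds to its FQDN will then listen only on loopback, which is worth knowing before deciding whether the FQDN belongs there or only on the 192.168.1.3 line.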
  • 15. TCP/IP Network Configuration files (cont.)
    • /etc/sysconfig/network
      • Red Hat network configuration file used by the system during the boot process.
    • /etc/sysconfig/network-scripts/ifcfg-eth0
      • Configuration settings for your first ethernet port (0). Your second port is eth1.
    • /etc/modules.conf
    • alias eth0 eepro100
      • Modules for other devices on the system will also be listed. This tells the kernel which device driver to use if configured as a loadable module.
  • 16. Fedora Network GUI Configuration Tools - TCP/IP ethernet configuration
    • Network configuration:
      • /usr/sbin/system-config-network
    • Text console configuration tool:
      • /usr/sbin/system-config-network-tui
  • 17. Fedora Network GUI Configuration Tools – Gnome Desktop
    • Gnome Desktop Network Configuration
      • /usr/bin/gnome-network-preferences
    • Proxy configuration. Choose one of three options:
      • 1. Direct internet connection
      • 2. Manual proxy configuration (specify proxy and port)
      • 3. Automatic proxy configuration (give URL)
  • 18. Assigning an IP address - Static IP address assignment
    • Command Line:
      • ifconfig eth0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
    • Fedora GUI tools:
      • /usr/bin/neat Gnome GUI network administration tool. Handles all interfaces. Configure for Static IP or DHCP client.
    • Fedora Console tools:
      • /usr/sbin/system-config-network-tui (Text User Interface)
  • 19. More Network Configuration
    • Directly edit configuration files/scripts
    • The ifconfig command does NOT store this information permanently. Upon reboot this information is lost. (Manually add the commands to the end of the file /etc/rc.d/rc.local to execute them upon boot.) The commands netcfg and netconfig make permanent changes to system network configuration files located in /etc/sysconfig/network-scripts/, so that this information is retained.
  • 20. Fedora Core IP Configuration Files
    • /etc/sysconfig/network
    • Static IP address Configuration: (Configure gateway address)
    • NETWORKING=yes
    • HOSTNAME=my-hostname - Hostname is defined here and by command hostname
    • FORWARD_IPV4=true - True for NAT firewall gateways and Linux routers; false for everyone else (desktops and servers).
    • GATEWAY="XXX.XXX.XXX.YYY" - Used if your network is connected to another network or the internet.
    • Static IP configuration. Gateway not defined here for DHCP client.
  • 21. Fedora Core IP Configuration Files (cont.)
    • DHCP client configuration
    • NETWORKING=yes
    • HOSTNAME=my-hostname - Hostname is defined here and by command hostname
    • (Gateway is assigned by DHCP server.)
  • 22. Fedora Core IP Configuration Files (cont.)
    • /etc/sysconfig/network-scripts/ifcfg-eth0
    • This file is used by the command scripts ifup and ifdown
    • Static IP address configuration:
    • DEVICE=eth0
    • BOOTPROTO=static
    • BROADCAST=XXX.XXX.XXX.255
    • IPADDR=XXX.XXX.XXX.XXX
    • NETMASK=255.255.255.0
    • NETWORK=XXX.XXX.XXX.0
    • ONBOOT=yes - Will activate upon system boot
    • TYPE=Ethernet
    • HWADDR=XX:XX:XX:XX:XX:XX
    • GATEWAY=XXX.XXX.XXX.XXX
  • 23. Fedora Core IP Configuration Files (cont.)
    • DHCP client configuration
    • DEVICE=eth0
    • ONBOOT=yes
    • BOOTPROTO=dhcp
    • IPV6INIT=no
    • USERCTL=no
    • PEERDNS=yes
    • TYPE=Ethernet
    • HWADDR=XX:XX:XX:XX:XX:XX
    • Used by script /etc/sysconfig/network-scripts/ifup to bring the various network interfaces on-line
    • To disable DHCP change BOOTPROTO=dhcp to BOOTPROTO=none
    • In order for updated information in any of these files to take effect, one must issue the command: service network restart (or: /etc/rc.d/init.d/network restart)
  • 24. Changing the host name
    • This is a three step process:
      • 1. Issue the command: hostname new-host-name
      • 2. Change network configuration file: /etc/sysconfig/network
        • Edit entry: HOSTNAME=new-host-name
      • 3. Restart systems which relied on the hostname (or reboot):
        • Restart network services: service network restart (or: /etc/rc.d/init.d/network restart)
        • Restart desktop:
          • Bring down system to console mode: init 3
          • Bring up X-Windows: init 5
    • One may also want to check the file /etc/hosts for an entry using the system name which allows the system to be self aware
  • 25. Network IP aliasing
    • Assign more than one IP address to one ethernet card:
    • ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255
    • ifconfig eth0:0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
    • ifconfig eth0:1 192.168.1.4 netmask 255.255.255.0 broadcast 192.168.1.255
    • route add -host XXX.XXX.XXX.XXX dev eth0
    • route add -host 192.168.1.1 dev eth0
    • route add -host 192.168.1.4 dev eth0
    • In this example, eth0:0 and eth0:1 are aliases in addition to the regular eth0
  • 26. Network IP aliasing (cont.)
    • The result of the ifconfig command:
    • eth0 Link encap:Ethernet HWaddr 00:10:4C:25:7A:3F
    • inet addr:XXX.XXX.XXX.XXX Bcast:XXX.XXX.XXX.255 Mask:255.255.255.0
    • UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    • RX packets:14218 errors:0 dropped:0 overruns:0 frame:0
    • TX packets:1362 errors:0 dropped:0 overruns:0 carrier:0
    • collisions:1 txqueuelen:100
    • Interrupt:5 Base address:0xe400
    • eth0:0 Link encap:Ethernet HWaddr 00:10:4C:25:7A:3F
    • inet addr:192.168.10.12 Bcast:192.168.10.255 Mask:255.255.255.0
    • UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    • Interrupt:5 Base address:0xe400
    • eth0:1 Link encap:Ethernet HWaddr 00:10:4C:25:7A:3F
    • inet addr:192.168.10.14 Bcast:192.168.10.255 Mask:255.255.255.0
    • UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    • Interrupt:5 Base address:0xe400
  • 27. Network IP aliasing (cont.)
    • Config file: /etc/sysconfig/network-scripts/ifcfg-eth0:0
    • DEVICE=eth0:0
    • ONBOOT=yes
    • BOOTPROTO=static
    • BROADCAST=192.168.10.255
    • IPADDR=192.168.10.12
    • NETMASK=255.255.255.0
    • NETWORK=192.168.10.0
    • Aliases can also be shut down independently. i.e.: ifdown eth0:0
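The static, DHCP and alias ifcfg files from slides 22, 23 and 27, as an added example that is not part of the lecture: a POSIX shell script (not a Fedora tool) that writes the files for hosts in the slide topology to a scratch directory and lints them before the network is restarted. The checks (ONBOOT set, NETWORK and BROADCAST consistent with IPADDR/NETMASK, gateway on the interface's own network, no HWADDR on an alias) and the function names write_static, write_dhcp, cfg and check_ifcfg are this example's own, not anything ifup performs; the firewall's gateway 216.220.99.254 is taken from slide 33.

```shell
#!/bin/sh
# Added example, not from the lecture: generate the ifcfg files from slides
# 22, 23 and 27 for hosts in the slide topology and lint them before a
# "service network restart". Everything is written to a scratch directory,
# never to /etc/sysconfig/network-scripts.

OUT=$(mktemp -d)

# ip2int A.B.C.D -> 32-bit integer, int2ip does the reverse (POSIX arithmetic only)
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# write_static DEV IPADDR NETMASK [GATEWAY]: NETWORK and BROADCAST are derived
# from the address and mask rather than typed, which is where the XXX.XXX.XXX.0
# and XXX.XXX.XXX.255 placeholders on the slides usually get mistyped.
write_static() {
    dev=$1; ip=$2; mask=$3; gw=$4
    m=$(ip2int "$mask")
    net=$(( $(ip2int "$ip") & m ))
    bcast=$(( net | (4294967295 - m) ))     # all host bits set
    {
        echo "DEVICE=$dev"
        echo "BOOTPROTO=static"
        echo "ONBOOT=yes"
        echo "IPADDR=$ip"
        echo "NETMASK=$mask"
        echo "NETWORK=$(int2ip $net)"
        echo "BROADCAST=$(int2ip $bcast)"
        if [ -n "$gw" ]; then echo "GATEWAY=$gw"; fi
        echo "TYPE=Ethernet"
    } > "$OUT/ifcfg-$dev"
}

# write_dhcp DEV: the client file from slide 23
write_dhcp() {
    {
        echo "DEVICE=$1"; echo "ONBOOT=yes"; echo "BOOTPROTO=dhcp"
        echo "IPV6INIT=no"; echo "USERCTL=no"; echo "PEERDNS=yes"; echo "TYPE=Ethernet"
    } > "$OUT/ifcfg-$1"
}

# cfg FILE KEY -> value, empty if the key is absent
cfg() { sed -n "s/^$2=//p" "$1"; }

# check_ifcfg FILE: one line per finding on stdout, exit 1 if there were any
check_ifcfg() {
    f=$1; rc=0
    proto=$(cfg "$f" BOOTPROTO); ip=$(cfg "$f" IPADDR); mask=$(cfg "$f" NETMASK)
    gw=$(cfg "$f" GATEWAY); net=$(cfg "$f" NETWORK); bcast=$(cfg "$f" BROADCAST)
    [ "$(cfg "$f" ONBOOT)" = yes ] || { echo "$f: ONBOOT is not yes, the interface stays down after boot"; rc=1; }
    case $proto in
        dhcp)
            [ -z "$ip" ] || { echo "$f: IPADDR is set but BOOTPROTO=dhcp, the lease will override it"; rc=1; } ;;
        static|none)
            if [ -z "$ip" ] || [ -z "$mask" ]; then
                echo "$f: static configuration without IPADDR/NETMASK"; return 1
            fi
            m=$(ip2int "$mask"); n=$(( $(ip2int "$ip") & m )); b=$(( n | (4294967295 - m) ))
            [ -z "$net" ] || [ "$net" = "$(int2ip $n)" ] || { echo "$f: NETWORK=$net does not match $ip/$mask (expected $(int2ip $n))"; rc=1; }
            [ -z "$bcast" ] || [ "$bcast" = "$(int2ip $b)" ] || { echo "$f: BROADCAST=$bcast does not match $ip/$mask (expected $(int2ip $b))"; rc=1; }
            if [ -n "$gw" ] && [ $(( $(ip2int "$gw") & m )) -ne "$n" ]; then
                echo "$f: GATEWAY=$gw is not on this interface's own network"; rc=1
            fi ;;
        *)  echo "$f: unknown BOOTPROTO '$proto'"; rc=1 ;;
    esac
    # an alias such as eth0:0 shares the card's MAC; a HWADDR line there is a copy-paste leftover
    case $(cfg "$f" DEVICE) in
        *:*) [ -z "$(cfg "$f" HWADDR)" ] || { echo "$f: HWADDR set on an alias interface"; rc=1; } ;;
    esac
    return $rc
}

# The firewall's two interfaces, the alias from slide 27 and a DHCP client
write_static eth0 216.220.99.3 255.255.255.0 216.220.99.254
write_static eth1 192.168.1.1 255.255.255.0
write_static eth0:0 192.168.10.12 255.255.255.0
write_dhcp eth2
for f in "$OUT"/ifcfg-*; do
    check_ifcfg "$f" && echo "$(basename "$f"): ok"
done
```

Run it as an unprivileged user; the files land under the mktemp directory and can be diffed against the live ones in /etc/sysconfig/network-scripts before anything is copied over.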
  • 28. Activating and De-Activating your NIC
    • Activate: /sbin/ifup eth0 (Also: ifconfig eth0 up - Note: Even if no IP address is assigned you can listen.)
    • De-Activate: /sbin/ifdown eth0 (Also: ifconfig eth0 down)
    • These scripts use the scripts and NIC config files in /etc/sysconfig/network-scripts/
  • 29. GUI Interface control/configuration
    • /usr/bin/system-control-network
  • 30. Adding a network interface card (NIC)
    • It can be permanently added to /etc/modules.conf
    • alias eth0 3c59x
    • insmod -v 3c59x (For a 3Com ethernet card)
    • Fedora Core has a hardware detection tool called kudzu which will detect any new hardware added to the system and will try to install and configure it (with the user's help)
  • 31. Adding a network interface card (NIC) (cont.)
    • Define network parameters in configuration files /etc/sysconfig/network-scripts/ifcfg-eth1
    • DEVICE=eth1
    • BOOTPROTO=static
    • IPADDR=192.168.1.1
    • NETMASK=255.255.255.0
    • GATEWAY=XXX.XXX.XXX.XXX
    • HOSTNAME=firewall.mydomain.com
    • DOMAIN=mydomain.com
    • Special routing information may be specified, if necessary, in the file /etc/sysconfig/static-routes
  • 32. Adding a network interface card (NIC) (cont.)
    • Define network parameters using the Unix command line interface:
    • Define IP address:
    • ifconfig eth0 216.220.99.3 netmask 255.255.255.0 broadcast 216.220.99.255
    • ifconfig eth1 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
    • If necessary, define the route with the route command:
    • Examples:
    • route add default gw XXX.XXX.XXX.XXX dev eth0
    • route add -net XXX.XXX.XXX.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth0
    • XXX.XXX.XXX.XXX is the gateway to the internet as defined by your ISP or network operator
    • If you make a mistake just repeat the route command substituting "del" in place of "add"
  • 33. Routes
    • route - show / manipulate the IP routing table (Static route)
    • Examples:
    • Show routing table: route -e
    • Access individual computer host specified via network interface card eth1:
    • route add -host 192.168.1.2 eth1
    • Access ISP network identified by the network address and netmask using network interface card eth0:
    • route add -net 216.220.99.0 netmask 255.255.255.0 gw 216.220.99.254 eth0
    • Conversely: route del -net 216.220.99.0 netmask 255.255.255.0 gw 216.220.99.254 eth0
    • Specify default gateway to use to access remote network via network interface card eth0:
    • route add default gw 216.220.99.254 eth0
    • (Gateway can also be defined in /etc/sysconfig/network)
    • Specify two gateways for two network destinations: (i.e. one external, one internal private network. Two routers/gateways will be specified.)
    • Add internet gateway as before: route add default gw 216.220.99.254 eth0
    • Add second private network: route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.2 eth1
    • routed - network routing daemon. Uses RIP protocol to update routing table.
    • ipx_route - show / manipulate the IPX routing table - IPX is the Novell networking protocol (Not typically used unless your office has Novell servers)
    • ifuser - Identify destinations routed to a particular network interface.
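The route add lines on slides 32 and 33, as an added example that is not part of the lecture: a POSIX shell script that reproduces the kernel's longest-prefix match over a static copy of the firewall's routing table, validates a -net destination against its netmask, and shows why a gateway must lie on a directly attached network before a default route through it can be added. The table rows are assumed from the slide topology and slide 33's gateway 216.220.99.254; the function names prefix_len, check_net_route, route_lookup and gw_reachable are this example's own.

```shell
#!/bin/sh
# Added example, not from the lecture: the decision the kernel makes for the
# "route add" lines on slides 32 and 33, run against a static copy of the
# firewall's table so it works without root, a NIC or the route binary.
# Rows are "destination netmask gateway device"; gateway 0.0.0.0 means the
# destination is directly attached, the way route -e prints it.

ROUTES="192.168.1.2   255.255.255.255 0.0.0.0        eth1
192.168.1.0   255.255.255.0   0.0.0.0        eth1
216.220.99.0  255.255.255.0   0.0.0.0        eth0
0.0.0.0       0.0.0.0         216.220.99.254 eth0"

ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len NETMASK -> number of one bits (255.255.255.0 -> 24)
prefix_len() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# check_net_route DEST NETMASK: a -net route is only valid when DEST has no
# host bits set under NETMASK; 192.168.1.0 with 255.0.0.0 fails this test
check_net_route() {
    d=$(ip2int "$1"); m=$(ip2int "$2")
    [ $(( d & m )) -eq "$d" ]
}

# route_lookup DST: longest-prefix match over ROUTES, prints "DEVICE via GATEWAY"
route_lookup() {
    d=$(ip2int "$1"); best=-1; answer=
    while read -r dst mask gw dev; do
        [ -n "$dst" ] || continue
        [ $(( d & $(ip2int "$mask") )) -eq "$(ip2int "$dst")" ] || continue
        len=$(prefix_len "$mask")
        if [ "$len" -gt "$best" ]; then best=$len; answer="$dev via $gw"; fi
    done <<EOF
$ROUTES
EOF
    [ -n "$answer" ] && printf '%s\n' "$answer"
}

# gw_reachable GATEWAY: "route add ... gw X" only succeeds when X is on a
# directly attached network, so the -net route for eth0 has to exist before
# the default route that points at 216.220.99.254 is added
gw_reachable() {
    case $(route_lookup "$1") in
        *"via 0.0.0.0") return 0 ;;
        *) return 1 ;;
    esac
}

route_lookup 192.168.1.2      # eth1 via 0.0.0.0 (the -host route beats the /24)
route_lookup 192.168.1.77     # eth1 via 0.0.0.0
route_lookup 8.8.8.8          # eth0 via 216.220.99.254 (default route)
check_net_route 192.168.1.0 255.0.0.0 || echo "192.168.1.0/255.0.0.0: host bits set under the mask, route rejects it"
gw_reachable 10.1.1.1 || echo "10.1.1.1: not on an attached network, cannot be used as a gateway"
```

The same ordering constraint applies to the slide's own sequence: the default route through 216.220.99.254 can only be added once the 216.220.99.0/24 network is attached to eth0, which is why bringing up the interface with ifconfig precedes the route add lines.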
  • 34. Domain Name Server (DNS) configuration - Primary server (master)
    • File: /etc/named.conf
    • options {
    • version "Bind"; - Don't disclose real version to hackers
    • directory "/var/named";
    • allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
    • recursion no;
    • fetch-glue no; - Bind 8 only! Not used by version 9
    • };
    • zone "your-domain.com"{
    • type master;
    • file "named.your-domain.com";
    • notify yes;
    • };
    • zone "0.0.127.in-addr.arpa"{
    • type master;
    • file "named.local";
    • allow-update { none; };
    • };
  • 35. Domain Name Server (DNS) configuration - Primary server (master)
    • File: /var/named/named.mydomain.com
  • 36.
    • $TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. Measured in seconds. This value is 7 days.
    • mydomain.com. IN SOA server.mydomain.com. hostmaster.mydomain.com. (
    • 2000021600 ; serial - Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor.
    • 86400 ; refresh - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)
    • 7200 ; retry - How long secondary server should wait for a retry if contact failed.
    • 1209600 ; expire - Secondary server to purge info after this length of time.
    • 604800 ) ; default_ttl - How long data is held in cache by remote servers.
    • IN A 192.168.1.2 - Note that this is the default IP address of the domain.
    • I put the web server IP address here so that domain.com points to the same servers as www.domain.com
    • ;
    • ; Name servers for the domain
    • ;
    • IN NS server.mydomain.com.
    • ;
    • ; Mail server for domain
    • ;
    • IN MX 5 server - Identify "server" as the node handling mail for the domain. Do NOT specify an IP address!
    • ;
    • ; Nodes in domain
    • ;
    • workstation1 IN A 192.168.1.3 - Note that this is the IP address of workstation1
    • workstation2 IN A 192.168.1.4 - Note that this is the IP address of workstation2
    • server IN A 192.168.1.2 - Optional: For hosting your own primary name server. Note that this is the IP address of server
    • firewall IN A 192.168.1.1 - this is the IP address of the firewall
    • ; the MX target "server" resolves through the A record above – an MX record must name a host, never an IP address
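A lint for the zone file on slide 36, as an added example that is not part of the lecture: it checks the SOA serial against the limit the slide gives, the refresh/retry/expire ordering recommended by RFC 1912, that MX and NS targets are host names rather than addresses (the slide's own rule), and that every in-zone target has an A record. The sample zone is a constructed copy of the slide's records with the explanatory suffixes removed; zone_soa and zone_lint are this example's function names.

```shell
#!/bin/sh
# Added example, not from the lecture: a lint for the zone file on slide 36
# that enforces the rules the slide states in prose (serial limit, MX targets
# are names, not addresses) plus the RFC 1912 ordering of the SOA timers.
# The sample zone below is a constructed copy of the slide's records.

Z=$(mktemp -d)
cat > "$Z/named.mydomain.com" <<'EOF'
$TTL 604800
mydomain.com.   IN SOA server.mydomain.com. hostmaster.mydomain.com. (
                2000021600 ; serial
                86400      ; refresh
                7200       ; retry
                1209600    ; expire
                604800 )   ; default_ttl
                IN A  192.168.1.2
                IN NS server.mydomain.com.
                IN MX 5 server
workstation1    IN A  192.168.1.3
workstation2    IN A  192.168.1.4
server          IN A  192.168.1.2
firewall        IN A  192.168.1.1
EOF

SERIAL_MAX=2147483647   # the bound given on the slide

# zone_soa FILE -> "serial refresh retry expire minimum": strips comments and
# parentheses, then takes the five numbers after the two SOA names
zone_soa() {
    sed 's/;.*//; s/[()]/ /g' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if (state == 0 && $i == "SOA") { state = 1; skip = 2; continue }
              if (state == 1) {
                  if (skip > 0) { skip--; continue }
                  v[++n] = $i
                  if (n == 5) { print v[1], v[2], v[3], v[4], v[5]; exit }
              }
          } }'
}

# zone_lint FILE ORIGIN: one finding per line, exit 1 if any
zone_lint() {
    f=$1; origin=$2; rc=0
    set -- $(zone_soa "$f")
    [ $# -eq 5 ] || { echo "$f: SOA record missing or incomplete"; return 1; }
    serial=$1; refresh=$2; retry=$3; expire=$4
    case $serial in
        ''|*[!0-9]*) echo "$f: serial '$serial' is not a number"; rc=1 ;;
        *) [ "$serial" -le "$SERIAL_MAX" ] || { echo "$f: serial $serial exceeds $SERIAL_MAX"; rc=1; } ;;
    esac
    [ "$retry" -lt "$refresh" ] || { echo "$f: retry ($retry) should be shorter than refresh ($refresh)"; rc=1; }
    [ "$expire" -gt "$refresh" ] || { echo "$f: expire ($expire) should be longer than refresh ($refresh)"; rc=1; }
    # owners that have an A record; a blank owner means the zone apex
    owners=$(sed 's/;.*//' "$f" | awk '$1 == "IN" && $2 == "A" { print "@" } $2 == "IN" && $3 == "A" { print $1 }')
    pairs=$(sed 's/;.*//' "$f" | awk '{ for (i = 1; i < NF; i++) if ($i == "MX" || $i == "NS") print $i, $NF }')
    while read -r type target; do
        [ -n "$type" ] || continue
        case $target in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*)
                echo "$f: $type target '$target' is an IP address, it must be a host name"; rc=1; continue ;;
            *."$origin".) short=${target%".$origin."} ;;   # in-zone, fully qualified
            *.) continue ;;                               # out of zone, no local A record expected
            *) short=$target ;;                           # in-zone, relative name
        esac
        printf '%s\n' "$owners" | grep -qx "$short" || { echo "$f: $type target '$target' has no A record in this zone"; rc=1; }
    done <<EOF
$pairs
EOF
    return $rc
}

zone_soa "$Z/named.mydomain.com"                  # 2000021600 86400 7200 1209600 604800
zone_lint "$Z/named.mydomain.com" mydomain.com && echo "zone: ok"
```

Run zone_lint on the file before named reloads it; an MX line whose target is an address is exactly the mistake the slide warns about, and this catches it without waiting for mail to bounce.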
  • 37. Domain Name Server (DNS) configuration - Secondary server (slave)
    • File: named.conf
    • options {
    • version "Bind"; - Don't disclose real version to hackers
    • directory "/var/named";
    • allow-transfer { none; };
    • recursion no;
    • fetch-glue no; - Bind 8 only! Not used by version 9
    • };
    • zone "your-domain.com"{
    • type slave;
    • file "named.mydomain.com"; - Specify slaves/named.your-domain.com for RHEL4 chrooted bind
    • masters { 192.168.1.2; }; - IP address of primary DNS
    • };
    • zone "0.0.127.in-addr.arpa"{
    • type master;
    • file "named.local";
    • };
  • 38. DNS GUI configuration
    • /usr/bin/system-config-bind
  • 39. DNS
    • Most modern Linux distributions default to a "chrooted" installation.
    • This technique runs the Bind name service with a view of the filesystem which changes the definition of the root directory "/" to a directory in which Bind will operate. i.e. /var/named/chroot.
    • The latest Fedora bind updates run the named as user "named" to avoid a lot of earlier hacker exploits.
    • Chrooting the process creates an even more secure environment by limiting the view of the system that the process can access
    • The process is limited to the chrooted directory assigned
  • 40. Chrooted DNS configuration
    • Directory: /var/named/chroot
    • Configuration files: /var/named/chroot/etc
    • devices used by bind: /var/named/chroot/dev
      • /dev/null
      • /dev/random
      • /dev/zero
    • Zone files and configuration information: /var/named/chroot/var
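A pre-flight check for the named.conf options on slides 34 and 37 and the chroot layout on slide 40, as an added example that is not part of the lecture: it flags a missing version override, recursion left on, an open or absent allow-transfer, a slave zone without masters, and a jail missing the /dev nodes or the directory that the directory option names. The named.conf it inspects is a constructed secondary-server configuration modelled on slide 37; opt, check_named_conf and check_chroot are this example's function names.

```shell
#!/bin/sh
# Added example, not from the lecture: a pre-flight check for the named.conf
# options shown on slides 34 and 37 and for the chroot layout on slide 40.
# It builds a scratch copy of the chroot tree here; nothing touches
# /var/named/chroot or a running named.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc" "$ROOT/dev" "$ROOT/var/named"
# plain files stand in for the device nodes (on a real chroot they are made with mknod)
for d in null random zero; do : > "$ROOT/dev/$d"; done
cat > "$ROOT/etc/named.conf" <<'EOF'
options {
    version "Bind";                        // hide the real version string
    directory "/var/named";                // relative to the chroot, not the host
    allow-transfer { 192.168.1.2; };       // only the primary/secondary pair may move zones
    recursion no;
};
zone "mydomain.com" {
    type slave;
    file "named.mydomain.com";
    masters { 192.168.1.2; };
};
EOF

# opt FILE NAME: value of NAME inside the options { } block, comments stripped
opt() {
    sed 's#//.*##; s/#.*//' "$1" | sed -n '/^options/,/^}/p' |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*/\1/p"
}

# check_named_conf FILE: one finding per line, exit 1 if any
check_named_conf() {
    f=$1; rc=0
    [ -n "$(opt "$f" version)" ] || { echo "$f: version not overridden, the real BIND version is disclosed"; rc=1; }
    r=$(opt "$f" recursion)
    [ "$r" = no ] || { echo "$f: recursion is '${r:-unset}' (BIND defaults to yes), the slide sets it to no"; rc=1; }
    case $(opt "$f" allow-transfer) in
        '')     echo "$f: no allow-transfer statement, zone transfers are allowed to any host"; rc=1 ;;
        *any*)  echo "$f: allow-transfer includes any, restrict it to the secondary's address"; rc=1 ;;
    esac
    # a slave zone needs its masters, otherwise it never loads
    if grep -q 'type slave' "$f" && ! grep -q 'masters' "$f"; then
        echo "$f: slave zone without a masters statement"; rc=1
    fi
    return $rc
}

# check_chroot DIR: the files and devices slide 40 expects under the jail
check_chroot() {
    d=$1; rc=0
    for p in etc/named.conf dev/null dev/random dev/zero var/named; do
        [ -e "$d/$p" ] || { echo "$d: missing $p"; rc=1; }
    done
    # the directory option is resolved inside the jail, so it must exist under DIR
    dir=$(opt "$d/etc/named.conf" directory 2>/dev/null | tr -d '"')
    [ -n "$dir" ] && [ -d "$d$dir" ] || { echo "$d: directory '$dir' is not present inside the chroot"; rc=1; }
    return $rc
}

check_named_conf "$ROOT/etc/named.conf" && echo "named.conf: ok"
check_chroot "$ROOT" && echo "chroot layout: ok"
```

On a real system point check_chroot at /var/named/chroot and check_named_conf at /var/named/chroot/etc/named.conf; both only read files, so they are safe to run as the named user.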
  • 41. More DNS HOWTO
    • http://langfeldt.net/DNS-HOWTO/BIND-9/