TCP/IP Sections: 13.7, 13.8, 13.11, 13.12

13.7 Adding A Machine to a Network

13.8 Distribution-Specific Network Configuration

13.11 Security Issues

13.12 Linux NAT (IP MASQUERADING)

Adding A Machine to a Network

The basic steps to add a new machine to a local network are:

  • Assign a unique IP address and hostname.
  • Set up the new host to configure its network interfaces at boot time.
  • Set up a default route.
  • Point to a DNS name server, to allow access to the rest of the internet.
  • Reboot the system each time you make changes that might affect booting, to make sure that the machine comes up correctly.
Adding a machine to a network

Each distribution has established its own configuration files for automating network configuration at boot time, as summarized in the following table.

Assigning hostnames and IP addresses

Mapping from hostnames to IP addresses can be maintained through

  • Hosts file (/etc/hosts)
  • NIS = Network Information Service
  • DNS = Domain Name Service
  • some combination of above sources
Renumbering Issue

Renumbering = assigning new IP addresses

  • Using hostnames in the configuration files, and having the hostname-to-IP-address translation done through DNS, helps overcome the problem of changing IP addresses.

However,

  • Using IP addresses in configuration files reduces dependencies during bootup, when not all services are available yet.
/etc/hosts example

127.0.0.1 localhost

192.108.21.48 lollipop.xor.com lollipop loghost

192.108.21.254 chimchim-gw.xor.com chimchim-gw

192.108.21.1 ns.xor.com ns

192.225.33.5 licenses.xor.com license-server

  • Because the hosts file contains only local mappings, most mapping systems use it only for mappings that are needed at boot time.
  • It can also be used for mappings that you don't want others to know about.
  • The minimal contents are the mappings for the loopback address and for the host itself.
/etc/hosts (cont.)
  • Some sites put all their really important hosts, servers, and gateways in it. The distributions' default contents:
    • Debian: only localhost
    • Red Hat: localhost and the machine itself
    • SuSE: localhost, the machine itself, and a few special IPv6 names
  • The hostname command assigns a hostname to a machine. It is typically run at boot time from one of the startup scripts, which obtains the name to be assigned from a configuration file.
ifconfig: configure network interfaces
  • Enables/disables a network interface
  • Sets IP address and subnet mask
  • Sets various other parameters

ifconfig interface address options

  • Interface: identifies the hardware interface to which the command applies
  • Address: the IP address of the interface, many versions of ifconfig accept hostname for this parameter.
ifconfig Examples

ifconfig eth0 128.138.240.1 netmask 255.255.255.0 up

ifconfig interface

ifconfig -a

netstat -i

  • Options:
    • up: turns the interface on (default)
    • down: turns the interface off
    • netmask: sets the subnet mask for the network; used if subnetting is used. The network part is set to ones, the host part to zeros.
    • broadcast: the IP broadcast address for the interface, expressed in either hex or dotted-quad notation.
  • The broadcast address is, on most systems, found by setting the host part to all 1s.
  • Most systems use the netmask and IP address to calculate the broadcast address.
ifconfig Examples
  • redhat% /sbin/ifconfig eth0

eth0 Link encap:Ethernet HWaddr 00:02:b3:19:C8:86

inet addr:192.168.1.13 Bcast:192.168.1.255

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:206983 errors:0 dropped:0 overruns:0 frame:0

TX packets:218292 errors:0 dropped:0 overruns:0 frame:0

collisions:0 txqueuelen:100

Interrupt:7 Base address:0xef00

  • ifconfig eth0 128.138.243.151 netmask 255.255.255.192 broadcast 128.138.243.191 up
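As an added example that is not from the slides: a POSIX shell script that computes the network and broadcast addresses the way the slides describe (host part all zeros, host part all ones) and verifies that an explicit broadcast argument, like the one in the ifconfig command above, agrees with its netmask. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): derive the network and broadcast
# addresses that ifconfig computes from an address/netmask pair, and check
# that an explicit "broadcast" argument agrees with the netmask.

# Dotted quad -> 32-bit integer.
quad_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_quad() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address: host part set to all zeros (address AND mask).
network_addr() {
    int_to_quad $(( $(quad_to_int "$1") & $(quad_to_int "$2") ))
}

# Broadcast address: host part set to all ones (address OR NOT mask).
broadcast_addr() {
    m=$(quad_to_int "$2")
    int_to_quad $(( $(quad_to_int "$1") | (4294967295 - m) ))
}

# Usable host addresses in the subnet (all-zeros and all-ones excluded).
host_count() {
    echo $(( 4294967295 - $(quad_to_int "$1") - 1 ))
}

# Succeeds only if the given broadcast address matches address/netmask.
# A mismatch (e.g. a netmask changed without updating broadcast) silently
# breaks services that rely on IP broadcast.
broadcast_matches() {
    [ "$(broadcast_addr "$1" "$2")" = "$3" ]
}

# The slide's own example: 128.138.243.151 with netmask 255.255.255.192.
echo "network:   $(network_addr 128.138.243.151 255.255.255.192)"
echo "broadcast: $(broadcast_addr 128.138.243.151 255.255.255.192)"
echo "hosts:     $(host_count 255.255.255.192)"
```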
mii-tool: configure autonegotiation and other media-specific options
  • Autonegotiation mode: both the card and its upstream connection (usually a switch port) try to guess what the other wants to use.
  • Problem: high packet loss
  • It is better to lock the interface speed and duplex both on servers and on the switch ports they are connected to.
  • mii-tool sets media-specific parameters such as link speed and duplex
  • mii-tool --force=100baseTx-FD eth0
route: configure static routes
  • If a packet is destined for some host on a directly connected network, the "next-hop gateway" address in the routing table will be one of the local host's own interfaces.
  • If no route matches the destination address, the default route is invoked if one exists; otherwise an ICMP "network unreachable" or "host unreachable" error is returned.

route [op] [type] destination gw gateway [metric] [dev interface]

  • op:
    • add: add a route
    • del: remove a route
route (cont.)
  • destination: a host address (type -host) or a network address (type -net)
  • gateway: the machine to which packets should be forwarded. It must be on a directly connected network.
  • dev is optional and can be omitted.
  • metric: the number of forwardings (the hop count) required to reach the destination.
  • type: optional "-net" or "-host". If not specified, route checks the host part of the address (is it all zeros?); route may also check /etc/networks.
route examples
  • route -f or route --flush: completely flushes the routing tables and starts over.
  • netstat -nr: inspect existing routes
  • netstat -r: see names instead of numbers.

redhat% netstat -nr

Kernel IP routing table

Route examples

redhat% netstat -r

Kernel IP routing table

  • Genmask: the netmask associated with the destination
  • Flags: the status of the route, how it was learned, and other parameters
  • Iface: the interface through which packets using the route are sent
Default routes
  • All packets whose destination network is not found in the kernel's routing table are sent to the default route.
  • How to set the default route:
    • route add default gw gateway-ip-address
Configuring DNS

To configure a machine as a DNS client:

  • Modify /etc/resolv.conf:
    • this file lists the domains that should be searched to resolve names that are incomplete (not fully qualified)
    • it lists the IP addresses of the name servers to contact for name lookups
  • Some systems also require modification of the "service switch" file
Modify /etc/resolv.conf

search cs.colorado.edu colorado.edu

nameserver 128.138.242.1

nameserver 128.138.234.151

nameserver 192.108.21.1

  • domain is sometimes used instead of search in ancient resolv.conf files.
  • search is preferred, but Red Hat defaults to a resolv.conf file that uses domain instead of search.
Service switch
  • Some systems have a "service switch" file that determines which mechanism will be used to resolve hostname-to-IP-address mappings. See page 498 for prioritization.
  • It allows specification of the order in which DNS, NIS, and /etc/hosts should be consulted.
The Linux networking stack
  • Includes support for virtual network interfaces and selective acknowledgments, as well as a new IP feature, Explicit Congestion Notification (ECN).
  • ECN marks TCP packets to notify the sender of congestion. It is a good thing both for bulk transfers of data and for transactional data such as web requests and responses.
Distribution-Specific Network Configuration
  • linuxconf: a module-based utility that provides a simple interface for managing a number of system administration tasks, including most network-related configuration.
  • Three interfaces: text-based, web, and X Windows.
  • For a change to a configuration file to take effect, reboot or bring the network interface down and back up:
    • Red Hat and Debian: ifup and ifdown
    • SuSE: reboot the machine
/etc/sysconfig/network example

NETWORKING=yes

HOSTNAME=redhat.toadranch.com

DOMAINNAME=toadranch.com ###OPTIONAL

GATEWAY=192.168.1.254

/etc/sysconfig/network-scripts/ifcfg-ifname examples

ifcfg-eth0 file:

DEVICE=eth0

IPADDR=192.168.1.13

NETMASK=255.255.255.0

NETWORK=192.168.1.0

BROADCAST=192.168.1.255

ONBOOT=yes

ifcfg-lo file:

DEVICE=lo

IPADDR=127.0.0.1

NETMASK=255.0.0.0

NETWORK=127.0.0.0

BROADCAST=127.255.255.255

ONBOOT=yes

NAME=loopback

Network Configuration for Red Hat (cont.)
  • ifup ifname: brings an interface up
  • ifdown ifname: brings an interface down
  • /etc/rc.d/init.d/network
    • script that accepts the arguments start, stop, restart, and status
    • manages all the interfaces at once
    • invoked at boot time
  • Any routes listed in the file /etc/sysconfig/static-routes are entered into the routing table at boot time:

eth0 net 130.255.204.48 netmask 255.255.255.248 gw 130.255.204.49

eth1 net 192.38.8.0 netmask 255.255.255.224 gw 192.38.8.9

Each line gives the arguments that are passed to route add.

Network Configuration for SuSE
  • /sbin/SuSEconfig: a tool that uses scripts in /sbin/conf.d and /etc/rc.config.d to perform configuration.
  • /etc/rc.config contains all network-related parameters except routing information and DNS information. Example:

START_LOOPBACK="yes"

NETCONFIG="_0"

IPADDR_0="192.168.1.101"

NETDEV_0="eth0"

IFCONFIG_0="192.168.1.101 broadcast 192.168.1.255 netmask 255.255.255.0"

FQHOSTNAME="inura.toadranch.com"

DISABLE_ECN="yes"

Dynamic Routing in SuSE
  • Dynamic routing is also configured in rc.config.

Example

START_ROUTED="no" ### RIP (Routing Information Protocol) version 1 daemon

START_ZEBRA="no" ### zebra routing manager

START_BGPD="no" ### BGP (Border Gateway Protocol) daemon

START_RIPING="no" ### RIP version 2 daemon

START_OSPFD="no" ### OSPF (Open Shortest Path First) daemon

START_MRTD="no" ### multithreaded routing daemon

Network configuration for Debian

Example of an /etc/network/interfaces file

iface lo inet loopback

iface eth0 inet static

    address 192.168.1.102

    netmask 255.255.255.0

    gateway 192.168.1.254

The interfaces file is read by ifup and ifdown, which bring the interfaces up and down respectively.
  • The inet keyword in the iface line is the address family; this will always be inet.
  • static specifies that the address and netmask lines are required, for static configuration.
  • gateway specifies the address of the default gateway and is used to install the default route.

The options file allows some network variables to be set at boot time.

Network Configuration with GUI
  • Red Hat includes a tool called neat (Network Administration Tool) that can perform Ethernet, modem, ISDN, xDSL, and wireless configuration.
  • To run it:
    • select Main menu → Programs → System → Network Configuration, or
    • type neat in a shell
Security Issues

IP forwarding

  • Lets the Linux box act as a router.
  • Turn this feature off unless you have multiple network interfaces and intend to have the Linux box act as a router.
  • Hosts with this feature enabled can compromise security by making external packets appear to have come from inside the local network, which lets naughty packets evade network scanners and packet filters.
Security issues

ICMP redirects

  • Can be used maliciously to reroute traffic and mess with the routing table.
  • Most operating systems listen to them and follow their instructions.
  • It is recommended to configure routers, and hosts acting as routers, to ignore and perhaps log ICMP redirects.
Security issues

Source routing

  • The IP source routing mechanism lets the sender specify the series of gateways a packet transits on the way to its destination.
  • It can create security problems because packets are often filtered according to their origin.
  • If someone can cleverly route a packet to make it appear to have originated from your network instead of from the internet, it might slip through your firewall.
  • It is recommended to neither accept nor forward source-routed packets.
Security issues

Broadcast pings and other forms of directed broadcast

  • Ping packets addressed to a network's broadcast address (instead of to a particular host address).
  • Can be used in denial of service attacks.
  • Most hosts have a way to disable broadcast pings.
  • The router can also be configured not to filter out broadcast pings
Security issues

IP spoofing

  • If the software creating the packet uses a raw socket, it can fill in any source address it likes.
  • The machine identified by the spoofed source address (if it is a real address) is often the victim in this scheme: error and return packets can disrupt or flood the victim's network connections.
  • IP spoofing should be denied at the border router by blocking outgoing packets whose source address is not within your address space.
  • If a network uses private address space, addresses escaping to the internet can be filtered and caught, since private addresses are not routable.
Security issues

IP spoofing (cont.)

  • Linux-based firewalls provide a way to implement this filtering; however, most sites prefer to implement this type of filtering at their border routers.
  • Protect against a hacker forging the source address on external packets to fool the firewall into thinking that they originated on your internal network. The rp_filter kernel parameter (settable in the /proc/sys/net/ipv4/conf/ifname directory) can help detect these packets: set rp_filter (reverse path) to 1.
  • If the site has multiple connections to the internet, rp_filter has to be set to 0 if inbound and outbound routes are different (and it is preferred that they be different).
Security issues

Host-based firewalls

  • Packet filtering (aka “firewall”) software
  • Linux security is weak and NT’s security is worse.
  • It is recommended to buy a dedicated hardware solution to use as a firewall.

Go to page 676 to read more about firewall-related issues.

Security issues

Virtual private networks (VPN)

  • Private networks that include a series of secure, encrypted "tunnels".
  • These "tunnels" allow using the internet as if it were a private data line.
  • Used to connect several parts of the world as if they were within one big private network.
  • Some VPNs use the IPSEC protocol (standardized by the IETF in 1998); others use proprietary solutions.
  • Examples: Cisco's 3660 router and the WatchGuard Firebox provide VPN. They provide tunneling and encryption.
Security issues

Security-related kernel variables

Security issues

Changing security-related kernel variables

  • Red Hat:
    • Add values to /etc/sysctl.conf, which is read by the sysctl command at boot time.
    • The format of sysctl.conf is variable=value
    • net.ipv4.ip_forward=0 (turns off IP forwarding)
  • SuSE:
    • sysctl doesn't run during the boot process
    • Edit rc.config (in /etc/init.d/boot) or add a call to the sysctl command somewhere in the startup sequence
  • Debian:
    • Provides a sample sysctl.conf file and also calls sysctl during startup
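An added example, not from the slides or the book: a POSIX shell audit that reads a sysctl.conf-style file (the variable=value format just described) and reports which of the 13.11 settings (IP forwarding, ICMP redirects, source routing, broadcast pings, reverse-path filtering) are left at weak values. The sysctl key names are the real Linux ones; the expected values are this example's recommendations, the sample file is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): audit a sysctl.conf-style file against
# the 13.11 hardening settings. Key names are the real Linux sysctl keys;
# the expected values are this example's recommendations.
# One "key expected-value" pair per line.
SECURE_SETTINGS='
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.rp_filter 1
'
# Print the value set for key $2 in file $1, or "unset" if absent.
# Comment lines are ignored and spaces around "=" are tolerated.
sysctl_value() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    v=$(sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Print one WEAK line per setting that differs from the expected value;
# the exit status is the number of weak settings (0 = fully hardened).
audit_sysctl_conf() {
    findings=0
    while read -r key want; do
        case "$key" in "") continue ;; esac
        have=$(sysctl_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "WEAK: $key is $have, expected $want"
            findings=$((findings + 1))
        fi
    done <<EOF
$SECURE_SETTINGS
EOF
    return "$findings"
}

# Same count as a printed number, safe to call under "set -e".
weak_count() {
    n=0
    audit_sysctl_conf "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed sample: forwarding left on, redirects accepted, rp_filter absent.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
audit_sysctl_conf "$SAMPLE_CONF" || echo "weak settings: $?"
```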
Linux NAT (IP MASQUERADING)
  • Linux provides a limited form of NAT (Network Address Translation) that is more properly called PAT (Port Address Translation) or "IP masquerading".
  • The predominant Linux software (as of the writing of this book) for setting up NAT is called ipchains. However,
  • A new, improved package called iptables uses the "netfilter" feature of the Linux 2.4 kernel and is in the current release of Red Hat.
  • For IP masquerading to work:
    • Enable IP forwarding
    • Build the kernel with CONFIG_IP_MASQUERADING defined
    • It is helpful to set the kernel variable ip_masq_debug
IP MASQUERADING Examples
  • To disguise the private address space used on the internal network 192.168.1.0/24, you could use the following command:

ipchains -A forward -i ppp0 -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQ

  • To map packets from the 192.168.1.0/24 network to a range of 10 addresses in the routable network 128.138.198.0:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 128.138.198.1-128.138.198.10
