Difference between revisions of "Quick HOWTO : Ch03 : Linux Networking"

From Ubuntu中文
(elcnaorrolch)
第1行: 第1行:
vialoloa
 
 
{{From|http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch03_:_Linux_Networking}}
 
{{From|http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch03_:_Linux_Networking}}
 
{{Languages|Quick HOWTO : Ch03 : Linux Networking}}
 
{{Languages|Quick HOWTO : Ch03 : Linux Networking}}
第8行: 第7行:
 
In Chapter 2, "[[Quick HOWTO : Ch02 : Introduction to Networking|Introduction to Networking]]", we started with an explanation of TCP/IP, so we'll start this Linux networking chapter with a discussion on how to configure the IP address of your server.
 
In Chapter 2, "[[Quick HOWTO : Ch02 : Introduction to Networking|Introduction to Networking]]", we started with an explanation of TCP/IP, so we'll start this Linux networking chapter with a discussion on how to configure the IP address of your server.
  
<br>
+
= How to Configure Your NIC's IP Address =
  
= 介绍 =
 
 
&nbsp; 既然你已经掌握了网络中用到的大部分概念,是时候应用他们来配置你的服务器了。尽管在安装linux时,有一些初始化的配置,但你会发现当你移动你的服务器到另外一个网络、添加网卡、修改连接网络的方式时,你自己不得不修改这些初始化的配置。
 
 
&nbsp;在第二章,“网络介绍”,我们解释了TCP/IP,所以,我们在这一章,我们讨论如何配置服务器的IP地址。<br>
 
 
<br>
 
 
= How to Configure Your NIC's IP Address =
 
  
 
You need to know all the steps needed to configure IP addresses on a NIC card. Web site shopping cart applications frequently need an additional IP address dedicated to them. You also might need to add a secondary NIC interface to your server to handle data backups. Last but not least, you might just want to play around with the server to test your skills.
 
You need to know all the steps needed to configure IP addresses on a NIC card. Web site shopping cart applications frequently need an additional IP address dedicated to them. You also might need to add a secondary NIC interface to your server to handle data backups. Last but not least, you might just want to play around with the server to test your skills.
  
 
This section shows you how to do the most common server IP activities with the least amount of headaches.
 
This section shows you how to do the most common server IP activities with the least amount of headaches.
 
= 怎样配置网卡上的IP地址 =
 
 
你需要知道在网卡上配置IP地址的所有步骤。网上购物应用常常需要一个额外的IP地址分配给他。或许你需要添加第二个网卡来处理服务器的数据备份。最后,或许你需要测试一下自己的配置。
 
  
 
== Determining Your IP Address ==
 
== Determining Your IP Address ==
  
Most modern PCs come with an Ethernet port. When Linux is installed, this device is called eth0. You can determine the IP address of this device with the ifconfig command. <br>
 
  
== 确定你的IP地址<br> ==
+
Most modern PCs come with an Ethernet port. When Linux is installed, this device is called eth0. You can determine the IP address of this device with the ifconfig command.
 
+
现在大多数的计算机都带有以太网网卡。当LINUX安装的时候,这个网卡叫做eth0。可以通过命令ifconfig来确定这个网卡的IP地址。
+
  
 
  [root@bigboy tmp]# ifconfig -a
 
  [root@bigboy tmp]# ifconfig -a
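Review bot: the Chinese text removed in this hunk (the "= 介绍 =" introduction and the translated headings and paragraphs for "How to Configure Your NIC's IP Address" and "Determining Your IP Address") gets no replacement, so readers of this Chinese-language wiki lose the translation in the same edit that strips the <br> tags. Consider keeping the translated paragraphs, or moving them to a translated page linked through the existing {{Languages|...}} template, and making the markup cleanup a separate edit.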
第70行: 第53行:
 
  [root@bigboy tmp]#
 
  [root@bigboy tmp]#
  
<br> In this example, eth0 has no IP address because this box is using wireless interface wlan0 as its main NIC. Interface wlan0 has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0
 
  
在这个例子中,eth0没有IP地址,以为这个计算机使用的是无线网卡wlan0作为他的主要网卡。接口wlan0有一个192.168.1.100的IP地址和255.255.255.0的子网掩码。
+
In this example, eth0 has no IP address because this box is using wireless interface wlan0 as its main NIC. Interface wlan0 has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0
  
You can see that this command gives good information on the interrupts, or PCI bus ID, used by each card. On very rare occasions you might find that your NIC card doesn't work because it shares both an interrupt and memory access address with some other device. You can look at the contents of the /proc/interrupts file to get a listing of all the interrupt IRQs used by your system. In the example below we can see that there are no conflicts with each IRQ from 0 to 15 having only a single entry. Devices eth0 and eth1 use interrupts 10 and 5, respectively: <br>
+
You can see that this command gives good information on the interrupts, or PCI bus ID, used by each card. On very rare occasions you might find that your NIC card doesn't work because it shares both an interrupt and memory access address with some other device. You can look at the contents of the /proc/interrupts file to get a listing of all the interrupt IRQs used by your system. In the example below we can see that there are no conflicts with each IRQ from 0 to 15 having only a single entry. Devices eth0 and eth1 use interrupts 10 and 5, respectively:
 
+
可以看到这个命令给出了关于中断,每个网卡使用的PCI总线ID的具体信息。有时你或许发现你的网卡不能工作,因为它和其他设备共享了一个中断和内存访问地址。你看一看一下/proc/interrupts文件的内容,它列出了系统中使用的所用的中断请求(IRQ)。下面的例子中,我们可以看到从0到15的每个IRQ没有发生冲突。设备eth0和eth1分别使用中断号10和5:<br>
+
  
 
  [root@bigboy tmp]# cat /proc/interrupts
 
  [root@bigboy tmp]# cat /proc/interrupts
  CPU0
+
              CPU0
  0: 2707402473 XT-PIC timer
+
    0: 2707402473         XT-PIC timer
  1: 67 XT-PIC i8042
+
    1:         67         XT-PIC i8042
  2: 0 XT-PIC cascade
+
    2:           0         XT-PIC cascade
  5: 411342 XT-PIC eth1
+
    5:     411342         XT-PIC eth1
  8: 1 XT-PIC rtc
+
    8:           1         XT-PIC rtc
  10: 1898752 XT-PIC eth0
+
  10:     1898752         XT-PIC eth0
  11: 0 XT-PIC uhci_hcd
+
  11:           0         XT-PIC uhci_hcd
  12: 58 XT-PIC i8042
+
  12:         58         XT-PIC i8042
  14: 5075806 XT-PIC ide0
+
  14:     5075806         XT-PIC ide0
  15: 506 XT-PIC ide1
+
  15:         506         XT-PIC ide1
  NMI: 0
+
  NMI:           0
  ERR: 43
+
  ERR:         43
 
  [root@bigboy tmp]#
 
  [root@bigboy tmp]#
  
 
If there are conflicts, you might need to refer to the manual for the offending device to try to determine ways to either use another interrupt or memory I/O location.
 
If there are conflicts, you might need to refer to the manual for the offending device to try to determine ways to either use another interrupt or memory I/O location.
 
如果存在冲突,或许你需要参考设备的帮助手册来试着决定用另外的一个中断号或者内存地址。
 
  
 
== Changing Your IP Address ==
 
== Changing Your IP Address ==
 +
  
 
If you wanted, you could give this eth0 interface an IP address using the ifconfig command.
 
If you wanted, you could give this eth0 interface an IP address using the ifconfig command.
 
== 更改IP地址<br> ==
 
 
需要的话,你可以用ifconfig命令给eth0网卡一个新的IP地址:<br>
 
  
 
  [root@bigboy tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up
 
  [root@bigboy tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up
第112行: 第87行:
 
Fedora Linux also makes life a little easier with interface configuration files located in the /etc/sysconfig/network-scripts directory. Interface eth0 has a file called ifcfg-eth0, eth1 uses ifcfg-eth1, and so on. You can place your IP address information in these files, which are then used to auto-configure your NICs when Linux boots. See Figure 3-1 for two samples of interface eth0. One assumes the interface has a fixed IP address, and the other assumes it requires an IP address assignment using DHCP.
 
Fedora Linux also makes life a little easier with interface configuration files located in the /etc/sysconfig/network-scripts directory. Interface eth0 has a file called ifcfg-eth0, eth1 uses ifcfg-eth1, and so on. You can place your IP address information in these files, which are then used to auto-configure your NICs when Linux boots. See Figure 3-1 for two samples of interface eth0. One assumes the interface has a fixed IP address, and the other assumes it requires an IP address assignment using DHCP.
  
上面命令结尾的“up”,激活了网卡。为了长久有效,你要添加这个命令到/etc/rc.local文件中,这个文件在每次启动的时候会被执行。<br>
 
  
Fedora linux在配置网卡文件更容易一些。这些网卡文件都保存在/etc/sysconfig/network-scripts目录中。网卡eth0的配置文件是ifcfg-eth0,eth1的配置文件是ifcfg-eth1。你可以把你的IP地址添加到这些文件中,当启动linux时,系统会自动配置你的网卡。图3-1就是一个例子。一个网卡采用了固定IP地址,另一个网卡这用DHCP获得IP地址。<br>
+
=== Figure 3-1 - File formats for network-scripts ===
 
+
{| border="1" cellpadding="5" cellspacing="0" align="center"  
=== 图3-1 - network-scripts文件的格式 ===
+
 
+
{| cellspacing="0" cellpadding="5" border="1" align="center"
+
 
|-
 
|-
| style="background: rgb(0, 128, 0) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; color: white;" | Fixed IP Address
+
! style="background:#008000; color:white" | Fixed IP Address
|- valign="top"
+
|-valign="top"
|  
+
|
 
  [root@bigboy tmp]# cd /etc/sysconfig/network-scripts
 
  [root@bigboy tmp]# cd /etc/sysconfig/network-scripts
 
  [root@bigboy network-scripts]# cat ifcfg-eth0
 
  [root@bigboy network-scripts]# cat ifcfg-eth0
第141行: 第112行:
 
   
 
   
 
  [root@bigboy network-scripts]#
 
  [root@bigboy network-scripts]#
 
+
|-
 
|}
 
|}
  
{| cellspacing="0" cellpadding="5" border="1" align="center"
+
{| border="1" cellpadding="5" cellspacing="0" align="center"  
 
|-
 
|-
| style="background: rgb(0, 128, 0) none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; color: white;" | Getting the IP Address Using DHCP
+
! style="background:#008000; color:white" | Getting the IP Address Using DHCP
|- valign="top"
+
|-valign="top"
|  
+
|
 
  [root@bigboy tmp]# cd /etc/sysconfig/network-scripts
 
  [root@bigboy tmp]# cd /etc/sysconfig/network-scripts
 
  [root@bigboy network-scripts]# cat ifcfg-eth0
 
  [root@bigboy network-scripts]# cat ifcfg-eth0
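Review bot: style point on the table markup: the "|-" added directly before the closing "|}" of the "Fixed IP Address" table starts a row that has no cells. Drop it so the table ends after the command listing. The header cell change from "|" with the long -moz-* style to "! style="background:#008000; color:white"" is fine as it stands.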
第160行: 第131行:
 
   
 
   
 
  [root@bigboy network-scripts]#
 
  [root@bigboy network-scripts]#
 
+
|-
 
|}
 
|}
  
<br> As you can see eth0 will be activated on booting, because the parameter ONBOOT has the value yes and not no. You can read more about netmasks and DHCP in Chapter 2, "[[Quick HOWTO : Ch02 : Introduction to Networking|Introduction to Networking]]", that acts as an introduction to networking.
 
 
就像你看到的,eth0在启动时被激活,因为参数ONBOOT是yes,而不是no。你可以在第二章“I网络介绍”中获得更多关于网络掩码和DHCP的知识。<br>
 
 
The default RedHat/Fedora installation will include the broadcast and network options in the network-scripts file. These are optional. <br>
 
  
默认的RedHat/Fedora 安装会包括网络脚本文件的广播和网络选项配置。这些是可选的。<br>
+
As you can see eth0 will be activated on booting, because the parameter ONBOOT has the value yes and not no. You can read more about netmasks and DHCP in Chapter 2, "[[Quick HOWTO : Ch02 : Introduction to Networking|Introduction to Networking]]",  that acts as an introduction to networking.
  
After you change the values in the configuration files for the NIC you have to deactivate and activate it for the modifications to take effect. The ifdown and ifup commands can be used to do this: <br>
+
The default RedHat/Fedora installation will include the broadcast and network options in the network-scripts file. These are optional.
  
在改变网卡的配置文件内容后,你需要使设备失效,然后再激活,从而使修改生效。可以使用命令ifdown和ifup:<br>
+
After you change the values in the configuration files for the NIC you have to deactivate and activate it for the modifications to take effect. The ifdown and ifup commands can be used to do this:
  
 
  [root@bigboy network-scripts]# ifdown eth0
 
  [root@bigboy network-scripts]# ifdown eth0
 
  [root@bigboy network-scripts]# ifup eth0
 
  [root@bigboy network-scripts]# ifup eth0
  
Your server will have to have a default gateway for it to be able to communicate with the Internet. This will be covered later in the chapter. <br>
+
Your server will have to have a default gateway for it to be able to communicate with the Internet. This will be covered later in the chapter.
 
+
为了能于Internet通信,你的服务器将会有个默认的网关。这在下面的章节中涉及到。<br>
+
  
 
=== How DHCP Affects the DNS Server You Use ===
 
=== How DHCP Affects the DNS Server You Use ===
  
DHCP怎样影响你使用的DNS服务器
 
  
Your DHCP server not only supplies the IP address your Linux box should use, but also the desired DNS servers. When using DHCP for an interface, make sure your /etc/resolv.conf file has the servers configuration lines commented out to prevent any conflicts. <br>
+
Your DHCP server not only supplies the IP address your Linux box should use, but also the desired DNS servers. When using DHCP for an interface, make sure your /etc/resolv.conf file has the servers configuration lines commented out to prevent any conflicts.
  
你的DHCP服务器,不止为linux系统提供IP地址,还会提供所需要的DNS服务器。当你的网卡使用DHCP服务时,请确信/etc/resolv.conf存在服务器的配置行被注释掉来防止出现冲突。<br>
+
== Multiple IP Addresses on a Single NIC ==
  
== Multiple IP Addresses on a Single NIC ==
 
  
 
In the previous section "Determining Your IP Address" you may have noticed that there were two wireless interfaces: wlan0 and wlan0:0. Interface wlan0:0 is actually a child interface wlan0, a virtual subinterface also known as an IP alias. IP aliasing is one of the most common ways of creating multiple IP addresses associated with a single NIC. Aliases have the name format parent-interface-name:X, where X is the sub-interface number of your choice.
 
In the previous section "Determining Your IP Address" you may have noticed that there were two wireless interfaces: wlan0 and wlan0:0. Interface wlan0:0 is actually a child interface wlan0, a virtual subinterface also known as an IP alias. IP aliasing is one of the most common ways of creating multiple IP addresses associated with a single NIC. Aliases have the name format parent-interface-name:X, where X is the sub-interface number of your choice.
 
== 一个网卡上多个IP地址<br> ==
 
 
在上一节中,你或许注意到存在两个无线网卡:wlan0和wlan0:0,网卡wan0:0实际上是wlan0的子网卡,即一个虚拟的接口,也成为IP别名。IP别名是在为单个网卡分配多个IP地址的最多的方式。别名有一个父网卡名:X,这个x是你选择的子网卡数字。
 
  
 
The process for creating an IP alias is very similar to the steps outlined for the real interface in the previous section, "Changing Your IP Address":
 
The process for creating an IP alias is very similar to the steps outlined for the real interface in the previous section, "Changing Your IP Address":
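Review bot: in the "How DHCP Affects the DNS Server You Use" paragraph, "the servers configuration lines" does not name what the reader should comment out; in /etc/resolv.conf these are the lines beginning with nameserver. Since the paragraph is touched by this edit anyway, suggest wording it as "has the nameserver lines commented out".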
第203行: 第161行:
 
* Verify that no other IP aliases with the same name exists with the name you plan to use. In this we want to create interface wlan0:0.
 
* Verify that no other IP aliases with the same name exists with the name you plan to use. In this we want to create interface wlan0:0.
 
* Create the virtual interface with the ifconfig command
 
* Create the virtual interface with the ifconfig command
 
创建IP别名与改变网卡的IP地址的的过程是相似的:<br>首先确保父网卡真实存在。<br>检测你所用的名字与已存在的IP别名不同。这里我们创建wlan0:0。<br>用ifconfig命令创建一个虚拟网卡。
 
  
 
  [root@bigboy tmp]# ifconfig wlan0:0 192.168.1.99 netmask 255.255.255.0 up
 
  [root@bigboy tmp]# ifconfig wlan0:0 192.168.1.99 netmask 255.255.255.0 up
  
 
* You should also create a /etc/sysconfig/network-scripts/ifcfg-wlan0:0 file so that the aliases will all be managed automatically with the ifup and ifdown commands. Here is a sample configuration:
 
* You should also create a /etc/sysconfig/network-scripts/ifcfg-wlan0:0 file so that the aliases will all be managed automatically with the ifup and ifdown commands. Here is a sample configuration:
 
你应该创建一个/etc/sysconfig/network-scripts/ifcfg-wlan0:0文件,以确保在ifup和ifdown命令操作过后自动配置。下面是一个配置文件的例子:
 
  
 
  DEVICE=wlan0:0
 
  DEVICE=wlan0:0
第218行: 第172行:
 
  NETMASK=255.255.255.0
 
  NETMASK=255.255.255.0
  
The commands to activate and deactivate the alias interface would therefore be: <br>
+
The commands to activate and deactivate the alias interface would therefore be:
 
+
使别名失效和激活的命令如下:<br>
+
 
+
 
  [root@bigboy tmp]# ifup wlan0:0
 
  [root@bigboy tmp]# ifup wlan0:0
 
  [root@bigboy tmp]# ifdown wlan0:0
 
  [root@bigboy tmp]# ifdown wlan0:0
第227行: 第179行:
 
'''Note:''' Shutting down the main interface also shuts down all its aliases too. Aliases can be shutdown independently of other interfaces.
 
'''Note:''' Shutting down the main interface also shuts down all its aliases too. Aliases can be shutdown independently of other interfaces.
  
After completing these four simple steps you should be able to ping the new IP alias from other servers on your network. <br>
+
After completing these four simple steps you should be able to ping the new IP alias from other servers on your network.
 
+
'''注意:'''关掉主网卡同时也会将他的别名关掉。但别名的关闭是独立于其他的网卡的。
+
 
+
在完成这四步配置之后,你可以在别的服务器上用ping命令测试你的网络上新的IP别名。<br>
+
  
 
== IP Address Assignment for a Direct DSL Connection ==
 
== IP Address Assignment for a Direct DSL Connection ==
  
== 为xDSL连接分配IP地址 ==
 
  
 
If you are using a DSL connection with fixed or static IP addresses, then the configuration steps are the same as those outlined earlier. You plug your Ethernet interface into the DSL modem, configure it with the IP address, subnet mask, broadcast address, and gateway information provided by your ISP and you should have connectivity when you restart your interface. Remember that you might also need to configure your DNS server correctly.
 
If you are using a DSL connection with fixed or static IP addresses, then the configuration steps are the same as those outlined earlier. You plug your Ethernet interface into the DSL modem, configure it with the IP address, subnet mask, broadcast address, and gateway information provided by your ISP and you should have connectivity when you restart your interface. Remember that you might also need to configure your DNS server correctly.
  
如果你使用固定IP地址(静态IP地址)来使用xDSL,那么配置的步骤和上面的列出的是相同的。你要把以太网卡和xDSL调制解调器相连,然后配置IP地址,子网掩码和网关信息,这些信息都是你的ISP为你提供的。当你重新使用网卡时,应该已经连接好了。记着,DNS服务器或许也需要配置。
+
If you are using a DSL connection with a DHCP or dynamic IP address assignment, then the process is different. Your ISP will provide you with a PPP authentication over Ethernet (PPPoE) username and password which will allow your computer to login transparently to the Internet each time it boots up. Fedora Linux installs the rp-pppoe RPM software package required to support this.
  
If you are using a DSL connection with a DHCP or dynamic IP address assignment, then the process is different. Your ISP will provide you with a PPP authentication over Ethernet (PPPoE) username and password which will allow your computer to login transparently to the Internet each time it boots up. Fedora Linux installs the rp-pppoe RPM software package required to support this. <br>
+
Note: Unless you specifically request static IP addresses, your ISP will provide you with a DHCP based connection. The DHCP IP address assigned to your computer and/or Internet router will often not change for many days and you may be fooled into thinking it is static.
  
如果你用DHCP即动态IP来使用xDSL连接,那么配置过程是不同的。你的ISP会为你提供PPPoE(以太网连接PPP网络)的用户名和密码,使你的计算机在引导后能够登录连接到Internet。Fedora Linux 安装了一个rp-pppoe的RPM软件包能够支持这个功能。<br>
+
Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "[[Quick HOWTO : Ch06 : Installing Linux Software|Installing Linux Software]]", on RPMs, covers how to do this in detail. When searching for the file, remember that the PPPoE RPM's filename usually starts with the word rp-pppoe followed by a version number like this: rp-pppoe-3.5-8.i386.rpm.
 
+
Note: Unless you specifically request static IP addresses, your ISP will provide you with a DHCP based connection. The DHCP IP address assigned to your computer and/or Internet router will often not change for many days and you may be fooled into thinking it is static. <br>
+
 
+
注意:如果你没有申请静态IP地址,那么你的ISP将会为你提供一个基于DHCP的连接。DHCP的IP地址为你的机器分配IP地址,这个IP地址可能保持好多天不变,请不要以为它是静态的。<br>
+
 
+
Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "[[Quick HOWTO : Ch06 : Installing Linux Software|Installing Linux Software]]", on RPMs, covers how to do this in detail. When searching for the file, remember that the PPPoE RPM's filename usually starts with the word rp-pppoe followed by a version number like this: rp-pppoe-3.5-8.i386.rpm. <br>
+
 
+
下载和安装RPM包并不是很难。如果你需要一个是新手,你可以在第六章"安装Linux软件"中了解更多关于RPM包和怎么安装的知识。当搜索这个软件的时候,PPPoE RMP包的文件名通常是以rp-pppoe文件开头,后跟软件的版本号,像这样:rp-pppoe-3.5.i386.rpm.<br>
+
  
 
After installing the RPM, you need to go through a number of steps to complete the connection. The PPPOE configuration will create a software-based virtual interface named ppp0 that will use the physical Internet interface eth0 for connectivity. Here's what you need to do:
 
After installing the RPM, you need to go through a number of steps to complete the connection. The PPPOE configuration will create a software-based virtual interface named ppp0 that will use the physical Internet interface eth0 for connectivity. Here's what you need to do:
 
安装RPM包后,你需要做一些配置。PPPOE的配置将会创建一个虚拟的有软件实现的网卡ppp0,他使用物理网卡eth0来连接。如下进行配置:
 
  
 
* Make a backup copy of your ifcfg-eth0 file.
 
* Make a backup copy of your ifcfg-eth0 file.
* 对文件ifcfg-eth0进行备份。
 
  
 
  [root@bigboy tmp]#
 
  [root@bigboy tmp]#
第267行: 第203行:
  
 
* Edit your ifcfg-eth0 file to have no IP information and also to be deactivated on boot time.
 
* Edit your ifcfg-eth0 file to have no IP information and also to be deactivated on boot time.
* 编辑ifcfg-eth0文件,删除关于IP的信息,并在启动机器后禁用该网卡。
 
  
 
  DEVICE=eth0
 
  DEVICE=eth0
第273行: 第208行:
  
 
* Shutdown your eth0 interface.
 
* Shutdown your eth0 interface.
* 关掉eth0网卡。
 
  
 
  [root@bigboy network-scripts]# ifdown eth0
 
  [root@bigboy network-scripts]# ifdown eth0
第279行: 第213行:
  
 
* Run the adsl-setup configuration script
 
* Run the adsl-setup configuration script
* 运行ADSL-setup 配置脚本。
 
  
 
  [root@bigboy network-scripts]# adsl-setup
 
  [root@bigboy network-scripts]# adsl-setup
  
:It will prompt you for your ISP username, the interface to be used (eth0) and whether you want to the connection to stay up indefinitely. We'll use defaults wherever possible.
+
: It will prompt you for your ISP username, the interface to be used (eth0) and whether you want to the connection to stay up indefinitely. We'll use defaults wherever possible.
 
+
:他将会提示你输入用户名,使用的网卡(eth0)和连接保持的选择。我们尽可能使用默认值。
+
  
  Welcome to the ADSL client setup.� First, I will run some checks on
+
  Welcome to the ADSL client setup.First, I will run some checks on
 
   
 
   
 
  your system to make sure the PPPoE client is installed properly...
 
  your system to make sure the PPPoE client is installed properly...
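Review bot: in the adsl-setup transcript, removing the stray "�" also removed the space after the full stop, leaving "setup.First"; the line should read "Welcome to the ADSL client setup. First, I will run some checks on". The same join appears further down the page as "dropped.If" in the demand-value prompt.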
第304行: 第235行:
 
  Do you want the link to come up on demand, or stay up continuously?
 
  Do you want the link to come up on demand, or stay up continuously?
 
  If you want it to come up on demand, enter the idle time in seconds
 
  If you want it to come up on demand, enter the idle time in seconds
  after which the link should be dropped.� If you want the link to
+
  after which the link should be dropped.If you want the link to
 
  stay up permanently, enter 'no' (two letters, lower-case.)
 
  stay up permanently, enter 'no' (two letters, lower-case.)
 
  NOTE: Demand-activated links do not interact well with dynamic IP
 
  NOTE: Demand-activated links do not interact well with dynamic IP
  addresses. You might have some problems with demand-activated links.
+
  addresses. You might have some problems with demand-activated links.
 
   
 
   
 
  Enter the demand value (default no):
 
  Enter the demand value (default no):
  
:It will then prompt you for your DNS server information. This step edits your /etc/resolv.conf file. If you're running BIND on your server in a caching DNS mode then you might want to leave this option blank. If you want your ISP to provide the IP address of its DNS server automatically then enter the word server.
+
: It will then prompt you for your DNS server information. This step edits your /etc/resolv.conf file. If you're running BIND on your server in a caching DNS mode then you might want to leave this option blank. If you want your ISP to provide the IP address of its DNS server automatically then enter the word server.
 
+
:Please refer to Chapter 18, "[[Quick HOWTO : Ch18 : Configuring DNS|Configuring DNS]]", for more information on BIND and DNS.
+
 
+
&nbsp;&nbsp;&nbsp;&nbsp; 下面提示输入DNS服务器的信息。这一步是在编辑/etc/resolv.conf文件。如果你在你的服务器上以缓存DNS方式正在运行BIND,你可以不用选择。如果你想让你的ISP自动提供DNS服务器的IP地址,请输入 server。
+
 
+
  
 +
: Please refer to Chapter 18, "[[Quick HOWTO : Ch18 : Configuring DNS|Configuring DNS]]", for more information on BIND and DNS.
 +
 
  DNS
 
  DNS
 
   
 
   
第325行: 第253行:
 
  Enter the DNS information here:
 
  Enter the DNS information here:
  
:The script will then prompt you for your ISP password
+
: The script will then prompt you for your ISP password
 
+
:接下来提示输入你的密码:
+
  
 
  PASSWORD
 
  PASSWORD
第334行: 第260行:
 
  Please re-enter your Password:
 
  Please re-enter your Password:
 
   
 
   
 
+
: Then it will ask whether you want regular users (not superuser root) to be able to activate/deactivate the new ppp0 interface. This may be required if non-root members of your family or home office need to get access to the Internet:
:Then it will ask whether you want regular users (not superuser root) to be able to activate/deactivate the new ppp0 interface. This may be required if non-root members of your family or home office need to get access to the Internet:
+
 
+
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 然后,他会询问你是否想让非超级用户使用ppp0接口。如果你在办公室或家里有需要连接Internet的非超级用户,那么这个设置是有必要的。
+
  
 
  USERCTRL
 
  USERCTRL
第343行: 第266行:
 
  Please enter 'yes' (two letters, lower-case.) if you want to allow normal user to start or stop DSL connection (default yes):
 
  Please enter 'yes' (two letters, lower-case.) if you want to allow normal user to start or stop DSL connection (default yes):
  
:The rp-pppoe package has two sample iptables firewall scripts located in the /etc/ppp directory named firewall-standalone and firewall-masq. They are very basic and don't cover rules to make your Linux box a web server, DNS server, or mail server. I'd recommend selecting none and using a variant of the basic script samples in Chapter 14, "[[Quick HOWTO : Ch14 : Linux Firewalls Using iptables|Linux Firewalls Using iptables]]", or the more comprehensive one found in Appendix II, [http://www.linuxhomenetworking.com/about/appendix-buy-lqfn.htm "Codes, Scripts, and Configurations"].
+
: The rp-pppoe package has two sample iptables firewall scripts located in the /etc/ppp directory named firewall-standalone and firewall-masq. They are very basic and don't cover rules to make your Linux box a web server, DNS server, or mail server. I'd recommend selecting none and using a variant of the basic script samples in Chapter 14, "[[Quick HOWTO : Ch14 : Linux Firewalls Using iptables|Linux Firewalls Using iptables]]", or the more comprehensive one found in Appendix II, [http://www.linuxhomenetworking.com/about/appendix-buy-lqfn.htm "Codes, Scripts, and Configurations"].
 
+
:
+
  
 
  FIREWALLING
 
  FIREWALLING
 
   
 
   
  Please choose the firewall rules to use. Note that these rules are very basic. You are strongly
+
  Please choose the firewall rules to use. Note that these rules are very basic. You are strongly
 
  encouraged to use a more sophisticated firewall setup; however, these will provide basic security.  
 
  encouraged to use a more sophisticated firewall setup; however, these will provide basic security.  
 
  If you are running any servers on your machine, you must choose 'NONE' and set up firewalling
 
  If you are running any servers on your machine, you must choose 'NONE' and set up firewalling
 
  yourself. Otherwise, the firewall rules will deny access to all standard servers like Web, e-mail,
 
  yourself. Otherwise, the firewall rules will deny access to all standard servers like Web, e-mail,
  ftp, etc. If you are using SSH, the rules will block outgoing SSH connections which allocate a
+
  ftp, etc. If you are using SSH, the rules will block outgoing SSH connections which allocate a
 
  privileged source port.
 
  privileged source port.
 
   
 
   
 
  The firewall choices are:
 
  The firewall choices are:
 
   
 
   
  0 - NONE: This script will not set any firewall rules. You are responsible
+
  0 - NONE: This script will not set any firewall rules. You are responsible
  for ensuring the security of your machine. You are STRONGLY
+
          for ensuring the security of your machine. You are STRONGLY
  recommended to use some kind of firewall rules.
+
          recommended to use some kind of firewall rules.
 
  1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
 
  1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
 
  2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
 
  2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
  for a LAN
+
                for a LAN
 
   
 
   
 
  Choose a type of firewall (0-2): 0
 
  Choose a type of firewall (0-2): 0
  
:You'll then be asked whether you want the connection to be activated upon booting. Most people would say yes.
+
: You'll then be asked whether you want the connection to be activated upon booting. Most people would say yes.
  
 
  Start this connection at boot time
 
  Start this connection at boot time
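Review bot: missing documentation in the FIREWALLING step: the walkthrough answers 0 (NONE) and then moves on to starting the connection at boot, and the text points to Chapter 14 for firewall scripts, but no step says to have those rules loaded before ppp0 comes up. Suggest adding one sentence after the Chapter 14 reference stating that the iptables script should be in place before the link is activated, since with NONE the setup script sets no rules itself.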
第374行: 第295行:
 
  Please enter no or yes (default no):yes
 
  Please enter no or yes (default no):yes
  
:Just before exiting, you'll get a summary of the parameters you entered and the relevant configuration files will be updated to reflect your choices when you accept them:
+
: Just before exiting, you'll get a summary of the parameters you entered and the relevant configuration files will be updated to reflect your choices when you accept them:
  
 
  ** Summary of what you entered **
 
  ** Summary of what you entered **
第381行: 第302行:
 
  Ethernet Interface: eth0
 
  Ethernet Interface: eth0
 
   
 
   
  User name: bigboy-login@isp
+
  User name:         bigboy-login@isp
 
  Activate-on-demand: No
 
  Activate-on-demand: No
  DNS: Do not adjust
+
  DNS:               Do not adjust
  Firewalling: NONE
+
  Firewalling:       NONE
  User Control: yes
+
  User Control:       yes
 
  Accept these settings and adjust configuration files (y/n)? y
 
  Accept these settings and adjust configuration files (y/n)? y
 
   
 
   
第393行: 第314行:
 
   (But first backing it up to /etc/ppp/pap-secrets.bak)
 
   (But first backing it up to /etc/ppp/pap-secrets.bak)
  
:At the very end it will tell you the commands to use to activate /deactivate your new ppp0 interface and to get a status of the interface's condition.
+
: At the very end it will tell you the commands to use to activate /deactivate your new ppp0 interface and to get a status of the interface's condition.
  
 
  Congratulations, it should be all set up!
 
  Congratulations, it should be all set up!
第400行: 第321行:
 
  Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status.
 
  Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status.
 
   
 
   
 
+
: '''Note:''' This example recommends using the adsl-status command with the name of the PPPoE interface configuration file. This command defaults to show information for interface ppp0, and therefore listing the ifcfg-ppp0 filename won't be necessary in most home environments.
:'''Note:''' This example recommends using the adsl-status command with the name of the PPPoE interface configuration file. This command defaults to show information for interface ppp0, and therefore listing the ifcfg-ppp0 filename won't be necessary in most home environments.
+
  
 
After you have completed installing rp-pppoe you should be able to access the Internet over your DHCP DSL connection as expected.
 
After you have completed installing rp-pppoe you should be able to access the Internet over your DHCP DSL connection as expected.
  
<br>
 
  
 
=== Some Important Files Created By adsl-setup ===
 
=== Some Important Files Created By adsl-setup ===
 +
  
 
The adsl-setup script creates three files that will be of interest to you. The first is the ifcfg-ppp0 file with interface's link layer connection parameters
 
The adsl-setup script creates three files that will be of interest to you. The first is the ifcfg-ppp0 file with interface's link layer connection parameters
第439行: 第359行:
 
  [root@bigboy network-scripts]# more /etc/ppp/pap-secrets
 
  [root@bigboy network-scripts]# more /etc/ppp/pap-secrets
 
  # Secrets for authentication using PAP
 
  # Secrets for authentication using PAP
  # client server secret IP addresses
+
  # client       server secret                 IP addresses
  "bigboy-login@isp" * "password"
+
  "bigboy-login@isp" *       "password"
 
  [root@bigboy network-scripts]#
 
  [root@bigboy network-scripts]#
  
<br>
 
  
 
=== Simple Troubleshooting ===
 
=== Simple Troubleshooting ===
  
You can run the adsl-status command to determine the condition of your connection. In this case the package has been installed but the interface hasn't been activated.
 
  
 +
You can run the adsl-status command to determine the condition of your connection. In this case the package has been installed but the interface hasn't been activated.
 +
 
  [root@bigboy tmp]# adsl-status
 
  [root@bigboy tmp]# adsl-status
 
  Note: You have enabled demand-connection; adsl-status may be inaccurate.
 
  Note: You have enabled demand-connection; adsl-status may be inaccurate.
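Review bot: the pap-secrets listing in this hunk is only realigned, so the section still shows the ISP login and its cleartext secret ("bigboy-login@isp" * "password") without saying who may read the file. Suggest adding one sentence after the listing stating that /etc/ppp/pap-secrets and /etc/ppp/chap-secrets should be readable by root only, since running more on either file reveals the password.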
第459行: 第379行:
 
  [root@bigboy tmp]# adsl-status
 
  [root@bigboy tmp]# adsl-status
 
  adsl-status: Link is up and running on interface ppp0
 
  adsl-status: Link is up and running on interface ppp0
  ppp0: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1462 inet
+
  ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1462 inet
 
  ...
 
  ...
 
  ...
 
  ...
第467行: 第387行:
  
 
== IP Address Assignment for a Cable Modem Connection ==
 
== IP Address Assignment for a Cable Modem Connection ==
 +
  
 
Cable modems use DHCP to get their IP addresses so you can configure your server's Ethernet interface accordingly.
 
Cable modems use DHCP to get their IP addresses so you can configure your server's Ethernet interface accordingly.
第851行: 第772行:
 
In this case interface eth0 is specifically given the logical name eth0, while the logical name for eth1 is implied to be the same.
 
In this case interface eth0 is specifically given the logical name eth0, while the logical name for eth1 is implied to be the same.
  
chileto
+
===The iface Stanza===
 +
The iface stanza defines the characteristics of a logical interface. Typically the first line of these stanzas starts with the word iface, followed by the logical name of the interface, the protocol used, and finally the type of addressing scheme to be used, such as DHCP or static. Protocol keywords include inet for regular TCP/IP, inet6 for IPv6, ipx for the older IPX protocol used by Novell, and loopback for loopback addresses.
 +
 
 +
Subsequent lines in the stanza define protocol characteristics such as addresses, subnet masks, and default gateways. In this example, interface eth1 is given the IP address 216.10.119.240/27 while interface eth0 gets its IP address using DHCP.
 +
 
 +
# The primary network interface
 +
auto eth1
 +
iface eth1 inet static
 +
        address 216.10.119.240
 +
        netmask 255.255.255.224
 +
        network 216.10.119.224
 +
        broadcast 216.10.119.255
 +
        gateway 216.10.119.241
 +
        dns-nameservers 216.10.119.241
 +
 +
# The secondary network interface
 +
auto eth0
 +
iface eth0 inet dhcp
 +
 
 +
'''Note:''' When static IP addresses are used, a default gateway usually needs to be defined. Remember to place the gateway statement in the correct stanza with the appropriate router IP address.
  
 
===Creating Interface Aliases===
 
===Creating Interface Aliases===
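Review bot: the added example pairs a static eth1 that sets "gateway 216.10.119.241" with "iface eth0 inet dhcp", while the closing Note only says to place the gateway statement in the correct stanza. The chapter states elsewhere that DHCP servers automatically assign a default gateway, so this configuration can end up with two default routes, which the chapter warns against. Suggest the Note say so and state which interface is meant to own the default route.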

Revision as of 09:14, 3 December 2008 (Wed)


Introduction

Now that you have a firm grasp of many of the most commonly used networking concepts, it is time to apply them to the configuration of your server. Some of these activities are automatically covered during a Linux installation, but you will often find yourself having to know how to modify these initial settings whenever you need to move your server to another network, add a new network interface card or use an alternative means of connecting to the Internet.

In Chapter 2, "Introduction to Networking", we started with an explanation of TCP/IP, so we'll start this Linux networking chapter with a discussion on how to configure the IP address of your server.

How to Configure Your NIC's IP Address

You need to know all the steps needed to configure IP addresses on a NIC card. Web site shopping cart applications frequently need an additional IP address dedicated to them. You also might need to add a secondary NIC interface to your server to handle data backups. Last but not least, you might just want to play around with the server to test your skills.

This section shows you how to do the most common server IP activities with the least amount of headaches.

Determining Your IP Address

Most modern PCs come with an Ethernet port. When Linux is installed, this device is called eth0. You can determine the IP address of this device with the ifconfig command.

[root@bigboy tmp]# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0x1820

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:787 errors:0 dropped:0 overruns:0 frame:0
TX packets:787 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:82644 (80.7 Kb) TX bytes:82644 (80.7 Kb)

wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47379 errors:0 dropped:0 overruns:0 frame:0
TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4676853 (4.4 Mb) TX bytes:43209032 (41.2 Mb)
Interrupt:11 Memory:c887a000-c887b000

wlan0:0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5
inet addr:192.168.1.99 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Memory:c887a000-c887b000
 
[root@bigboy tmp]#


In this example, eth0 has no IP address because this box is using wireless interface wlan0 as its main NIC. Interface wlan0 has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0.

You can see that this command gives good information on the interrupts, or PCI bus ID, used by each card. On very rare occasions you might find that your NIC card doesn't work because it shares both an interrupt and memory access address with some other device. You can look at the contents of the /proc/interrupts file to get a listing of all the interrupt IRQs used by your system. In the example below we can see that there are no conflicts with each IRQ from 0 to 15 having only a single entry. Devices eth0 and eth1 use interrupts 10 and 5, respectively:

[root@bigboy tmp]# cat /proc/interrupts
             CPU0
   0:  2707402473          XT-PIC  timer
   1:          67          XT-PIC  i8042
   2:           0          XT-PIC  cascade
   5:      411342          XT-PIC  eth1
   8:           1          XT-PIC  rtc
  10:     1898752          XT-PIC  eth0
  11:           0          XT-PIC  uhci_hcd
  12:          58          XT-PIC  i8042
  14:     5075806          XT-PIC  ide0
  15:         506          XT-PIC  ide1
NMI:           0
ERR:          43
[root@bigboy tmp]#

If there are conflicts, you might need to refer to the manual for the offending device to try to determine ways to either use another interrupt or memory I/O location.

Changing Your IP Address

If you wanted, you could give this eth0 interface an IP address using the ifconfig command.

[root@bigboy tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up

The "up" at the end of the command activates the interface. To make this permanent each time you boot up, you'll have to add this command to your /etc/rc.local file, which is run at the end of every reboot.

Fedora Linux also makes life a little easier with interface configuration files located in the /etc/sysconfig/network-scripts directory. Interface eth0 has a file called ifcfg-eth0, eth1 uses ifcfg-eth1, and so on. You can place your IP address information in these files, which are then used to auto-configure your NICs when Linux boots. See Figure 3-1 for two samples of interface eth0. One assumes the interface has a fixed IP address, and the other assumes it requires an IP address assignment using DHCP.


Figure 3-1 - File formats for network-scripts

Fixed IP Address
[root@bigboy tmp]# cd /etc/sysconfig/network-scripts
[root@bigboy network-scripts]# cat ifcfg-eth0

#
# File: ifcfg-eth0
#
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
#
# The following settings are optional
#
BROADCAST=192.168.1.255
NETWORK=192.168.1.0

[root@bigboy network-scripts]#

Getting the IP Address Using DHCP
[root@bigboy tmp]# cd /etc/sysconfig/network-scripts
[root@bigboy network-scripts]# cat ifcfg-eth0

#
# File: ifcfg-eth0
#
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

[root@bigboy network-scripts]#


As you can see, eth0 will be activated on booting, because the parameter ONBOOT has the value yes and not no. You can read more about netmasks and DHCP in Chapter 2, "Introduction to Networking".

The default RedHat/Fedora installation will include the broadcast and network options in the network-scripts file. These are optional.

After you change the values in the configuration files for the NIC you have to deactivate and activate it for the modifications to take effect. The ifdown and ifup commands can be used to do this:

[root@bigboy network-scripts]# ifdown eth0
[root@bigboy network-scripts]# ifup eth0

Your server will have to have a default gateway for it to be able to communicate with the Internet. This will be covered later in the chapter.

How DHCP Affects the DNS Server You Use

Your DHCP server not only supplies the IP address your Linux box should use, but also the desired DNS servers. When using DHCP for an interface, make sure your /etc/resolv.conf file has the servers configuration lines commented out to prevent any conflicts.

Multiple IP Addresses on a Single NIC

In the previous section, "Determining Your IP Address", you may have noticed that there were two wireless interfaces: wlan0 and wlan0:0. Interface wlan0:0 is actually a child interface of wlan0, a virtual subinterface also known as an IP alias. IP aliasing is one of the most common ways of creating multiple IP addresses associated with a single NIC. Aliases have the name format parent-interface-name:X, where X is the sub-interface number of your choice.

The process for creating an IP alias is very similar to the steps outlined for the real interface in the previous section, "Changing Your IP Address":

  • First ensure the parent real interface exists
  • Verify that no other IP alias exists with the name you plan to use. In this case we want to create interface wlan0:0.
  • Create the virtual interface with the ifconfig command
[root@bigboy tmp]# ifconfig wlan0:0 192.168.1.99 netmask 255.255.255.0 up
  • You should also create a /etc/sysconfig/network-scripts/ifcfg-wlan0:0 file so that the aliases will all be managed automatically with the ifup and ifdown commands. Here is a sample configuration:
DEVICE=wlan0:0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.99
NETMASK=255.255.255.0

The commands to activate and deactivate the alias interface would therefore be:

[root@bigboy tmp]# ifup wlan0:0
[root@bigboy tmp]# ifdown wlan0:0

Note: Shutting down the main interface also shuts down all its aliases. Aliases can be shut down independently of other interfaces.

After completing these four simple steps you should be able to ping the new IP alias from other servers on your network.

IP Address Assignment for a Direct DSL Connection

If you are using a DSL connection with fixed or static IP addresses, then the configuration steps are the same as those outlined earlier. You plug your Ethernet interface into the DSL modem, configure it with the IP address, subnet mask, broadcast address, and gateway information provided by your ISP and you should have connectivity when you restart your interface. Remember that you might also need to configure your DNS server correctly.

If you are using a DSL connection with a DHCP or dynamic IP address assignment, then the process is different. Your ISP will provide you with a PPP authentication over Ethernet (PPPoE) username and password which will allow your computer to log in transparently to the Internet each time it boots up. Fedora Linux installs the rp-pppoe RPM software package required to support this.

Note: Unless you specifically request static IP addresses, your ISP will provide you with a DHCP based connection. The DHCP IP address assigned to your computer and/or Internet router will often not change for many days and you may be fooled into thinking it is static.

Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", on RPMs, covers how to do this in detail. When searching for the file, remember that the PPPoE RPM's filename usually starts with the word rp-pppoe followed by a version number like this: rp-pppoe-3.5-8.i386.rpm.

After installing the RPM, you need to go through a number of steps to complete the connection. The PPPoE configuration will create a software-based virtual interface named ppp0 that will use the physical Internet interface eth0 for connectivity. Here's what you need to do:

  • Make a backup copy of your ifcfg-eth0 file.
[root@bigboy tmp]#
[root@bigboy tmp]# cd /etc/sysconfig/network-scripts/
[root@bigboy network-scripts]# ls ifcfg-eth0
ifcfg-eth0
[root@bigboy network-scripts]# cp ifcfg-eth0 DISABLED.ifcfg-eth0
  • Edit your ifcfg-eth0 file to have no IP information and also to be deactivated on boot time.
DEVICE=eth0
ONBOOT=no
  • Shutdown your eth0 interface.
[root@bigboy network-scripts]# ifdown eth0
[root@bigboy network-scripts]#
  • Run the adsl-setup configuration script
[root@bigboy network-scripts]# adsl-setup

It will prompt you for your ISP username, the interface to be used (eth0) and whether you want the connection to stay up indefinitely. We'll use defaults wherever possible.

Welcome to the ADSL client setup.  First, I will run some checks on

your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root): bigboy-login@isp

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0):

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped.  If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses.  You might have some problems with demand-activated links.

Enter the demand value (default no):

It will then prompt you for your DNS server information. This step edits your /etc/resolv.conf file. If you're running BIND on your server in a caching DNS mode then you might want to leave this option blank. If you want your ISP to provide the IP address of its DNS server automatically then enter the word server.
Please refer to Chapter 18, "Configuring DNS", for more information on BIND and DNS.

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses', enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are doing and not modify your DNS setup.
Enter the DNS information here:

The script will then prompt you for your ISP password:

PASSWORD

Please enter your Password:
Please re-enter your Password:

Then it will ask whether you want regular users (not superuser root) to be able to activate/deactivate the new ppp0 interface. This may be required if non-root members of your family or home office need to get access to the Internet:

USERCTRL

Please enter 'yes' (two letters, lower-case.) if you want to allow normal user to start or stop DSL connection (default yes):

The rp-pppoe package has two sample iptables firewall scripts located in the /etc/ppp directory named firewall-standalone and firewall-masq. They are very basic and don't cover rules to make your Linux box a web server, DNS server, or mail server. I'd recommend selecting none and using a variant of the basic script samples in Chapter 14, "Linux Firewalls Using iptables", or the more comprehensive one found in Appendix II, "Codes, Scripts, and Configurations".

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are very basic.  You are strongly
encouraged to use a more sophisticated firewall setup; however, these will provide basic security. 
If you are running any servers on your machine, you must choose 'NONE' and set up firewalling
yourself. Otherwise, the firewall rules will deny access to all standard servers like Web, e-mail,
ftp, etc.  If you are using SSH, the rules will block outgoing SSH connections which allocate a
privileged source port.

The firewall choices are:

0 - NONE: This script will not set any firewall rules.  You are responsible
         for ensuring the security of your machine.  You are STRONGLY
         recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
                for a LAN

Choose a type of firewall (0-2): 0

You'll then be asked whether you want the connection to be activated upon booting. Most people would say yes.

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes

Just before exiting, you'll get a summary of the parameters you entered and the relevant configuration files will be updated to reflect your choices when you accept them:

** Summary of what you entered **


Ethernet Interface: eth0

User name:          bigboy-login@isp
Activate-on-demand: No
DNS:                Do not adjust
Firewalling:        NONE
User Control:       yes
Accept these settings and adjust configuration files (y/n)? y

Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
 (But first backing it up to /etc/ppp/chap-secrets.bak)
 (But first backing it up to /etc/ppp/pap-secrets.bak)

At the very end it will tell you the commands to use to activate/deactivate your new ppp0 interface and to get a status of the interface's condition.

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status.

Note: This example recommends using the adsl-status command with the name of the PPPoE interface configuration file. This command defaults to show information for interface ppp0, and therefore listing the ifcfg-ppp0 filename won't be necessary in most home environments.

After you have completed installing rp-pppoe you should be able to access the Internet over your DHCP DSL connection as expected.


Some Important Files Created By adsl-setup

The adsl-setup script creates three files that will be of interest to you. The first is the ifcfg-ppp0 file with the interface's link layer connection parameters:

[root@bigboy network-scripts]# more ifcfg-ppp0
USERCTL=yes
BOOTPROTO=dialup
NAME=DSLppp0
DEVICE=ppp0
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=20
LCP_FAILURE=3
LCP_INTERVAL=80
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=yes 
SYNCHRONOUS=no
ETH=eth0
PROVIDER=DSLppp0
USER=bigboy-login@isp
PEERDNS=no
[root@bigboy network-scripts]#

The others are the duplicate /etc/ppp/pap-secrets and /etc/ppp/chap-secrets files with the username and password needed to log in to your ISP:

[root@bigboy network-scripts]# more /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client        server  secret                  IP addresses
"bigboy-login@isp" *       "password"
[root@bigboy network-scripts]#
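
Both secrets files, and the .bak copies that adsl-setup reports making, hold the ISP password in cleartext, so none of them should be accessible to anyone but their owner. The check below is an added example, not part of the original chapter or of rp-pppoe; the function names and the EXPOSED label are hypothetical, and it runs against a constructed temporary directory standing in for /etc/ppp.

```shell
#!/bin/sh
# Added example (not part of rp-pppoe): find PPPoE credential files that
# group or other users can access. Names and labels are hypothetical.

# group_other_bits FILE -> the six group/other permission characters from
# `ls -ld`, e.g. "r--r--"; "------" means only the owner has access.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# count_secrets FILE -> number of credential lines (not blank, not comments).
count_secrets() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | wc -l | tr -d ' '
}

# audit_ppp_secrets DIR -> one EXPOSED line per credential-bearing file that
# is accessible beyond its owner. DIR is /etc/ppp on a real system. The .bak
# names are the backups adsl-setup says it makes before rewriting the files.
audit_ppp_secrets() {
    for name in pap-secrets chap-secrets pap-secrets.bak chap-secrets.bak; do
        f=$1/$name
        [ -f "$f" ] || continue
        n=$(count_secrets "$f")
        bits=$(group_other_bits "$f")
        if [ "$n" -gt 0 ] && [ "$bits" != "------" ]; then
            echo "EXPOSED $name entries=$n group/other=$bits"
        fi
    done
    return 0
}

# make_ppp_sample DIR -> constructed files; the credential line is the
# placeholder shown in this chapter, not a real login.
make_ppp_sample() {
    for name in pap-secrets chap-secrets chap-secrets.bak; do
        printf '%s\n' '# client server secret IP addresses' \
            '"bigboy-login@isp" * "password"' > "$1/$name"
    done
    printf '%s\n' '# Secrets for authentication using PAP' > "$1/pap-secrets.bak"
    chmod 600 "$1/pap-secrets"        # correct: owner only
    chmod 644 "$1/chap-secrets"       # fault: world-readable password
    chmod 644 "$1/pap-secrets.bak"    # readable, but holds no credentials
    chmod 640 "$1/chap-secrets.bak"   # fault: group-readable old password
}

demo=$(mktemp -d)
make_ppp_sample "$demo"
audit_ppp_secrets "$demo"     # on a real host: audit_ppp_secrets /etc/ppp
rm -rf "$demo"
```

A finding is cleared by running chmod 600 on the file and confirming that root owns it.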


Simple Troubleshooting

You can run the adsl-status command to determine the condition of your connection. In this case the package has been installed but the interface hasn't been activated.

[root@bigboy tmp]# adsl-status
Note: You have enabled demand-connection; adsl-status may be inaccurate.
adsl-status: Link is attached to ppp0, but ppp0 is down
[root@bigboy tmp]#

After activation, the interface appears to work correctly.

[root@bigboy tmp]# ifup ppp0
[root@bigboy tmp]# adsl-status
adsl-status: Link is up and running on interface ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1462 inet
...
...
[root@bigboy tmp]#

For further troubleshooting information you can visit the Web site of rp-pppoe at Roaring Penguin (www.roaringpenguin.com). There are some good tips there on how to avoid problems with VPN clients.

IP Address Assignment for a Cable Modem Connection

Cable modems use DHCP to get their IP addresses so you can configure your server's Ethernet interface accordingly.

How to Activate/Shut Down Your NIC

The ifup and ifdown commands can be used respectively to activate and deactivate a NIC interface. You must have an ifcfg file in the /etc/sysconfig/network-scripts directory for these commands to work. Here is an example for interface eth0:


[root@bigboy tmp]# ifdown eth0
[root@bigboy tmp]# ifup eth0

How to View Your Current Routing Table

The netstat -nr command will provide the contents of the routing table. Networks with a gateway of 0.0.0.0 are usually directly connected to the interface. No gateway is needed to reach your own directly connected interface, so a gateway address of 0.0.0.0 seems appropriate. The route with a destination address of 0.0.0.0 is your default gateway.

  • In this example there are two gateways, the default and one to 255.255.255.255 which is usually added on DHCP servers. Server bigboy is a DHCP server in this case.
[root@bigboy tmp]# netstat -nr

Kernel IP routing table
Destination     Gateway     Genmask         Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0     255.255.255.255 UH    40  0      0    wlan0
192.168.1.0     0.0.0.0     255.255.255.0   U     40  0      0    wlan0
127.0.0.0       0.0.0.0     255.0.0.0       U     40  0      0    lo
0.0.0.0         192.168.1.1 0.0.0.0         UG    40  0      0    wlan0
[root@bigboy tmp]#
  • In this example, there are multiple gateways handling traffic destined for different networks on different interfaces.
[root@bigboy tmp]# netstat -nr

Kernel IP routing table
Destination   Gateway       Genmask         Flags MSS Window irtt Iface
172.16.68.64  172.16.69.193 255.255.255.224 UG    40  0      0    eth1
172.16.11.96  172.16.69.193 255.255.255.224 UG    40  0      0    eth1
172.16.68.32  172.16.69.193 255.255.255.224 UG    40  0      0    eth1
172.16.67.0   172.16.67.135 255.255.255.224 UG    40  0      0    eth0
172.16.69.192 0.0.0.0       255.255.255.192 U     40  0      0    eth1
172.16.67.128 0.0.0.0       255.255.255.128 U     40  0      0    eth0
172.16.0.0    172.16.67.135 255.255.0.0     UG    40  0      0    eth0
172.16.0.0    172.16.67.131 255.240.0.0     UG    40  0      0    eth0
127.0.0.0     0.0.0.0       255.0.0.0       U     40  0      0    lo
0.0.0.0       172.16.69.193 0.0.0.0         UG    40  0      0    eth1
[root@bigboy tmp]#

How to Change Your Default Gateway

Your server needs to have a single default gateway. DHCP servers will automatically assign a default gateway to DHCP configured NICs, but NICs with configured static IP addresses will need to have a manually configured default gateway. This can be done with a simple command. This example uses a newly installed wireless interface called wlan0; most PCs would be using the standard Ethernet interface eth0.

[root@bigboy tmp]# route add default gw 192.168.1.1 wlan0

In this case, make sure that the router/firewall with IP address 192.168.1.1 is connected to the same network as interface wlan0!

Once done, you'll need to update your /etc/sysconfig/network file to reflect the change. This file is used to configure your default gateway each time Linux boots.

NETWORKING=yes
HOSTNAME=bigboy
GATEWAY=192.168.1.1

Note: In Debian based systems the default gateway is permanently defined in the /etc/network/interfaces file. See the section "Debian / Ubuntu Network Configuration" later in this chapter for more details.

Some people don't bother modifying network specific files and just place the route add command in the script file /etc/rc.d/rc.local which is run at the end of each reboot.

It is possible to define default gateways in the NIC configuration file in the /etc/sysconfig/network-scripts directory, but you run the risk of inadvertently assigning more than one default gateway when you have more than one NIC. This could cause connectivity problems. If one of the default gateways has no route to the intended destination, every other packet will become lost. Firewalls that are designed to block packets with irregular sequence numbers and unexpected origins could also obstruct your data flow.

How to Configure Two Gateways

Some networks may have multiple router/firewalls providing connectivity. Here's a typical scenario:

  • You have one router providing access to the Internet that you'd like to have as your default gateway (see the default gateway example earlier)
  • You also have another router providing access to your corporate network using addresses in the range 10.0.0.0 to 10.255.255.255. Let's assume that this router has an IP address of 192.168.1.254

The Linux box used in this example uses interface wlan0 for its Internet connectivity. You will most likely be using interface eth0, so please adjust your steps accordingly.

There are a number of ways to add this new route.


Adding Temporary Static Routes

The route add command can be used to add new routes to your server that will last till the next reboot. It has the advantage of being universal to all versions of Linux and is well documented in the man pages. In our example the reference to the 10.0.0.0 network has to be preceded with a -net switch and the subnet mask and gateway values also have to be preceded by the netmask and gw switches respectively.

[root@bigboy tmp]# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

If you wanted to add a route to an individual server, then the "-host" switch would be used with no netmask value. (The route command automatically knows the mask should be 255.255.255.255). Here is an example for a route to host 10.0.0.1.

[root@bigboy tmp]# route add -host 10.0.0.1 gw 192.168.1.254 wlan0

A universal way of making this change persistent after a reboot would be to place this route add command in the file /etc/rc.d/rc.local, which is always run at the end of the booting process.

Adding Permanent Static Routes

In Fedora Linux, permanent static routes are added on a per interface basis in files located in the /etc/sysconfig/network-scripts directory. The filename format is route-interface-name so the filename for interface wlan0 would be route-wlan0.

The format of the file is quite intuitive with the target network coming in the first column followed by the word via and then the gateway's IP address. In our routing example, to set up a route to network 10.0.0.0 with a subnet mask of 255.0.0.0 (a mask with the first 8 bits set to 1) via the 192.168.1.254 gateway, we would have to configure file /etc/sysconfig/network-scripts/route-wlan0 to look like this:

#
# File /etc/sysconfig/network-scripts/route-wlan0
#
10.0.0.0/8 via 192.168.1.254

Note: The /etc/sysconfig/network-scripts/route-* filename is very important. Adding the wrong interface extension at the end will result in the routes not being added after the next reboot. There will also be no reported errors on the screen or any of the log files in the /var/log/ directory.

You can test the new file by running the /etc/sysconfig/network-scripts/ifup-routes command with the interface name as the sole argument. In the next example we check the routing table to see no routes to the 10.0.0.0 network and execute the ifup-routes command, which then adds the route:

[root@bigboy tmp]# netstat -nr

Kernel IP routing table

Destination  Gateway       Genmask       Flags MSS Window irtt Iface
192.168.1.0  0.0.0.0       255.255.255.0 U     0   0      0    wlan0
169.254.0.0  0.0.0.0       255.255.0.0   U     0   0      0    wlan0
0.0.0.0      192.168.1.1   0.0.0.0       UG    0   0      0    wlan0
[root@bigboy tmp]# /etc/sysconfig/network-scripts/ifup-routes wlan0
[root@bigboy tmp]# netstat -nr
Kernel IP routing table
Destination  Gateway       Genmask       Flags MSS Window irtt Iface
192.168.1.0  0.0.0.0       255.255.255.0 U     0   0      0    wlan0
169.254.0.0  0.0.0.0       255.255.0.0   U     0   0      0    wlan0
10.0.0.0     192.168.1.254 255.0.0.0     UG    0   0      0    wlan0
0.0.0.0      192.168.1.1   0.0.0.0       UG    0   0      0    wlan0
[root@bigboy tmp]#

Note: In Debian based systems, permanent static routes are configured using the /etc/network/interfaces file. See the section "Debian / Ubuntu Network Configuration" later in this chapter for more details.
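
The gateway and static-route pitfalls described above (a gateway that is not on the interface's own network, GATEWAY set in more than one ifcfg file, a route-* file whose suffix matches no interface) can be checked before the next reboot. The script below is an added example, not a Fedora tool or code from the original chapter; the function names and finding labels are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not a Fedora tool): audit a network-scripts directory for
# the gateway and static-route mistakes this chapter warns about.
# All function names and finding labels are hypothetical.

# ip2int A.B.C.D -> the address as an integer; fails on malformed input.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case $1$2$3$4 in *[!0-9]*) return 1 ;; esac
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cfg_get FILE KEY -> value of KEY=... (last one wins), quotes stripped.
# The file is parsed as text, never sourced.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1 |
        tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# on_link GW IP MASK -> 0 if GW is inside the subnet IP/MASK,
# 1 if it is outside, 2 if any value cannot be parsed.
on_link() {
    g=$(ip2int "$1") && a=$(ip2int "$2") && m=$(ip2int "$3") || return 2
    [ $(( g & m )) -eq $(( a & m )) ]
}

# audit_netcfg DIR -> one finding per line on stdout.
# Unparsable addresses are reported as OFFLINK_GW as well.
audit_netcfg() {
    dir=$1
    gw_files=0
    for cfg in "$dir"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        gw=$(cfg_get "$cfg" GATEWAY)
        [ -n "$gw" ] || continue
        gw_files=$((gw_files + 1))
        ip=$(cfg_get "$cfg" IPADDR); mask=$(cfg_get "$cfg" NETMASK)
        if [ -n "$ip" ] && ! on_link "$gw" "$ip" "$mask"; then
            echo "OFFLINK_GW ${cfg##*/ifcfg-} $gw"
        fi
    done
    # More than one ifcfg file naming a GATEWAY means competing defaults.
    [ "$gw_files" -le 1 ] || echo "MULTIPLE_GATEWAY $gw_files"

    for rt in "$dir"/route-*; do
        [ -f "$rt" ] || continue
        iface=${rt##*/route-}
        cfg=$dir/ifcfg-$iface
        if [ ! -f "$cfg" ]; then
            # Per the chapter, such routes are silently not added at boot.
            echo "ORPHAN_ROUTE_FILE route-$iface"
            continue
        fi
        ip=$(cfg_get "$cfg" IPADDR); mask=$(cfg_get "$cfg" NETMASK)
        [ -n "$ip" ] || continue      # DHCP interface: no subnet to compare
        while read -r net via gw rest || [ -n "$net" ]; do
            [ "$via" = via ] || continue
            on_link "$gw" "$ip" "$mask" || echo "OFFLINK_GW $iface $gw"
        done < "$rt"
    done
    return 0
}

# make_sample DIR -> writes constructed config files containing three faults.
make_sample() {
    printf '%s\n' DEVICE=eth0 IPADDR=10.1.1.10 NETMASK=255.255.255.0 \
        GATEWAY=10.1.1.1 > "$1/ifcfg-eth0"
    printf '%s\n' DEVICE=wlan0 IPADDR=192.168.1.100 NETMASK=255.255.255.0 \
        GATEWAY=192.168.1.1 > "$1/ifcfg-wlan0"
    printf '%s\n' '# constructed' '10.0.0.0/8 via 192.168.1.254' \
        '172.16.0.0/12 via 192.168.2.254' > "$1/route-wlan0"
    printf '%s\n' '10.0.0.0/8 via 192.168.1.254' > "$1/route-wlan1"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_netcfg "$demo"   # on a real host: audit_netcfg /etc/sysconfig/network-scripts
rm -rf "$demo"
```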

How to Delete a Route

Here's how to delete the routes added in the previous section.

[root@bigboy tmp]# route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

The file /etc/sysconfig/network-scripts/route-wlan0 will also have to be updated so that when you reboot the server will not reinsert the route. Delete the line that reads:

10.0.0.0/8 via 192.168.1.254

Changing NIC Speed and Duplex

There is no better Linux investment than the purchase of a fully Linux compatible NIC card. Most Linux vendors will have a list of compatible hardware on their Web sites: read this carefully before you start hooking up your machine to the network. If you can't find any of the desired models in your local computer store, then a model in the same family or series should be sufficient. Most cards will work, but only the fully compatible ones will provide you with error-free, consistent throughput.

Linux defaults to automatically negotiating the speed and duplex of its NIC with that of the switch to which it is attached. Configuring a switch port to auto-negotiate the speed and duplex often isn't sufficient because there are frequently differences in the implementation of the protocol standard.

Typically, NICs with failed negotiation will work, but this is usually accompanied by many collision type errors being seen on the NIC when using the ifconfig -a command and only marginal performance. Don't limit your troubleshooting of these types of errors to just failed negotiation; the problem could also be due to a bad NIC card, switch port, or cabling.


Using mii-tool

One of the original Linux tools for setting the speed and duplex of your NIC card was the mii-tool command. It is destined to be deprecated and replaced by the newer ethtool command, but many older NICs support only mii-tool so you'll need to be aware of it. Issuing the command without any arguments gives a brief status report, as seen in the next example, with unsupported NICs providing an Operation not supported message. NICs that are not compatible with mii-tool often will still work, but you have to refer to the manufacturer's guides to set the speed and duplex to anything but auto-negotiate.

[root@bigboy tmp]# mii-tool
SIOCGMIIPHY on 'eth0' failed: Operation not supported
eth1: 100 Mbit, half duplex, link ok
[root@bigboy tmp]#

By using the verbose mode -v switch you can get much more information. In this case, negotiation was OK, with the NIC selecting 100Mbps, full duplex mode (FD):

[root@bigboy tmp]# mii-tool -v
eth1: negotiated 100baseTx-FD, link ok
  product info: vendor 00:10:18, model 33 rev 2
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
[root@bigboy tmp]#


Setting Your NIC's Speed Parameters with mii-tool

You can set your NIC to force itself to a particular speed and duplex by using the -F switch with any of the following options: 100baseTx-FD, 100baseTx-HD, 10baseT-FD, or 10baseT-HD. Remember that you could lose all network connectivity to your server if you force your NIC to a particular speed/duplex that doesn't match that of your switch:

[root@bigboy tmp]# mii-tool -F 100baseTx-FD eth0

Unfortunately there is no way to make this setting permanent across reboots except by placing the command in the /etc/rc.local file, so that it is run at the very end of the booting process, or by creating your own startup script if you need it set earlier. Creating your own startup scripts is covered in Chapter 7, "The Linux Boot Process".

Using ethtool

The ethtool command is slated to be the replacement for mii-tool in the near future and tends to be supported by newer NIC cards.

The command provides the status of the interface you provide as its argument. Here we see interface eth0 not doing autonegotiation and set to a speed of 100 Mbps, full duplex. A list of supported modes is also provided at the top of the output.

[root@bigboy tmp]# ethtool eth0
Settings for eth0:
       Supported ports: [ TP MII ]
       Supported link modes:   10baseT/Half 10baseT/Full
                               100baseT/Half 100baseT/Full
       Supports auto-negotiation: Yes
       Advertised link modes:  10baseT/Half 10baseT/Full
                               100baseT/Half 100baseT/Full
       Advertised auto-negotiation: No
       Speed: 100Mb/s
       Duplex: Full
       Port: MII
       PHYAD: 1
       Transceiver: internal
       Auto-negotiation: off
       Supports Wake-on: g
       Wake-on: g
       Current message level: 0x00000007 (7)
       Link detected: yes
[root@bigboy tmp]#

Setting Your NIC's Speed Parameters with ethtool

Unlike mii-tool, ethtool settings can be permanently set as part of the interface's configuration script with the ETHTOOL_OPTS variable. In our next example, the settings will be set to 100 Mbps, full duplex with no chance for auto-negotiation on the next reboot:


#
# File: /etc/sysconfig/network-scripts/ifcfg-eth0
#
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
ETHTOOL_OPTS="speed 100 duplex full autoneg off"

You can test the application of these parameters by shutting down the interface and activating it again with the ifup and ifdown commands. These settings can also be changed from the command line using the -s switch followed by the interface name and its desired configuration parameters.

[root@bigboy tmp]# ethtool -s eth1 speed 100 duplex full autoneg off
[root@bigboy tmp]#

The Linux man pages give more details on other ethtool options, but you can get a quick summary by entering the ethtool command alone.

[root@bigboy tmp]# ethtool
...
...
        ethtool -s DEVNAME \
                [ speed 10|100|1000 ] \
                [ duplex half|full ]    \
                [ port tp|aui|bnc|mii|fibre ] \
...
...
[root@bigboy tmp]#

A Note About Duplex Settings

By default, Linux NICs negotiate their speed and duplex settings with the switch. This is done by exchanging electronic signals called Fast Link Pulses (FLP). When the speed and duplex are forced to a particular setting the FLPs are not sent. When a NIC is in auto-negotiation mode and detects a healthy, viable link but receives no FLPs, it errs on the side of caution and sets its duplex to half-duplex and sometimes it will also set its speed to the lowest configurable value. It is therefore possible to force a switch port to 100 Mbps full duplex, but have the auto-negotiating server NIC set itself to 100Mbps half-duplex which will result in errors. The same is true for the switch if the switch port is set to auto-negotiate and server NIC is set to 100 Mbps full duplex. It is best to either force both the switch port and server NIC to either auto-negotiate or the same forced speed and duplex values.
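
The check described in this note can be run over ethtool output. The following is an added example, not part of the original chapter; the function name classify_link, the verdict words and the two sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original chapter.
# classify_link reads `ethtool DEVNAME` output on stdin and prints one verdict line:
#   DEVICE VERDICT SPEED DUPLEX
classify_link() {
    awk -F': *' '
    /^Settings for / { dev = $0; sub(/^Settings for /, "", dev); sub(/:.*$/, "", dev) }
    $1 ~ /^[ \t]*Speed$/            { speed = $2 }
    $1 ~ /^[ \t]*Duplex$/           { duplex = $2 }
    $1 ~ /^[ \t]*Auto-negotiation$/ { autoneg = $2 }
    END {
        if (autoneg == "off")      verdict = "FORCED"      # no FLPs sent: switch port must be forced to match
        else if (duplex == "Half") verdict = "SUSPECT"     # negotiating NIC fell back: switch port may be forced
        else                       verdict = "NEGOTIATED"
        print dev, verdict, speed, duplex
    }'
}

# Constructed sample: trimmed from the ethtool output shown earlier in the chapter.
sample_forced() {
cat <<'EOF'
Settings for eth0:
       Advertised auto-negotiation: No
       Speed: 100Mb/s
       Duplex: Full
       Auto-negotiation: off
       Link detected: yes
EOF
}

# Constructed sample: a NIC left on auto-negotiate that ended up at half duplex.
sample_fallback() {
cat <<'EOF'
Settings for eth1:
       Speed: 100Mb/s
       Duplex: Half
       Auto-negotiation: on
       Link detected: yes
EOF
}

sample_forced   | classify_link
sample_fallback | classify_link
```

On a live server the input would come from ethtool eth0 | classify_link. A SUSPECT verdict is only a prompt to compare the switch port's configuration with the NIC's.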

How to Convert Your Linux Server into a Simple Router

Router/firewall appliances that provide basic Internet connectivity for a small office or home network are becoming more affordable every day, but when budgets are tight you might seriously want to consider modifying an existing Linux server to do the job.

Details on how to configure Linux firewall security are covered in Chapter 14, "Linux Firewalls Using iptables", but you need to understand how to activate routing through the firewall before it can become a functioning networking device.


Configuring IP Forwarding

For your Linux server to become a router, you have to enable packet forwarding. In simple terms packet forwarding enables packets to flow through the Linux box from one network to another. The Linux kernel configuration parameter to activate this is named net.ipv4.ip_forward and can be found in the file /etc/sysctl.conf. Remove the "#" from the line related to packet forwarding.

Before:
 
# Disables packet forwarding 
net.ipv4.ip_forward=0
 
After:
 
# Enables packet forwarding 
net.ipv4.ip_forward=1

This enables packet forwarding only when you reboot at which time Linux will create a file in one of the subdirectories of the special RAM memory-based /proc filesystem. To activate the feature immediately you have to force Linux to read the /etc/sysctl.conf file with the sysctl command using the -p switch. Here is how it's done:

[root@bigboy tmp]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
[root@bigboy tmp]#

Please refer to Appendix I for more information on adjusting kernel parameters.


Configuring Proxy ARP

If a server needs to send a packet to another device on the same network, it sends out an ARP request to the network asking for the MAC address of the other device.

If the same server needs to send a packet to another device on a remote network the process is different. The server first takes a look at its routing table to find out the IP address of the best router on its network that will be able to relay the packet to the destination. The server then sends an ARP request for the MAC address that matches the router's IP address. It then sends the packet to the router using the router's MAC address and a destination IP address of the remote server.

If there is no suitable router on its network, the server will then send out an ARP request for the MAC address of the remote server. Some routers can be configured to answer these types of ARP requests for remote networks. This feature is called proxy ARP. There are some disadvantages with this. One of the most common problems occurs if two routers are on the network configured for proxy ARP. In this scenario there is the possibility that either one will answer the local server's ARP request for the MAC address of the remote server. If one of the routers has an incorrect routing table entry for the remote network, then there is the risk that traffic to the remote server will occasionally get lost. In other words you can lose routing control.

Note: It is for this and other reasons that it is generally not a good idea to configure proxy ARP on a router. It is also good to always configure a default gateway on your server and use separate routing entries via other routers for all networks your default gateway may not know about.

Some types of bridging mode firewalls need to have proxy ARP enabled to operate properly. These devices are typically inserted as part of a daisy chain connecting multiple network switches together on the same LAN while protecting one section of a LAN from traffic originating on another section. The firewall typically isn't configured with an IP address on the LAN and appears to be an intelligent cable capable of selectively blocking packets.

If you need to enable proxy ARP on a Linux server the /proc filesystem comes into play again. Proxy ARP is handled by files in the /proc/sys/net/ipv4/conf/ directory. This directory then has subdirectories corresponding to each functioning NIC card on your server. Each subdirectory then has a file called proxy_arp. If the value within this file is 0, then proxy ARP on the interface is disabled; if the value is 1 then it is enabled.

You can use the /etc/sysctl.conf file mentioned in Appendix II to activate or disable proxy ARP. The next example activates proxy ARP, first for all interfaces and then for interfaces eth1 and wlan0.

#
# File: /etc/sysctl.conf
#
 
# Enables Proxy ARP on all interfaces
net/ipv4/conf/all/proxy_arp   = 1
 
# Enables Proxy ARP on interfaces eth1 and wlan0
net/ipv4/conf/eth1/proxy_arp  = 1
net/ipv4/conf/wlan0/proxy_arp = 1

You can then activate these settings with the sysctl command.

[root@bigboy tmp]# sysctl -p
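
Because forwarding and proxy ARP change what traffic the server will relay or answer for, it helps to review what a sysctl.conf file would turn on before running sysctl -p. The following is an added example, not part of the original chapter; the function name audit_sysctl and the sample file (built from the two fragments above, plus one constructed eth0 line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original chapter.
# audit_sysctl reads sysctl.conf text on stdin and prints the routing-related
# settings it would apply: the forwarding flag and every interface with proxy ARP on.
audit_sysctl() {
    awk '
    /^[ \t]*([#;]|$)/   { next }               # comment or blank line
    index($0, "=") == 0 { next }               # not an assignment
    {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        # Assumption: a key written with "/" is already a /proc/sys style path;
        # otherwise "." is the separator and is converted to "/".
        if (index(key, "/") == 0) gsub(/\./, "/", key)
        seen[key] = val                        # a later line overrides an earlier one
    }
    END {
        print "ip_forward=" (("net/ipv4/ip_forward" in seen) ? seen["net/ipv4/ip_forward"] : "unset")
        for (k in seen) {
            n = split(k, p, "/")
            if (n == 5 && p[1] == "net" && p[2] == "ipv4" && p[3] == "conf" &&
                p[5] == "proxy_arp" && seen[k] == "1")
                print "proxy_arp=" p[4]
        }
    }' | LC_ALL=C sort
}

# Constructed sample combining the two /etc/sysctl.conf fragments shown above.
sample_sysctl() {
cat <<'EOF'
# Enables packet forwarding
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter = 1

# Enables Proxy ARP on all interfaces
net/ipv4/conf/all/proxy_arp   = 1

# Enables Proxy ARP on interfaces eth1 and wlan0
net/ipv4/conf/eth1/proxy_arp  = 1
net/ipv4/conf/wlan0/proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp  = 0
EOF
}

sample_sysctl | audit_sysctl
```

The dotted and slash spellings of a key are reduced to the same path, so a value set twice in different notations is reported once, with the later line winning.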

Configuring Your /etc/hosts File

The /etc/hosts file is just a list of IP addresses and their corresponding server names. Your server will typically check this file before referencing DNS. If the name is found with a corresponding IP address then DNS won't be queried at all. Unfortunately, if the IP address for that host changes, you also have to update the file. This may not be much of a concern for a single server, but can become laborious if it has to be done companywide. For ease of management, it is often easiest to limit entries in this file to just the loopback interface and also the server's own hostname, and use a centralized DNS server to handle most of the rest. Sometimes you might not be the one managing the DNS server, and in such cases it may be easier to add a quick /etc/hosts file entry till the centralized change can be made.

192.168.1.101  smallfry

In the example above server smallfry has an IP address of 192.168.1.101. You can access 192.168.1.101 using the ping, telnet or any other network aware program by referring to it as smallfry. Here is an example using the ping command to see whether smallfry is alive and well on the network:

[root@bigboy tmp]# ping smallfry
PING zero (192.168.1.101) 56(84) bytes of data.
64 bytes from smallfry (192.168.1.101): icmp_seq=0 ttl=64 time=0.197 ms
64 bytes from smallfry (192.168.1.101): icmp_seq=1 ttl=64 time=0.047 ms


--- smallfry ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 0.034/0.092/0.197/0.074 ms, pipe 2
[root@bigboy tmp]#

You can also add aliases to the end of the line which enable you to refer to the server using other names. Here we have set it up so that smallfry can also be accessed using the names tiny and littleguy.

192.168.1.101  smallfry  tiny  littleguy

You should never have an IP address more than once in this file because Linux will use only the values in the first entry it finds.

192.168.1.101  smallfry    # (Wrong)
192.168.1.101  tiny        # (Wrong)
192.168.1.101  littleguy   # (Wrong)


The loopback Interface's localhost Entry

Usually the first entry in /etc/hosts defines the IP address of the server's virtual loopback interface. This is usually mapped to the name localhost.localdomain (the universal name used when a server refers to itself) and localhost (the shortened alias name). By default, Fedora inserts the hostname of the server between the 127.0.0.1 and the localhost entries like this:

127.0.0.1     bigboy    localhost.localdomain    localhost

When the server is connected to the Internet, the first entry after 127.0.0.1 needs to be the fully qualified domain name (FQDN) of the server, for example bigboy.my-site.com, like this:

127.0.0.1     bigboy.my-site.com    localhost.localdomain    localhost

Some programs such as Sendmail are very sensitive to this and if they detect what they feel is an incorrect FQDN they will default to using the name localhost.localdomain when communicating with another server on the network. This can cause confusion, as the other server also feels it is localhost.localdomain.

Note: You must always have a localhost and localhost.localdomain entry mapping to 127.0.0.1 for Linux to work properly and securely.
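
Both rules in this section, one line per IP address and a localhost plus localhost.localdomain mapping to 127.0.0.1, can be checked mechanically. The following is an added example, not part of the original chapter; the function name check_hosts, the finding labels and the two sample files are assumptions built from the entries shown above.

```shell
#!/bin/sh
# Added example, not from the original chapter.
# check_hosts reads hosts-file text on stdin and prints one finding per line
# (nothing when the file is clean).
check_hosts() {
    awk '
    {
        sub(/#.*/, "")                       # drop comments
        if (NF < 2) next                     # blank line or address with no name
        if ($1 in first) {
            # Repeated address: the chapter says only the first entry is used.
            printf "DUPLICATE %s line %d (first seen line %d):", $1, NR, first[$1]
            for (i = 2; i <= NF; i++) printf " %s", $i
            printf "\n"
        } else {
            first[$1] = NR
        }
        for (i = 2; i <= NF; i++)
            if (!($i in owner)) owner[$i] = $1   # first mapping of a name wins
    }
    END {
        n = split("localhost localhost.localdomain", need, " ")
        for (i = 1; i <= n; i++)
            if (owner[need[i]] != "127.0.0.1")
                print "MISSING " need[i] " -> 127.0.0.1"
    }'
}

# Constructed sample: the (Wrong) layout from above, with localhost.localdomain left out.
sample_bad_hosts() {
cat <<'EOF'
127.0.0.1      bigboy.my-site.com  localhost
192.168.1.101  smallfry    # (Wrong)
192.168.1.101  tiny        # (Wrong)
192.168.1.101  littleguy   # (Wrong)
EOF
}

# Constructed sample: the corrected layout using aliases on a single line.
sample_good_hosts() {
cat <<'EOF'
127.0.0.1      bigboy.my-site.com  localhost.localdomain  localhost
192.168.1.101  smallfry  tiny  littleguy
EOF
}

sample_bad_hosts  | check_hosts
sample_good_hosts | check_hosts
```

Run it against the real file with check_hosts < /etc/hosts. Each DUPLICATE finding lists the names on the repeated line so they can be moved onto the first entry as aliases.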

Debian / Ubuntu Network Configuration

Many of the core Fedora / Redhat commands and configuration files covered in this chapter can be used in Debian based operating systems, but there are some key differences.

The /etc/network/interfaces File

The main network configuration file is the /etc/network/interfaces file in which all the network interface parameters are defined. The file is divided into stanzas:

The auto Stanza

The auto stanza defines the interfaces that should be automatically initialized when the system boots up.

The mapping Stanza

This stanza maps configuration parameters for an interface depending on the output of a script. For example, on booting the script could prompt you as to whether your laptop Linux system is at home or work with the mapping statement using the answer to configure the appropriate IP address.

By default the much simpler hotplug system is used which assumes that the interfaces will have only one purpose. Typical hotplug configurations simply assign each physical interface with a matching logical interface name (nick name).

mapping hotplug
        script grep
        map eth0 eth0
        map eth1

In this case interface eth0 is specifically given the logical name eth0, while the logical name for eth1 is implied to be the same.

The iface Stanza

The iface stanza defines the characteristics of a logical interface. Typically the first line of these stanzas starts with the word iface, followed by the logical name of the interface, the protocol used, and finally the type of addressing scheme to be used, such as DHCP or static. Protocol keywords include inet for regular TCP/IP, inet6 for IPv6, ipx for the older IPX protocol used by Novell, and loopback for loopback addresses.

Subsequent lines in the stanza define protocol characteristics such as addresses, subnet masks, and default gateways. In this example, interface eth1 is given the IP address 216.10.119.240/27 while interface eth0 gets its IP address using DHCP.

# The primary network interface
auto eth1
iface eth1 inet static
        address 216.10.119.240
        netmask 255.255.255.224
        network 216.10.119.224
        broadcast 216.10.119.255
        gateway 216.10.119.241
        dns-nameservers 216.10.119.241

# The secondary network interface
auto eth0
iface eth0 inet dhcp

Note: When static IP addresses are used, a default gateway usually needs to be defined. Remember to place the gateway statement in the correct stanza with the appropriate router IP address.

Creating Interface Aliases

IP aliases can be easily created in the /etc/network/interfaces file once the main interface has already been defined. A modified duplicate of the main interface's iface stanza is required. A colon followed by the sub interface number needs to be added to the first line, and only the subnet mask and the new IP address need to follow, as can be seen in this example for interface eth1:1 with the IP address 216.10.119.239.

auto eth1:1
iface eth1:1 inet static
       address 216.10.119.239
       netmask 255.255.255.224

Adding Permanent Static Routes

The up option in the appropriate iface stanza of the /etc/network/interfaces file allows you to selectively run commands once the specified interface becomes activated with the ifup command. This makes it useful when adding permanent static routes.

In this example, a route to the 10.0.0.0/8 network via router address 216.10.119.225 has been added. Remember, the up option and the command must reside on the same line of the stanza.

# The primary network interface
auto eth1
iface eth1 inet static
        ...
        ...
        ...
        up route add -net 10.0.0.0 netmask 255.0.0.0 gw 216.10.119.225 eth1

A complete /etc/network/interfaces file

We can now construct a complete file based on the previous examples we discussed. Just like in Fedora, interfaces can be activated with the ifup and ifdown commands.

# 
# Debian / Ubuntu 
#

#
# File: /etc/network/interfaces
#

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
        script grep
        map eth0 eth0
        map eth1 eth1

# The primary network interface
auto eth1
iface eth1 inet static
        address 216.10.119.240
        netmask 255.255.255.224
        network 216.10.119.224
        broadcast 216.10.119.255
        gateway 216.10.119.241
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 216.10.119.241
        wireless-key 98d126d5ac
        wireless-essid schaaffe

        up route add -net 10.0.0.0 netmask 255.0.0.0 gw 216.10.119.225 eth1

auto eth1:1
iface eth1:1 inet static
        address 216.10.119.239
        netmask 255.255.255.224

# The secondary network interface
auto eth0
iface eth0 inet dhcp

For more information on the /etc/network/interfaces file just issue the command man interfaces from the command line.

Conclusion

As you can imagine, configuring Linux networking is just a first step in providing Internet access to your server. There are always things that can go wrong that may be totally out of your control. Good systems administrators know the tools needed to identify the probable causes of these types of problems, which enables them to know the type of help they need to fix them. The next two chapters show you how to confidently test your network and Linux server applications when things appear to go wrong. The skills you develop to identify and rectify these issues could prove to be invaluable to your company and career.