Network

Michael Zabalujev

Network Interface Setup

Introduction

A network is a system of nodes, such as computers, designed to exchange data. It is impossible to describe in this manual all the ways of accessing networks and all the possible network configuration options. Instead, the manual covers only the network access methods of the Compact distribution for the most commonly used types of networks.

The manual contains a set of general recommendations and pieces of advice related to this particular distribution. You may find fuller documentation both in various printed books and in electronic documents.

For working with the network in the Compact distribution, you can use both the commands common to all UNIX-like systems (for example, ifconfig, ping, traceroute, etc.) and the system of scripts specially designed to simplify work with the network (for example, the draknet utility described below).

In any case you should remember that both the manual and the automatic configuration of network connections in Linux are carried out by means of changing a number of configuration files, which are subsequently used by different programs. System administrators should know the location and functions of these files:

/etc/sysconfig/network

This file contains basic network settings, in particular the hostname of the computer and its domain name.

/etc/sysconfig/network-scripts

This directory contains system configuration files and scripts needed to work with different types of network devices and connections. For example, the file /etc/sysconfig/network-scripts/ifcfg-eth0 contains the settings for an Ethernet card with the eth0 interface, /etc/sysconfig/network-scripts/ifcfg-ppp0 contains the settings for a PPP modem connection.

/etc/ppp

This directory contains configuration files for PPP remote access to the Internet.

/etc/init.d/

This is a directory with various scripts that are activated during system startup. For example, network, firewall and some others are designed to set up the network at the moments when a computer starts up and shuts down.

Generally, in order to start all the network connections configured to be automatically launched on system startup, the following command should be issued:

# /etc/init.d/network start

To stop and restart, the stop and restart options are used, correspondingly.

To bring up an individual interface, issue # ifup interface, for example, # ifup eth0.

To bring an interface down, issue # ifdown interface.

Network Setup

The Linux system contains a full implementation of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite. TCP/IP has proved to be the most successful means of connecting computers all over the world into one network. If you have a computer with a Linux installation and an Ethernet network card, you can connect your computer to a local network or (if the corresponding connection is available) to the Internet, that is, to the world-wide network where the TCP/IP protocols are used for data exchange.

The Linux operating system allows TCP/IP to be used without any network device, since the network “loopback interface” enables the system to communicate with itself. This is required by some games and programs that use the “loopback”.

Before starting to configure TCP/IP, you should know certain network parameters. You will need the following:

IP address

This is the unique numeric name of the computer on the network, written as four decimal numbers from 0 to 255 separated by periods, for example, 128.253.153.54.

If you need to configure the loopback mode only, i.e. if you do not plan to connect to remote computers and you have no network card, but a connection of the TCP/IP computer to itself is modelled, then the IP address of the computer will be 127.0.0.1.

Netmask

The netmask format is identical to that of the IP address. The netmask defines which part of the IP address is the (sub)network number, and which part is the number of your computer on that network.[7] The netmask is a bit pattern: ANDing it with a host address yields the number of the network segment to which this address belongs. This is very important for sending packets. Therefore if, for example, you are able to connect to someone outside the local network, but cannot connect to anyone inside it, a wrong mask may have been specified.

The mask is defined by the network administrator when the network is first established, which means that the administrator must know it for sure. Most local networks are class C and use the mask 255.255.255.0. Class B networks have the mask 255.255.0.0. If no mask is given, the Linux network code (NET-3) selects one automatically from the address class, that is, it assumes that no subnetting is in use.

The same can be said about the loopback address. Since the address in this case is always 127.0.0.1, the mask is also always 255.0.0.0. This can be specified explicitly, or you can use the default mask parameters.

Network Address

This address is the result of a binary AND operation of two values: computer IP address and the mask. For example, if the mask has the following format: 255.255.255.0, and the IP address is 128.253.154.32, then the network address is 128.253.154.0. If the mask is 255.255.0.0, then the network address is 128.253.0.0.

If you only use the loopback, no network address is present.

Broadcast Address

This address is used to broadcast packets to all computers on a (sub)network. In general it is the result of a binary OR of the host IP address and the inverted netmask. Therefore, if the host number is the last byte of the IP address (in other words, if the mask is 255.255.255.0), then the broadcast address is the result of a binary OR of the expression 0.0.0.255 and the host IP address. For example, if the host IP address is 128.253.154.32, and the mask is 255.255.255.0, then the broadcast address is 128.253.154.255.

For historical reasons, some networks use the network address instead of the broadcast address. You should know this fact and if any doubts arise, you can ask your network administrator for help. Of course, in order to configure the network, it is in most cases sufficient to take the appropriate files from other computers on the same network, changing only the IP address of the computer.

If only the loopback is used, no broadcast address is present.

Gateway Address

This is the address of a computer which acts as the actual “gateway” to the outside world (i. e. to the computers that are outside of the local network). In many cases, the gateway address is derived from the host IP address by replacing the last group of digits with .1. For instance, if the host IP address is 128.253.154.32, then the gateway address may be 128.253.154.1.

In real life, several gateways can be used at once. A gateway is a computer located in two different networks simultaneously (i.e., it has IP addresses in different subnetworks). The purpose of the gateway is to forward packets between one network and the other. Many networks only have one gateway to the “outside world” (which in fact is represented by an immediately adjacent network). But in some cases several other networks may border the local network, with a separate gateway to connect to each one of them.

If only a loopback is used, no gateway is present. This is also true for the case when the local network is isolated from all other networks.

Name Server Address

Most networks have a server that translates host names into IP addresses. This is a name server of the Domain Name System (DNS). The address of this server should be obtained from the network administrator or the Internet provider. Such a server can also be set up on your own computer (the program that implements it is called named); in that case the name server address is 127.0.0.1. Unless it is absolutely necessary for you to run your own name server, it is recommended to use the one already available (if one exists).

If only a loopback is used, the name server address is not needed.
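The following is an added example, not part of the manual, that computes the parameters described above from an address and a mask using the same AND/OR operations, checks that a gateway address actually lies on the subnet (a gateway outside the subnet can never be reached directly, so the default route would be useless), and produces the ifcfg lines for the interface. The addresses are the manual's own examples; the device name eth0 and the BROADCAST key are assumptions for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer; raises ValueError for malformed input."""
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_is_valid(mask: str) -> bool:
    """A valid mask is a run of ones followed by a run of zeros, so the
    inverted mask must look like 2**k - 1 (adding 1 to it clears all bits)."""
    host_bits = _to_int(mask) ^ ALL_ONES
    return host_bits & (host_bits + 1) == 0


def derive(ip: str, mask: str) -> dict:
    """Network, broadcast and usable host range for an address/mask pair,
    computed with the bit operations described in the text."""
    if not mask_is_valid(mask):
        raise ValueError(f"non-contiguous netmask {mask}")
    ip_i, mask_i = _to_int(ip), _to_int(mask)
    host_bits = mask_i ^ ALL_ONES            # ones where the host number lives
    network = ip_i & mask_i                  # AND with the mask
    broadcast = ip_i | host_bits             # OR with the inverted mask
    prefix = 32 - host_bits.bit_length()     # e.g. 24 for 255.255.255.0
    tiny = prefix >= 31                      # /31 and /32 reserve no addresses
    return {
        "network": _to_str(network),
        "broadcast": _to_str(broadcast),
        "prefix": prefix,
        "first_host": _to_str(network if tiny else network + 1),
        "last_host": _to_str(broadcast if tiny else broadcast - 1),
    }


def same_subnet(ip: str, mask: str, other: str) -> bool:
    """True if `other` is a usable host address on the same subnet as ip/mask.
    Use it to sanity-check a gateway before writing it into the configuration."""
    params = derive(ip, mask)
    on_link = (_to_int(other) & _to_int(mask)) == _to_int(params["network"])
    return on_link and other not in (params["network"], params["broadcast"])


def ifcfg_text(device: str, ip: str, mask: str) -> str:
    """Body of /etc/sysconfig/network-scripts/ifcfg-<device> for a static
    address, using the parameter names the manual lists (plus BROADCAST)."""
    params = derive(ip, mask)
    lines = [
        f"DEVICE={device}",
        f"IPADDR={ip}",
        f"NETMASK={mask}",
        f"NETWORK={params['network']}",
        f"BROADCAST={params['broadcast']}",
        "ONBOOT=yes",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(derive("128.253.154.32", "255.255.255.0"))
    print(same_subnet("128.253.154.32", "255.255.255.0", "128.253.154.1"))
    print(ifcfg_text("eth0", "128.253.154.32", "255.255.255.0"))
```

The mask check matters in practice: a mask such as 255.0.255.0 is accepted by some tools but produces a network that no router will agree with, which shows up exactly as the "can reach outside but not inside" symptom mentioned above.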

The most commonly used network setup options in Compact can be chosen using the draknet utility. Therefore, it is recommended to try using it first, and only in the case when its functionality is not sufficient, you should try to set up the network manually.

After draknet starts, the program offers to try to identify network devices installed on your computer automatically. After this, you can set up one of the network cards (the devices identified automatically are marked in a special way). After this you should answer several questions (specify the required parameters), and then your network will be completely set up.

If the automatic network setup carried out by draknet does not satisfy you or does not work for some reason, you can set up the network manually.

The network is set up in several steps.

  1. Network Interface Definition

    To make the system work with the network, enter the string NETWORKING=yes into the file /etc/sysconfig/network (usually this is done during the installation). Network interfaces found by the system during its startup may or may not be involved in networking.

  2. Matching of Interfaces to IP Networks

    If an interface is used by the system, it should be registered: the directory /etc/sysconfig/network-scripts/ should contain the file ifcfg-interface_name (generally, these files are named ifcfg-eth0, ifcfg-eth1, etc.). In this file, the network configuration of the interface is defined line by line. The parameters IPADDR, NETWORK and NETMASK specify the host address, the network address and the network mask, respectively. If these parameters are to be obtained automatically, they are replaced by the line BOOTPROTO=receipt_method (BOOTPROTO=dhcp for setup using DHCP). The line ONBOOT=yes means that the interface is initialized during system startup (this is the usual setting for Ethernet networks).

    Note that the file /etc/sysconfig/network-scripts/ifcfg-device_name must contain the line DEVICE=device_name. The contents of this file are passed as parameters to the ifconfig network interface configuration utility, which must always be given the name of the interface.

    The system must always contain the lo network interface (loopback) with the address 127.0.0.1. The purpose of this interface is to connect to your own computer via the network, so that programs that use networking can work properly even when no network connection actually exists.

  3. IP Setup (Routing)

    In order to transfer data beyond the local networks directly attached to your computer, routing must be set up. In the system, routing is implemented as a table: any destination IP address and any destination subnetwork may have its own router (next hop), responsible for forwarding data towards that destination. The more one bits there are in a route's network mask, the more specific the route is and the higher its priority in the routing table. When choosing the router for a packet destined outside the local network, the system first looks for a host route (network mask 255.255.255.255), then for a network route (in order of decreasing mask length), and, finally, for the default route 0.0.0.0 with mask 0.0.0.0, which matches any destination.

    To view the routing table, use the netstat -rn command (or route -n). For each connected network the table also gives the network interface that handles the connection. In its simplest form, such a table contains one record of the form network — device per local network (usually for lo and eth0) and one record of the form 0.0.0.0 — router specifying the default router.

    The default router address is specified in the file /etc/sysconfig/network by the string GATEWAY=address.

    More information about network and network interface configuration parameters can be found in the /etc/sysconfig/network-scripts/README file.

  4. DNS Setup

    A computer connected to the Internet can use the Domain Name Service (DNS) to translate symbolic names (domain names) to numeric IP addresses and vice versa. For instance, the domain name www.org corresponds to the address 18.29.1.73, which can be seen by running the command host www.org. The addresses of the DNS servers used for this are specified in the file /etc/resolv.conf by lines of the form nameserver address (the file may contain several such lines). The domains in which an unqualified name is searched for are listed in the same file in the form domain domain_name or search domain_name1 domain_name2 ... (separated by spaces, without an equals sign). For example, if /etc/resolv.conf contains search office.altlinux.org, the command host workstation2 will first try workstation2.office.altlinux.org (a name containing no dots is expanded with the search list first) and then workstation2 itself.

    Name resolution is needed even when no DNS server is available. Instead of querying DNS, the system can use the file /etc/hosts, which contains lines of the form IP_address name1 name2 ... mapping names to numeric addresses. The file /etc/hosts is sufficient on an isolated local network. The file /etc/nsswitch.conf contains, among other records, a line that starts with hosts:, such as hosts: files dns. This line means that, to translate a name to an address or back, the system first consults /etc/hosts and, if no matching line is found, sends a DNS query.

  5. Setup of Available Network Services

    Usually, the configuration procedure for a specific network service (mail, WWW server, etc.) is described in the documentation for that service. However, “light” network services (such as cups-lpd or tftpd) may not handle network connections by themselves. Instead, they are started by the network metadaemon inetd (or xinetd). The metadaemon accepts incoming connection requests for any of these services, sets up the connection and runs the service, which then only reads and writes data. For such a service to work, the metadaemon must be started at system boot and the service's setup file /etc/xinetd.d/service_name must contain the parameter disable=no. In addition, access to a service from other networks is controlled by the line only_from=network_address in this file and in /etc/xinetd.conf (general xinetd settings); keep only_from as narrow as possible, since a service such as tftpd performs no authentication of its own.
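Step 3 above describes route selection by longest matching prefix. The following added example, which is not part of the manual, parses a routing table in the format printed by netstat -rn and applies that rule to several destinations, including the case where no default route exists. The table text is constructed for the example and was not captured from a real host.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed `netstat -rn` output (not captured from a real host): a
# workstation on 192.168.1.0/24 with a default router, a host route and a
# route to a second network through a different router on the same LAN.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.7     192.168.1.254   255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.0.0        192.168.1.2     255.0.0.0       UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
"""

# (destination, mask, prefix length, next hop or None if on-link, interface)
Route = Tuple[int, int, int, Optional[str], str]


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_routes(text: str) -> List[Route]:
    """Read the table printed by `netstat -rn` (or `route -n`)."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner and the column header; data lines start with a digit.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        mask_i = _ip(mask)
        prefix = bin(mask_i).count("1")
        next_hop = None if gw == "0.0.0.0" else gw   # 0.0.0.0: directly attached
        routes.append((_ip(dest), mask_i, prefix, next_hop, iface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Tuple[Optional[str], str, int]]:
    """Longest-prefix match: among all routes whose destination/mask covers
    the address, take the one with the longest mask. A /32 host route beats
    the /24 network route, which beats the /0 default route. Returns
    (next hop or None if on-link, interface, prefix), or None if the packet
    cannot be routed at all (no default route and no matching network)."""
    dst = _ip(destination)
    best = None
    for dest, mask, prefix, next_hop, iface in routes:
        if dst & mask == dest and (best is None or prefix > best[2]):
            best = (next_hop, iface, prefix)
    return best


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    for target in ("192.168.1.7", "192.168.1.9", "10.20.30.40", "8.8.8.8", "127.0.0.1"):
        print(target, "->", lookup(table, target))
```

A next hop of None means the destination is on a directly attached network and the packet is sent to it without passing through any router; a result of None for the whole lookup is what produces a "network is unreachable" error when the default route is missing.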

To check whether the TCP/IP network works, the following schema may be used.

First ensure that the interface that you have just set up works. To this end, use the command $ ping interface_ip_address.

After a response has been received, you can use the ping command to check the availability of any external interface on the same subnetwork as the interface that has just been set up. After this you should check the availability of DNS servers using the command $ host host_name DNS_server_name.

To check the Internet access, the command ping internet_server may be used, for example, ping www.altlinux.org.
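Step 4 of the setup and the host check above rely on the resolver trying /etc/hosts and DNS in the order given by /etc/nsswitch.conf, and on the search list from /etc/resolv.conf. The following added example, not part of the manual, models that behaviour: the files source matches /etc/hosts literally (it does not apply the search list), while the dns source tries the candidate names in resolver order (search domains first for a name with fewer dots than the ndots threshold, default 1). The configuration files and the stand-in name server answers are constructed for the example; the addresses are made up.

```python
from typing import Dict, List, Optional, Tuple

# Constructed configuration files (not copied from a real host).
RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 192.168.1.2
search office.altlinux.org altlinux.org
"""

HOSTS = """\
127.0.0.1       localhost localhost.localdomain
192.168.1.10    workstation2.office.altlinux.org workstation2
"""

NSSWITCH_HOSTS = "hosts: files dns"

# Stand-in for the name server (a dict instead of real queries); answers
# only for fully qualified names. The addresses are made up.
FAKE_DNS = {
    "printer.office.altlinux.org": "192.168.1.20",
    "www.altlinux.org": "192.0.2.10",
}


def parse_resolv(text: str) -> Tuple[List[str], List[str]]:
    """Return (nameservers, search list) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "nameserver":
            nameservers.append(fields[1])
        elif fields[0] == "search":
            search = fields[1:]           # a later search line replaces an earlier one
        elif fields[0] == "domain":
            search = [fields[1]]          # domain is a one-entry search list
    return nameservers, search


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every name and alias in /etc/hosts to its address (first entry wins)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table


def parse_nsswitch_hosts(line: str) -> List[str]:
    """'hosts: files dns' -> ['files', 'dns']."""
    label, _, sources = line.partition(":")
    if label.strip() != "hosts":
        raise ValueError("not a hosts: line")
    return sources.split()


def dns_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Names the resolver sends to DNS, in order. A trailing dot marks an
    absolute name; otherwise a name with fewer than `ndots` dots is expanded
    with each search domain before being tried as given."""
    if name.endswith("."):
        return [name[:-1]]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") < ndots:
        return expanded + [name]
    return [name] + expanded


def resolve(name: str, order: List[str], hosts: Dict[str, str],
            dns: Dict[str, str], search: List[str]) -> Optional[Tuple[str, str]]:
    """Apply the nsswitch order; returns (address, where it was found) or None."""
    for source in order:
        if source == "files":
            if name.lower() in hosts:
                return hosts[name.lower()], "files"
        elif source == "dns":
            for candidate in dns_candidates(name, search):
                if candidate in dns:
                    return dns[candidate], f"dns:{candidate}"
    return None


if __name__ == "__main__":
    servers, search = parse_resolv(RESOLV_CONF)
    order = parse_nsswitch_hosts(NSSWITCH_HOSTS)
    hosts = parse_hosts(HOSTS)
    for name in ("workstation2", "printer", "www.altlinux.org", "nothing"):
        print(name, "->", resolve(name, order, hosts, FAKE_DNS, search))
```

Because the files source ignores the search list, a short name such as workstation2 only resolves locally if the short form is listed as an alias in /etc/hosts, as in the sample above; otherwise the lookup falls through to DNS with the search domains appended.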

Internet Connection

First you should install and turn on the modem. If the modem is installed and turned on, go to the point Dial-up Connection Setup.

Modem Installation

First ensure that the modem was turned on during the operating system startup. If you have a hardware modem (not a winmodem), then in the vast majority of cases the operating system can automatically identify and set up the modem. To check the modem and, if necessary, change its serial (COM) port, proceed as follows:

  1. Run the kppp utility (Menu Networking->Remote access->KPPP or just enter the command kppp in a terminal). A program window appears, containing the following panes «Connect to», «Login ID», and «Password» (empty for now).

  2. Click on the «Setup...» button.

  3. Proceed to the «Modem» tab.

  4. Click on the button titled «Query Modem». If a window with the query results appears after a while, relax, click on the «Close» button and stop reading this section.

  5. If you see a message saying that no modem is found, open the «Device» tab.

  6. From the Modem device drop-down list, select the port to which your modem is connected. To this end, use the following table:

    Windows port name    Linux port name
    COM1                 /dev/ttyS0
    COM2                 /dev/ttyS1
    COM3                 /dev/ttyS2
    COM4                 /dev/ttyS3

  7. If after all this your modem did not start working, make sure that the modem you have is not a winmodem (also called softmodem), or read a detailed reference for KPPP in the KDE Help Center.

  8. If you have a so-called winmodem installed, prepare for certain inevitable problems, and visit the site http://www.linmodems.org/.

Dial-up Connection Setup

  1. Run KPPP and click on the «Setup...» button.

  2. In the window that appears, click on the «New...» button.

  3. Reject the option of using a wizard by clicking on the «Dialog Setup...» button. If you do not want to see this window any more, select the «Do not ask again » checkbox.

  4. In the «Connection Name» field, enter any name which you would like to use for your connection, and click on the «Add» button to add a telephone number. You can add alternative telephone numbers in the same way, if your provider offers more than one dialup number. To remove a telephone number, click on the «Remove» button.

  5. If your provider requires an explicit DNS entry to connect to the Internet, open the «DNS» tab, and in the «DNS IP address » field enter the DNS address. Click on the «Add» button. Usually ISP's offer two DNS server addresses, so you have to repeat the procedure for the second address. After this, click on the «OK» button. In most cases, DNS servers are automatically assigned by providers, and this step is not required.

  6. Click on the «OK» button once more.

  7. Now you should enter a user name (login), and a password. After this, click on the «Connect» button.

  8. When the connection is established, a connection indicator appears in the lower right corner of the screen. Now you can run a browser (Mozilla or Konqueror), and surf the Internet.

Electronic Mail

Michael Zabalujev

This section describes how to organize e-mail exchange both over the Internet and inside the local area network with the postfix e-mail server. It does not describe how to create and read electronic messages. But even if you have a personal computer with a dial-up Internet connection, you should look through this section.

You may be surprised by the fact that the postfix e-mail server is recommended for installation in any configuration of ALT Linux. This is so because in UNIX-like systems, the ability to send e-mail with a simple command-line call from the command shell is practically a must. Some programs (for instance, the cron service) use this to send messages to users. All electronic mail that passes through the computer is forwarded by an MTA (Mail Transport Agent), in our case postfix. Although many e-mail programs are capable of sending messages to remote SMTP servers, it is reasonable to charge the system mail server with this task too, so that you will not need to monitor the delivery of sent messages yourself. Other popular MTAs also exist (for instance, qmail, exim), but they have not been included in the current version of the distribution for several reasons. Sendmail, a veteran of the Internet, is inferior to postfix in a number of respects, including security. Besides, it is also extremely difficult to configure. In this manual, we will limit ourselves to recommendations for setting up postfix in a few typical situations. More detailed information can be obtained from the excellent documentation that is part of the postfix package.

postfix Packages

The name of the basic RPM package for postfix server setup in ALT Linux is, as you could have guessed, postfix. There is also a number of additional packages that provide services for receiving and sending messages in the network with various security levels. One of the SMTP server packages, postfix-smtpd or postfix-smtpd-sasl, is required by postfix to receive messages via the SMTP (or ESMTP) protocol both from the outside and locally. The second of these packages implements the SASL extensions, which are described further. There also exists a package postfix-sasl, which extends message delivery capabilities in the case when some receiving servers that the given server interacts with require SASL authentication.

Configuration Files

postfix configuration files are located in the /etc/postfix folder. Basic parameters are defined in main.cf file. Specifically, all the parameters discussed further in this section are defined in this file, unless specified otherwise.

In its original form, this file contains a configuration that allows the server to operate within the computer where it is installed, and some detailed comments with examples. After the configuration settings of a working postfix server are edited, the new configuration should be activated using the command service postfix reload, or, simply, postfix reload.

Domain Information

Host and domain names that are considered local when processing e-mail addresses are required for proper functioning of the mail server. If these names for postfix must differ from those that are produced by the hostname command output, set them with the myhostname and mydomain parameters.

Postfix on a Dial-up Machine

Several problems can occur when sending outgoing mail from computers that are not full-time Internet servers. For instance, on systems with a modem or another unstable connection it is not always possible to send messages to remote recipients via SMTP, and they have to be kept in the queue until a connection is established. For this, the defer_transports parameter is used, for example:

defer_transports = smtp

The delivery is activated using the /usr/sbin/sendmail -q command, which is called automatically when a PPP connection is established in ALT Linux.

As a fully functional MTA, postfix is able to find the servers that serve message recipients using DNS. Nevertheless, immediate delivery of messages from dial-up computers is undesirable because connection time is limited. Besides, direct delivery from dial-up addresses is a technique commonly used by spammers, which is why many servers check the sender's IP address against a database of known provider pool addresses and reject messages from these addresses. Thus it is reasonable to entrust outgoing mail delivery to the SMTP server of your ISP. This is controlled by the relayhost parameter, for example:

relayhost = [smtp.provider.net]

The square brackets tell postfix to connect to that host directly instead of looking up MX records for the name.

Postfix on a Client Machine on a Local Network

Workstations on a local network or computers on a network that belongs to a certain ISP, separated from the Internet by a firewall or NAT, have to send their outgoing mail to a mail server that serves the given network. To do this, the relayhost parameter, described above, is used. If the server is defined by an IP address, you can switch off the use of DNS to increase performance:

disable_dns_lookups = yes

If you want to place your network domain rather than the specific host name of your computer in your email address, set the myorigin parameter equal to the domain name:

myorigin = $mydomain

If user mailboxes are mounted from the server using NFS, postfix on client computers is used to send e-mail only. In this configuration, it is recommended to switch off the local and smtp agents in /etc/postfix/master.cf file.

Mail Server for Small Domains and Networks

Domains other than mydomain, and not configured as virtual postfix domains (see below), for which the server receives mail, need to be listed using the mydestination parameter, or in an additional file to which this parameter refers. In the same way, the mynetworks parameter describes the blocks of IP addresses which are considered internal and from which outgoing messages to any destination are accepted. Blocks of addresses that do not belong to the network served by the server must not be listed in mynetworks: any client in a listed block may relay mail through the server without authentication, which spammers will find and exploit (an “open relay”).

SASL authentication can be used to authenticate external users who wish to send messages via this server over SMTP. The postfix-smtpd-sasl package offers an alternative to postfix-smtpd with built-in support for SASL; a potential weakness of this extension is the inclusion of code that has not been checked for security thoroughly enough. The setup of SASL authentication is described in the postfix documentation in the SASL_README file.

Transformation of global addresses into local destination addresses is done according to tables such as virtual (see virtual(5)):

virtual_maps = hash:/etc/postfix/virtual

A sample of /etc/postfix/virtual contents:

      domain1.org # postfix-style domain (text is ignored here)
      name1@domain1.org user1
      name2@domain2.org user2@otherbox
      @domain2.org user3

After editing the table, you should translate it into a working image using postmap /etc/postfix/virtual command.

If some network users need to receive mail at their workstations using SMTP (this means that MTA's should work on their computers), names of computers in virtual or aliases tables (see below) should be substituted into the domain parts of their addresses.

Aliases and Address Transformations

Names of local recipients either coincide with names of the system users, or are taken from the aliases table (see aliases(5)):

      alias_maps = hash:/etc/postfix/aliases
      alias_database = hash:/etc/postfix/aliases

When installing postfix from scratch, an alias for the root username is created in this table. It is used for forwarding of all mail intended for the system administrator and sent to other system addresses to the name of a real user who performs the functions of an administrator. Initially, the first real user registered in the system becomes such de facto administrator. The table of aliases differs from other tables used by postfix: names on the left side that are used as search keys are separated from values on the right side by colons. Recipients on the right side are separated by commas. These can be addresses, executable commands (denoted by the “pipe” (|) symbols at the beginning of the right part: the message is sent to the standard input stream of the command), and file names:

      John.Smith: john
      chief: chief@bosscomputer
      trio: stock, hausen, walkman
      robot: | /usr/bin/robot --process-mail
      filebox: /dir/file

The working image of the table is generated with the command postalias /etc/postfix/aliases or newaliases. When sending a message, postfix builds the envelope sender address from the user name and its own domain (or from the value of the myorigin parameter). Even if the mail client put a different address in the From: header, the envelope address is recorded in the message (for example, in the Return-Path header) and may be used by the recipient, which is not always desirable. Rewriting of sender names to global addresses can be prescribed in a canonical table (see canonical(5)):

      sender_canonical_maps = hash:/etc/postfix/sender_canonical

An analogous table, named recipient_canonical and its corresponding parameter, recipient_canonical_maps, may be used to transform destination addresses. For the changes in the table to become effective, use the postmap table_name command.
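The virtual and aliases tables above are consulted in sequence: a recipient address is first mapped through the virtual table (exact address first, then the @domain catch-all), and a result that is local is then expanded through aliases, possibly several levels deep. The following added example, not taken from postfix or the manual, models that resolution for the tables shown, including the rejection of an unknown user in a virtual alias domain and the detection of an alias loop. The tables are constructed from the manual's entries; domain2.org is additionally declared as a virtual alias domain so that its catch-all can be exercised, and the mydestination value is an assumption.

```python
from typing import Dict, List, Set, Tuple

# Constructed tables in virtual(5) and aliases(5) format (entries from the
# manual text; domain2.org declared here so its catch-all can be shown).
VIRTUAL = """\
domain1.org          virtual alias domain (right-hand side is ignored)
domain2.org          virtual alias domain
name1@domain1.org    user1
name2@domain2.org    user2@otherbox
@domain2.org         user3
"""

ALIASES = """\
root: admin
admin: john
trio: stock, hausen, walkman
robot: | /usr/bin/robot --process-mail
filebox: /dir/file
"""

MYDESTINATION = {"localhost", "mail.domain1.org"}   # $mydestination (assumed)


def parse_virtual(text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """A key without '@' declares a virtual alias domain; any other key maps
    an address (or an @domain catch-all) to one or more destinations."""
    domains: Set[str] = set()
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = fields[0].lower()
        if "@" in key:
            table[key] = [v.strip() for v in fields[1].split(",")]
        else:
            domains.add(key)
    return domains, table


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """aliases(5): `name: target, target, ...`; a target starting with '|' is a
    command and one starting with '/' is a file (kept whole, not split on commas)."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        key, rhs = line.split(":", 1)
        rhs = rhs.strip()
        if rhs.startswith(("|", "/")):
            table[key.strip().lower()] = [rhs]
        else:
            table[key.strip().lower()] = [v.strip() for v in rhs.split(",")]
    return table


def is_local(address: str) -> bool:
    return "@" not in address or address.partition("@")[2].lower() in MYDESTINATION


def expand_alias(user: str, aliases: Dict[str, List[str]], seen: Set[str],
                 out: List[Tuple[str, str]]) -> None:
    """Recursive alias expansion with loop detection."""
    user = user.lower()
    if user in seen:
        raise ValueError(f"alias loop at {user}")
    if user not in aliases:
        out.append(("mailbox", user))
        return
    for target in aliases[user]:
        if target.startswith("|"):
            out.append(("command", target[1:].strip()))
        elif target.startswith("/"):
            out.append(("file", target))
        elif is_local(target):
            expand_alias(target.partition("@")[0], aliases, seen | {user}, out)
        else:
            out.append(("remote", target))


def resolve_recipient(address: str, virtual_domains: Set[str],
                      virtual: Dict[str, List[str]],
                      aliases: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Virtual lookup (exact address first, then the @domain catch-all), then
    alias expansion for local results. Unknown users in a virtual alias domain
    are rejected; non-local results go to remote delivery (subject to the
    relay restrictions, which are not modelled here)."""
    address = address.lower()
    domain = address.partition("@")[2]
    mapped = virtual.get(address) or virtual.get("@" + domain)
    if mapped is None:
        if domain in virtual_domains:
            return [("reject", address)]
        mapped = [address]
    out: List[Tuple[str, str]] = []
    for target in mapped:
        if is_local(target):
            expand_alias(target.partition("@")[0], aliases, set(), out)
        else:
            out.append(("remote", target))
    return out


if __name__ == "__main__":
    vdomains, vtable = parse_virtual(VIRTUAL)
    atable = parse_aliases(ALIASES)
    for rcpt in ("name1@domain1.org", "anyone@domain2.org", "unknown@domain1.org",
                 "root@localhost", "robot@localhost"):
        print(rcpt, "->", resolve_recipient(rcpt, vdomains, vtable, atable))
```

Note the security-relevant branches: an alias that points at a command or a file runs or writes with the privileges postfix's local delivery agent uses for such targets, so entries like robot and filebox should only ever be added by the administrator, and the loop check is what prevents a misconfigured pair of aliases from bouncing mail forever.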

Fighting Spam and E-Mail Saboteurs

The methods of fighting spam (mass mailing of unsolicited messages) are a big separate topic, which cannot be fully covered here. The manual only gives some practical advice related to postfix configuration. The default configuration of the server rejects attempts to relay messages from the outside to other remote servers. Spam sent to local recipients is a more complicated problem. Services such as MAPS RBL and similar ones, organized as “black lists” of IP addresses, have made a good showing so far. To use such a service, first read its terms of use and make sure it is still in operation (a list that has been shut down may answer positively for every query, which would reject all incoming mail), then add the domain names of the RBL-style lists to the configuration:

      smtpd_client_restrictions = permit_mynetworks, reject_maps_rbl
      maps_rbl_domains = relays.ordb.org, blackholes.mail-abuse.org

In current postfix versions the reject_maps_rbl restriction and the maps_rbl_domains parameter are deprecated; the equivalent form is reject_rbl_client domain_name, one entry per list, in smtpd_client_restrictions.

In some cases individual work with specific e-mail etiquette transgressors is needed. This work involves blocking SMTP connections from their addresses, networks or domains. To do this, tables such as the following are designed: access (see access(5)):

      smtpd_client_restrictions = permit_mynetworks, hash:/etc/postfix/access

Example of such a table:

      1.2.3.4 550 No more canned meat, please
      1.2.5 REJECT
      goodguy.generallybad.com OK
      .generallybad.com REJECT

As with any other table, after editing, make the punishment effective by issuing the command: postmap /etc/postfix/access.
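How the access table above is applied is easy to get wrong: postfix looks up the client's host name (then its parent domains, written with a leading dot) before the client's address (then shorter and shorter dotted prefixes), and permit_mynetworks, listed first in smtpd_client_restrictions, decides before the table is consulted at all. The following added example, not part of postfix or the manual, models that evaluation for the table shown; the table entries are the manual's, while the mynetworks value and the client names and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed access(5) table with the entries from the manual text, and a
# made-up $mynetworks.
ACCESS = """\
1.2.3.4                   550 No more canned meat, please
1.2.5                     REJECT
goodguy.generallybad.com  OK
.generallybad.com         REJECT
"""

MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]


def parse_access(text: str) -> Dict[str, str]:
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].strip()
    return table


def name_keys(hostname: str) -> List[str]:
    """Keys tried for a client host name: the full name, then each parent
    domain written with a leading dot (the form used in the table above)."""
    labels = hostname.lower().split(".")
    return [hostname.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def addr_keys(ip: str) -> List[str]:
    """Keys tried for a client address: the address, then shorter dotted
    prefixes (1.2.5.77 -> 1.2.5 -> 1.2 -> 1)."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def table_lookup(table: Dict[str, str], client_ip: str,
                 client_name: str) -> Optional[Tuple[str, str]]:
    """smtpd consults the client name (and its parents) before the address."""
    for key in name_keys(client_name) + addr_keys(client_ip):
        if key in table:
            return key, table[key]
    return None


def verdict_for(action: str) -> Tuple[str, str]:
    """Map an access(5) action to smtpd's decision. Only OK, REJECT and an
    explicit 4xx/5xx reply are modelled; anything else is treated as DUNNO
    (no decision, continue with the next restriction)."""
    if action.upper().startswith("OK"):
        return "OK", ""
    if action.upper().startswith("REJECT"):
        # 554 is postfix's default access_map_reject_code
        return "REJECT", action[6:].strip() or "554 Access denied"
    if action[:3].isdigit() and action[0] in "45":
        return "REJECT", action
    return "DUNNO", ""


def check_client(client_ip: str, client_name: str, table: Dict[str, str],
                 mynetworks: List[str]) -> Tuple[str, str, str]:
    """Evaluate `smtpd_client_restrictions = permit_mynetworks, hash:access`
    for one connecting client. The first restriction that decides wins;
    reaching the end of the list permits. Returns (decision, why, reply)."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in ipaddress.IPv4Network(net) for net in mynetworks):
        return "OK", "permit_mynetworks", ""
    hit = table_lookup(table, client_ip, client_name)
    if hit is not None:
        key, action = hit
        decision, reply = verdict_for(action)
        if decision != "DUNNO":
            return decision, key, reply
    return "OK", "end of restriction list", ""


if __name__ == "__main__":
    table = parse_access(ACCESS)
    for ip, name in (("1.2.3.4", "unknown.example.net"), ("1.2.5.77", "x.example.net"),
                     ("1.2.3.4", "goodguy.generallybad.com"), ("5.6.7.8", "mail.generallybad.com"),
                     ("192.168.1.5", "mail.generallybad.com")):
        print(ip, name, "->", check_client(ip, name, table, MYNETWORKS))
```

The last sample client shows the interaction with mynetworks: a host on 192.168.1.0/24 is permitted before the access table is ever consulted, so an over-broad mynetworks silently disables every REJECT entry for clients in that range.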

Other Settings

The default size of the mailbox with local delivery is limited to 51,200,000 bytes. This limitation can be changed using the mailbox_size_limit parameter. To remove the limitation, set the parameter to 0.

Postfix Usage

After you have set up postfix and after it is started as a service with the predictable name postfix, the host name or address (for example, localhost) of your server may be specified in email client settings as SMTP server address. The program fetchmail works in conjunction with postfix, querying external user mailboxes via POP3 or IMAP protocols and forwarding received messages to the system MTA for local delivery. postfix log files may be found in /var/log/mail directory.

Remote Access and Remote Administration

One of the most common tasks encountered while working on a network is remote access to other computers, including remote administration of other computers.

To solve this problem, the SSH (Secure Shell) protocol is used, which has by now already become traditional. In contrast to outdated protocols, such as telnet and rsh/rlogin/rcp, which send data in plain text and can be intercepted or attacked in various ways, SSH establishes a connection to a remote computer that is protected from:

  • interception of data exchanged over this connection;

  • manipulation of data on the way from a client to a server;

  • substitution of either the client or the server by manipulation of IP addresses, DNS or routing (for the server side this holds only if its host key is verified: the key recorded in known_hosts on the first connection should be checked against a value obtained out of band, for example with ssh-keyscan run on a trusted path).

In addition to the excellent capabilities in establishing secure client-server connections, SSH also has the following features:

  • compression of data transferred;

  • tunneling of channels inside an established connection, including connections to an X-server;

  • widespread use: implementations of SSH exist for a wide variety of hardware platforms and operating systems.

OpenSSH is an implementation of SSH, included in the distribution, that supports versions 1.3, 1.5 and 2.0 of the SSH protocol, and is distributed under the terms of the BSD license. This implementation includes:

  1. Client programs ssh, scp and sftp (used to launch programs on remote servers and to copy files over the network).

  2. Server programs sshd, sftp-server (used to grant access over the SSH protocol).

  3. Auxiliary programs (service routines): make-ssh-known-hosts, rescp, ssh-keygen, ssh-add, ssh-agent, ssh-copy-id, ssh-keyscan.



[7] If all these terms are too strange for you, you may read some introductory material in network administration.