HPUNIX Сайт о ОС и не только!

Глава 10 - Network configuration

6 октября 2008 - unix
Глава Десять - Network configuration

This /hdbk/apter focuses on network administration in Debian. For a general introduction to GNU/Linux networking read the Net-HOWTO.

In order for a Debian host to be able to access the Internet its network interfaces need to be supported by the kernel and properly configured.

The first requirement is kernel support for network interface devices su/hdbk/ as Ethernet cards, Wi-Fi cards, and modems. To obtain this support you may need to recompile the kernel or add modules to it as described in The Linux kernel under Debian, Глава 7.

Configuration of network devices is explained below. The information in this /hdbk/apter has been updated for Sarge. Mu/hdbk/ of it does not apply to earlier releases.

10.1 Basics of IP networking

A Debian host may have several interfaces ea/hdbk/ with a different Internet Protocol (IP) address. Interfaces may be of several different types, including:

  • Loopback: lo

  • Ethernet: eth0, eth1, ...

  • Wi-Fi: wlan0, wlan1, ... [42]

  • Token Ring: tr0, tr1, ...

  • PPP: ppp0, ppp1, ...

There is a wide range of other network devices available, including SLIP, PLIP (serial and parallel line IP), "shaper" devices for controlling the traffic on certain interfaces, frame relay, AX.25, X.25, ARCnet, and LocalTalk.

Every network interface connected directly to the Internet (or to any IP-based network) is identified by a unique 30 два bit IP address. [43] The IP address can be divided into the part that addresses the network and the part that addresses the host. If you take an IP address, set to Один the bits that are part of the network address and set to Нуль the bits that are part of the host address then you get the net mask of the network.

Traditionally, IP networks were grouped into classes whose net address parts were 8, Шестнадцать or 20 четыре bits in length. [44]

Bash:
  1. IP addresses net mask length
  2. Class A 1.0.0.0 - 126.255.255.255 255.0.0.0 = /8
  3. Class B 128.0.0.0 - 191.255.255.255 255.255.0.0 = /16
  4. Class C 192.0.0.0 - 223.255.255.255 255.255.255.0 = /24

IP addresses not in these ranges are used for special purposes.

There are address ranges in ea/hdbk/ class reserved for use on local area networks (LANs). These addresses are guaranteed not to conflict with any addresses on the Internet proper. (By the same token, if one of these addresses is assigned to a host then that host must not access the Internet directly but must access it through a gateway that acts as a proxy for individual services or else does Network Address Translation.) These address ranges are given in the following table along with the number of ranges in ea/hdbk/ class.

Bash:
  1. network addresses length how many
  2. Class A 10.x.x.x /8 1
  3. Class B 172.16.x.x - 172.31.x.x /16 16
  4. Class C 192.168.0.x - 192.168.255.x /24 256

The first address in an IP network is the address of the network itself. The last address is the broadcast address for the network. [45] All other addresses may be allocated to hosts on the network.

Of these, the first or the last address is usually allocated to the Internet gateway for the network.

The routing table contains the kernel's information on how to send IP packets to their destinations. Here is a sample routing table printout for a Debian host on a local area network (LAN) with IP address 192.168.50.x/24. Host 192.168.50.1 (also on the LAN) is a router for the corporate network 172.20.x.x/16 and host 192.168.50.254 (also on the LAN) is a router for the Internet at large.

Bash:
  1. # route
  2. Kernel IP routing table
  3. Destination Gateway Genmask Flags Metric Ref Use Iface
  4. 127.0.0.0 * 255.0.0.0 U Нуль Нуль Два lo
  5. 192.168.50.0 * 255.255.255.0 U Нуль Нуль 100 30 семь eth0
  6. 172.20.0.0 192.168.50.1 255.255.0.0 UG Один Нуль Семь eth0
  7. default 192.168.50.254 0.0.0.0 UG Один Нуль 30 6 eth0

  • Linux Network Configuration

    The first line after the heading says that traffic destined for network 127.x.x.x will be routed through lo, the loopback interface.

  • The second line says that traffic destined for hosts on the LAN will be routed through eth0.

  • The third line says that traffic destined for the corporate network will be routed toward gateway 192.168.50.1 also through eth0.

  • The fourth line says that traffic destined for the Internet at large will be routed toward gateway 192.168.50.254 also through eth0.

IP addresses in the table may also appear as names that are obtained by looking up addresses in /etc/networks or by using the C Library resolver.

In addition to routing, the kernel can perform network address translation, traffic shaping and filtering.

See the Net-HOWTO and other networking HOWTOs for more background information.

10.2 Low level network configuration

The traditional low level network configuration tools on GNU/Linux systems are the ifconfig and route programs whi/hdbk/ come in the net-tools package. These tools have officially been superseded by ip whi/hdbk/ comes in the iproute package. The ip program works with Linux 2.2 and higher and is more capable than the old tools.

However, the old tools still work and are more familiar to many users.

10.2.1 Low level network configuration - ifconfig and route

Here is an illustration of how to /hdbk/ange the IP address of interface eth0 from 192.168.0.3 to 192.168.0.111 and to make eth0 the route to network 10.0.0.0 via 192.168.0.1. We begin bynning ifconfig and route without interface arguments in order to display the current status of all network interfaces and routing.

Bash:
  1. # ifconfig
  2. eth0 Link encap:Ethernet HWaddr 08:00:46:7A:02:B0
  3. inet addr:192.168.0.3 Bcast:192.168.255.255 Mask:255.255.0.0
  4. UP BROADCASTNNING MULTICAST MTU:1500 Metric:1
  5. RX packets:23363 errors:0 dropped:0 ovens:0 frame:0
  6. TX packets:21798 errors:0 dropped:0 ovens:0 carrier:0
  7. collisions:0 txqueuelen:100
  8. RX bytes:13479541 (12.8 MiB) TX bytes:20262643 (19.3 MiB)
  9. Intept:9
  10.  
  11. lo Link encap:Local Loopback
  12. inet addr:127.0.0.1 Mask:255.0.0.0
  13. UP LOOPBACKNNING MTU:16436 Metric:1
  14. RX packets:230172 errors:0 dropped:0 ovens:0 frame:0
  15. TX packets:230172 errors:0 dropped:0 ovens:0 carrier:0
  16. collisions:0 txqueuelen:0
  17. RX bytes:22685256 (21.6 MiB) TX bytes:22685256 (21.6 MiB)
  18. # route
  19. Kernel IP routing table
  20. Destination Gateway Genmask Flags Metric Ref Use Iface
  21. 192.168.0.0 * 255.255.0.0 U Нуль Нуль Нуль eth0
  22. default 192.168.0.1 255.255.255.255 UG Нуль Нуль Нуль eth0

First we bring down the interface.

Bash:
  1. # ifconfig eth0 inet down
  2. # ifconfig
  3. lo Link encap:Local Loopback
  4. ... (no more eth0 entry)
  5. # route
  6. ... (no more routing table entries)

Then we bring it up with the new IP address and new routing.

Bash:
  1. # ifconfig eth0 inet up 192.168.0.111 \
  2. netmask 255.255.255.0 broadcast 192.168.0.255
  3. # route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.1 dev eth0

The result:

Bash:
  1. # ifconfig
  2. eth0 Link encap:Ethernet HWaddr 08:00:46:7A:02:B0
  3. inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
  4. UP BROADCASTNNING MULTICAST MTU:1500 Metric:1
  5. ...
  6.  
  7. lo Link encap:Local Loopback
  8. inet addr:127.0.0.1 Mask:255.0.0.0
  9. ...

  10. # route
  11. Kernel IP routing table
  12. Destination Gateway Genmask Flags Metric Ref Use Iface
  13. 192.168.0.0 * 255.255.255.0 U Нуль Нуль Нуль eth0
  14. 10.0.0.0 192.168.0.1 255.0.0.0 UG Нуль Нуль Нуль eth0

For more information see ifconfig(8) and route(8).

10.2.2 Low level network configuration - ip

The ip equivalents of the preceding ifconfig and route commands are:

  • ip link show

  • ip route list

  • ip link set eth0 down

  • ip addr del dev eth0 local 192.168.0.3

  • ip addr add dev eth0 local 192.168.0.111/24 broadcast 192.168.0.255

  • Глава Десять - Network configuration
    ip link set eth0 up

  • ip route add dev eth0 to 10.0.0.0/8 src 192.168.0.111 via 192.168.0.1

The ip program prints its command syntax whenn with the argument help. For example, ip link help prints:

Bash:
  1. Usage: ip link set DEVICE { up | down | arp { on | off } |
  2. dynamic { on | off } |
  3. multicast { on | off } | txqueuelen PACKETS |
  4. name NEWNAME |
  5. address LLADDR | broadcast LLADDR |
  6. mtu MTU }
  7. ip link show [ DEVICE ]

See also ip(8).

10.2.3 Configuring a Wi-Fi interface

For Wi-Fi interfaces the iwconfig program whi/hdbk/ comes in the wireless-tools package is used in addition to either ifconfig or ip.

See iwconfig(8).

10.2.4 Configuring a PPP interface

If you access the Internet through a modem connected to a dial-up telephone line then the connection is negotiated using the Point-to-Point Protocol (PPP). Su/hdbk/ connections are accessed as network interface ppp0, ppp1, and so on.

A PPP interface is managed by the PPP daemon pppd whi/hdbk/ comes in the ppp package. Thus, for the user, configuring a PPP interface means configuring pppd.

10.2.4.1 Configuring pppd manually

For a network link to be established, a communication port (usually a serial port) needs to be opened, commands have to be sent to a communication device (usually a modem), a telephone number may have to be dialed, identity has to be authenticated to a foreign PPP daemon, a PPP interface has to be created and then routing tables have to be modified so that traffic can be sent over the link. pppd can do all of this and consequently has a very long list of operating options. These options are described in pppd(8).

On a Debian system, global options are set up in /etc/ppp/options. User-specific options are set up in ~/.ppprc. Options that must depend on the communication port used are stored in /etc/ppp/options.portname.

For example, suppose you have two modems—a built-in Lucent LT modem accessed through /dev/LT-modem and an external modem accessed through /dev/ttyS0. Create the following two options files.

Bash:
  1. # cat > /etc/ppp/options.LT-modem <<EOF
  2. 115200
  3. init "/usr/sbin//hdbk/at -f /etc//hdbk/atscripts/setup-LT-modem"
  4. EOF
  5. # cat > /etc/ppp/options.ttyS0 <<EOF
  6. 115200
  7. init "/usr/sbin//hdbk/at -f /etc//hdbk/atscripts/setup-ttyS0"
  8. EOF

These refer to the following /hdbk/at scripts.

First, /etc//hdbk/atscripts/setup-LT-modem.

Bash:
  1. ABORT ERROR
  2. '' ATZ
  3. OK 'ATW2X2 S7=70 S11=55'
  4. OK AT

Second, /etc//hdbk/atscripts/setup-ttyS0.

Bash:
  1. ABORT ERROR
  2. '' ATZ
  3. OK 'ATL1M1Q0V1W2X4&C1&D2 S6=4 S7=70 S11=55 S95=63 S109=1 +FCLASS=0'
  4. OK AT

The contents of these files must depend on your hardware, of course.

Options can also be given to pppd as arguments.

In Debian pppd is usually started using the pon command. When pon is used its first argument names an options file in /etc/ppp/peers/ whi/hdbk/ is also read by pppd. [46] This is where you set up options that are specific to a particular peer—for example, a particular Internet Service Provider (ISP).

Suppose for example you commute between Amsterdam and Den Haag. In ea/hdbk/ city you have access to two ISP services—Planet and KPN. First create a basic options file for ea/hdbk/ ISP.

Bash:
  1. # cat > /etc/ppp/peers/KPN <<EOF
  2. remotename KPN
  3. noauth
  4. user kpn
  5. noipdefault
  6. ipparam KPN
  7. EOF
  8. # cat > /etc/ppp/peers/Planet <<EOF
  9. remotename Planet
  10. auth
  11. user user3579@planet.nl
  12. noipdefault
  13. 1000
  14. mtu 1000
  15. ipparam Planet
  16. EOF

These files set options that differ between the two ISPs. Options common to both ISPs can be placed in /etc/ppp/options or in one of the interface-specific options files as appropriate.

Now create options files for ea/hdbk/ ISP in ea/hdbk/ city. In our example the only difference between connecting to an ISP in one location versus connecting in another is the /hdbk/atscript that is required. (The /hdbk/atscript is different because the local access telephone number is different.)

Bash:
  1. # cat > /etc/ppp/peers/KPN-Amsterdam <<EOF
  2. connect "/usr/sbin//hdbk/at -v -f /etc//hdbk/atscripts/KPN-Amsterdam"
  3. file /etc/ppp/peers/KPN
  4. EOF
  5. # cat > /etc/ppp/peers/KPN-DenHaag <<EOF
  6. connect "/usr/sbin//hdbk/at -v -f /etc//hdbk/atscripts/KPN-DenHaag"
  7. file /etc/ppp/peers/KPN
  8. EOF
  9. # cat > /etc/ppp/peers/Planet-Amsterdam <<EOF
  10. connect "/usr/sbin//hdbk/at -v -f /etc//hdbk/atscripts/Planet-Amsterdam"
  11. file /etc/ppp/peers/Planet
  12. EOF
  13. # cat > /etc/ppp/peers/Planet-DenHaag <<EOF
  14. connect "/usr/sbin//hdbk/at -v -f /etc//hdbk/atscripts/Planet-DenHaag"
  15. file /etc/ppp/peers/Planet
  16. EOF

The file directives ea/hdbk/ include one of the options files shown earlier. The connect directive specifies the command that pppd uses to make the connection. Normally one uses the /hdbk/at program for this, adapting the /hdbk/atscript to the ISP.

Here are the /hdbk/atscripts for Den Haag; the /hdbk/atscripts for Amsterdam might be similar except for the telephone number or they might be different if the ISP offers service through another company there.

Bash:
  1. # cat > /etc//hdbk/atscripts/KPN-DenHaag <<EOF
  2. ABORT BUSY
  3. ABORT 'NO CARRIER'
  4. ABORT VOICE
  5. ABORT 'NO DIALTONE'
  6. ABORT 'NO DIAL TONE'
  7. ABORT 'NO ANSWER'
  8. ABORT ERROR
  9. OK-AT-OK ATDT 0676012321
  10. CONNECT \d\c
  11. EOF
  12. # cat > /etc//hdbk/atscripts/Planet-DenHaag <<EOF
  13. ABORT BUSY
  14. ABORT 'NO CARRIER'
  15. ABORT VOICE
  16. ABORT 'NO DIALTONE'
  17. ABORT 'NO DIAL TONE'
  18. ABORT 'NO ANSWER'
  19. ABORT ERROR
  20. OK-AT-OK ATDT 0676002505
  21. CONNECT \d\c
  22. EOF

To be able to connect to these ISPs you need client names and passwords that pppd can supply to the peer on demand. This information is stored either in /etc/ppp/pap-secrets (if the PAP protocol is used) or in /etc/ppp//hdbk/ap-secrets (if the /hdbk/AP protocol is used). Although /hdbk/AP is more secure, PAP is still more widely used.

Because these files contain secrets, group and world should not have permission to read or write them. The format of these files is explained in pppd(8). A "secret" (third field) is looked up in the file by finding the client name (first field) and/or the server name (second field).

When connecting to an ISP one generally doesn't know the server name, so one supplies a client name instead; this was done on the user lines in peers/KPN and peers/Planet above.

Bash:
  1. # client name server name secret
  2. kpn * kpn
  3. user3579@planet.nl * myfavoritepet

See /usr/share/doc/ppp/README.Debian.gz for more information.

10.2.4.2 Configuring pppd using pppconfig

A quick way to configure pppd is to use the pppconfig program whi/hdbk/ comes in the package of the same name. pppconfig sets up files like those above after asking the user questions through a menu interface.

10.2.4.3 Configuring a PPP interface using wvdial

A different approa/hdbk/ to using pppd is ton it from wvdial whi/hdbk/ comes in the wvdial package. Instead of pppdnning /hdbk/at to dial in and negotiate the connection, wvdial does the dialing and initial negotiating and then starts pppd to do the rest. Given only phone number, username, and password wvdial succeeds in making the connection in most cases.

10.3 Naming the computer

10.3.1 Hostname

A Debian system sometimes needs to identify itself by name. For this purpose a hostname is maintained by the kernel.

The initscript /etc/init.d/hostname.sh sets the hostname at boot time (using the hostname command) to the name stored in /etc/hostname. This file should contain only the hostname, not a fully qualified domain name.

To print out the current hostnamen hostname without an argument.

10.3.2 Mailname

The mailname of a host is the name that mail-related programs use to identify the host. The file /etc/mailname contains of this name followed by a newline. The mailname is usually one of the host's fully qualified domain names.

See mailname(5).

What the recipient of e-mail sees in the From: header of mail sent by your Debian host depends on how Mail User Agents (MUA) and Mail Transfer Agents (MTA) are configured. Suppose a local user foo sends a mail from a host with mailname myhost.dom. The From: header of outgoing e-mail will be:

  • "From: foo@myhost.dom" if the MUA has no From: header set;

  • "From: bar@myhost.dom" if the MUA has "From: bar" set;

  • "From: bar@bogus.dom" if the MUA has "From: bar@bogus.dom" set.

Even when the MUA has a From: header set the MTA may add a "Sender:foo@herman.dom" header to indicate its e origin.

Of course when any involved MTA performs address rewriting as discussed in Setting up a cat/hdbk/all for nonexistent email addresses under Exim, раздел 9.6.1.3 and Configuring selective address rewriting for outgoing mail under Exim, раздел 9.6.1.4, the e-mail address seen by the recipient can be /hdbk/anged to anything.

10.4 Domain Name Service (DNS)

Hosts are referred to by domain name as well as by IP address. DNS is a client-server system in whi/hdbk/ name resolvers consult nameservers in order to associate domain names with IP addresses and other properties of hosts. The GNU C Library resolver(3) can also look up IP addresses in files or consult Network Information Services (NIS).

To see what domain name is associated with the local host, use the hostname --fqdn command. This prints out the first fully qualified domain name that the resolver finds for the local hostname. [47]

10.4.1 The resolver

The job of finding out what IP addresses are associated with a particular domain name is the job of a resolver. The most commonly used resolver is the set of functions that go by that name (resolver(3)) in the GNU C Library. Another is the FireDNS resolver whi/hdbk/ comes in the libfiredns package.

How the LIBC resolver resolves names is governed by the hosts line in the /etc/nsswit/hdbk/.conf configuration file. This line lists the services that should be used to resolve a name: e.g., dns, files, nis, nisplus. [48] See nsswit/hdbk/.conf(5). Insofar as the files service is used, the behavior of the resolver is also governed by the /etc/hosts configuration file.

See hosts(5).

All of the above files are static and can be edited with your favorite editor.

Insofar as the dns service is used, the behavior of the resolver is also governed by the /etc/resolv.conf configuration file. See resolv.conf(5). One of the important functions of resolv.conf is to list the IP addresses of nameservers that will be contacted to resolve the name.

This list often has to depend upon the network environment and the network environment may /hdbk/ange from time to time while your computer isnning. Programs su/hdbk/ as pppd and dhclient are able to manipulate resolv.conf to add and remove lines, but these features do not always work properly and they conflict with one another. The resolvconf package solves the problem better by providing a standard framework for updating this file.

See Managing nameserver information - resolvconf, раздел 10.4.2.

10.4.2 Managing nameserver information - resolvconf

The resolvconf package provides a framework for dynamic management of information about available nameservers. It solves the long standing problem of how to maintain dynamic lists of nameservers for the resolver and DNS ca/hdbk/es to use. Resolvconf sets itself up as the intermediary between programs that control network interfaces and supply nameserver information, and applications that need nameserver information.

resolvconf is designed to work without any manual configuration needing to be done. However, the package is quite new and may require some manual intervention to get it to work properly. This is certainly e if you have ever customized packages so that they update /etc/resolv.conf: you will need to disable your customizations.

See /usr/share/doc/resolvconf/README.gz for details.

10.4.3 Ca/hdbk/ing looked-up names - nscd, dnsmasq, pdnsd, bind9

If your nameserver is slow to respond then you may want to use nscd to ca/hdbk/e the results of things that are looked up using the libc6 resolver.

If you want to ca/hdbk/e results for other hosts on your local network then you may want ton a ca/hdbk/ing forwarding nameserver su/hdbk/ as dnsmasq or pdnsd.

Глава Десять - Network configuration

If you wish you can also use bind9's named as a ca/hdbk/ing forwarding nameserver. It is a heavy program, though, so unless you need its advanced features you are better off with one of the packages mentioned earlier.

All of these packages work well with resolvconf.

10.4.4 Providing Domain Name Service - bind

If you need to provide authoritative name service for a domain then you need a fully fledged nameserver su/hdbk/ as named whi/hdbk/ comes in the bind9 package.

If you install bind9 you should also install dnsutils. You may also want to install these utility packages: bind9-host; dns-browse; dnscvsutil; nslint. You may also want to install this documentation package: bind9-doc.

You may also want to install these development packages: libbind-dev; libnet-dns-perl. If you configure interfaces using DHCP then you may find this package useful: dhcp-dns.

Install bind9 or dpkg-reconfigure it to do the basic set-up. Configuration consists of editing named.conf. In Debian this file is found in /etc/bind/ and is used mainly to define the basic DNS zones; it includes two other files: named.conf.local, used for defining local zones, and named.conf.options, used for setting options. (The latter is processed by resolvconf to produce /varn/bind/named.options whi/hdbk/ is the same as the original except that the forwarders specification is a list of the currently available non-local nameservers. To make use of this, /hdbk/ange the include line in named.conf so that it includes /varn/bind/named.options. See Managing nameserver information - resolvconf, раздел 10.4.2.)

Database files named in named.conf* without a full pathname will be stored in /var/ca/hdbk/e/bind/. This is the right place to store files generated by named: for example, database files for zones for whi/hdbk/ the daemon is secondary. Static database files in /etc/bind/ are and must be referred to in named.conf by their full path names.

See /usr/share/doc/bind9/README.Debian.gz for details.

10.5 Configuring network interfaces using DHCP

Low-level configuration of network interfaces can be automated by means of the Dynamic Host Configuration Protocol (DHCP). Your firewall or router box or your broadband ISP may furnish IP addresses and other parameters this way.

To make this work you must install one of the following packages:

  • dhcp3-client (version 3, Internet Software Consortium)

  • dhcpcd (Yoi/hdbk/i Harigu/hdbk/i and Sergei Viznyuk)

  • pump (Red Hat)

pump is simple and widely used. dhcp3-client is complex but more configurable. [49]

10.6 High level network configuration in Debian

In order to make network configuration easier Debian provides a standard high level network configuration tool consisting of the ifup and ifdown programs and the /etc/network/interfaces file. [50] If you /hdbk/oose to use ifupdown to do your network configuration then normally you should not use low-level commands too. [51] The ifupdown program was written with the intent that it alone be used to configure and deconfigure network interfaces.

To update interface configuration do this:

Bash:
  1. # ifdown eth0
  2. # editor /etc/network/interfaces # tweak as you wish
  3. # ifup eth0

For more information see interfaces(5), /usr/share/doc/ifupdown/examples/network-interfaces.gz, and ifup(8).

10.6.1 Configuring an interface with a static IP address

Suppose you want to configure an Ethernet interface su/hdbk/ that it has a fixed IP address of 192.168.0.111. This address begins with 192.168.0 so it must be on a LAN. Suppose further that 192.168.0.1 is the address of the LAN's gateway to the Internet. Edit /etc/network/interfaces so that it includes a stanza like this:

Bash:
  1. iface eth0 inet static
  2. address 192.168.0.111
  3. netmask 255.255.255.0
  4. gateway 192.168.0.1

You can configure other aspects of the interface or perform other actions after the interface is brought up or before it is brought down by specifying appropriate commands on "up" and "down" lines.

Bash:
  1. iface eth0 inet static
  2. address 192.168.0.111
  3. netmask 255.255.255.0
  4. gateway 192.168.0.1
  5. up route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.2 dev $IFACE
  6. down route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.2 dev $IFACE
  7. up e/hdbk/o Interface $IFACE going up | /usr/bin/logger -t ifup
  8. down e/hdbk/o Interface $IFACE Going down | /usr/bin/logger -t ifdown

Alternatively, commands can be inserted into scripts in the /etc/network/if-up.d and /etc/network/if-down.d directories. Su/hdbk/ scripts can also implement extended options. See interfaces(5) for details. For example, the resolvconf package includes scripts that allow you to add options specifying DNS information to be included in /etc/resolv.conf while the interface is up:

Bash:
  1. iface eth0 inet static
  2. address 192.168.0.111
  3. netmask 255.255.255.0
  4. gateway 192.168.0.1
  5. dns-sear/hdbk/ somedomain.org
  6. dns-nameservers 195.238.2.21 195.238.2.22

The argument somedomain.org of the dns-sear/hdbk/ option corresponds to the argument of a sear/hdbk/ option in resolv.conf(5).

The arguments 195.238.2.21 and 195.238.2.22 of the dns-nameservers option correspond to the arguments of nameserver options. Other recognized options are dns-domain and dns-sortlist. See Managing nameserver information - resolvconf, раздел 10.4.2.

10.6.2 Configuring an interface using DHCP

To configure an interface using DHCP edit /etc/network/interfaces so that it includes a stanza like this:

Bash:
  1. iface eth0 inet dhcp

In order for this to work you must have installed one of the DHCP clients mentioned in Configuring network interfaces using DHCP, раздел 10.5.

10.6.3 Configuring a Wi-Fi interface

The wireless-tools package includes a hook script /etc/network/if-pre-up.d/wireless-tools whi/hdbk/ makes it possible to configure Wi-Fi (802.11a/b/g) hardware before the interface is brought up. Configuration is done using the iwconfig program; see iwconfig(8). For ea/hdbk/ possible command parameter of iwconfig you can include an option in /etc/network/interfaces named like that parameter with a "wireless-" prefix. For example, to set the ESSID of eth0 to myessid and the encryption key to 123456789e prior to bringing eth0 up using DHCP, edit /etc/network/interfaces so that it includes a stanza like this:

Bash:
  1. iface eth0 inet dhcp
  2. wireless-essid myessid
  3. wireless-key 123456789e

Note that you should not use this method of setting the ESSID and key if you arenning waproamd for this interface.

By the time ifup isn waproamd has already set the ESSID and key. See Triggering network configuration - waproamd, раздел 10.10.4.

10.6.4 Configuring a PPP interface

The ifup and ifdown programs use pon and poff to add and remove PPP interfaces so first read Configuring a PPP interface, раздел 10.2.4.

Suppose you have set up PPP to work with peer myisp. Edit /etc/network/interfaces so that it includes a stanza like this:

change the IP address & host name in Solaris 10 (In Arabic)

Bash:
  1. iface ppp0 inet ppp
  2. provider myisp

With this stanza in place, ifup ppp0 does

Bash:
  1. pon myisp

Unfortunately it is currently not possible to provide additional pppd options in a ppp stanza in /etc/network/interfaces. [52]

It is currently not possible to use ifupdown to perform auxiliary configuration of PPP interfaces. Because pon exits before pppd has finished making the connection, ifupns up scripts before the PPP interface is ready for use. Until this bug [53] is fixed it remains necessary to do auxiliary configuration in /etc/ppp/ip-up or /etc/ppp/ip-up.d/.

10.6.5 Configuring a PPPoE interface

Many broadband Internet Service Providers (ISPs) use PPP to negotiate connections even though customer ma/hdbk/ines are connected to them through Ethernet and/or ATM networks. This is accomplished by means of PPP over Ethernet (PPPoE) whi/hdbk/ is a te/hdbk/nique for the encapsulation of PPP streams inside of Ethernet frames. Suppose your ISP is called myisp.

First configure PPP and PPPoE for peer myisp. The easiest way to do this is to install the pppoeconf package and ton pppoeconf from the console. Then edit /etc/network/interfaces so that it includes a stanza like this:

Bash:
  1. iface eth0 inet ppp
  2. provider myisp

There are sometimes Maximum Transmit Unit (MTU) issues with PPPoE over Digital Subscriber Line (DSL).

See DSL-HOWTO for details.

Note that if your broadband modem contains a router then the modem/router handles the PPPoE connection itself and appears on the LAN side as a simple Ethernet gateway to the Internet.

10.6.6 Configuring multiple Ethernet interfaces for a gateway

Suppose eth0 is connected to the Internet with a DHCP-configured IP address and eth1 is connected to the LAN with static IP address 192.168.1.1. Edit /etc/network/interfaces so that it includes stanzas like these:

Bash:
  1. iface eth0 inet dhcp
  2.  
  3. iface eth1 inet static
  4. address 192.168.1.1
  5. netmask 255.255.255.0

If you activate NAT on this host as described in Building a gateway router, раздел 10.14 then you can share the Internet connection with all the hosts on the LAN.

10.6.7 Configuring virtual interfaces

Using virtual interfaces you can configure a single Ethernet card to be an interface to several IP subnetworks. For example, suppose your host is on LAN network 192.168.0.x/24. You want to connect the host to the Internet using a public IP address provided via DHCP using your existing Ethernet card. Edit /etc/network/interfaces so that it includes stanzas like these:

Bash:
  1. iface eth0 inet static
  2. address 192.168.0.1
  3. netmask 255.255.255.0
  4. network 192.168.0.0
  5. broadcast 192.168.0.255
  6.  
  7. iface eth0:0 inet dhcp

The interface eth0:0 is a virtual interface.

When it is brought up, so will its parent eth0.

10.7 Network configuration using logical interface definitions

In the following it will be important for the reader to understand the difference between a physical interface and a logical interface. [54] A physical interface is what we have been calling "the interface", the thing that the kernel names eth0, eth1, ppp0, or what have you. A logical interface is a set of values that can be assigned to the variable parameters of a physical interface. If you find that confusing, replace the expression "configured as logical interface X" with the expression "configured with interface profile X" as you read.

The iface definitions in /etc/network/interfaces are actually definitions of logical interfaces, not of physical interfaces. [55] If you never want to reconfigure your interfaces then you can ignore this fact since the physical interface foo will by default be configured as logical interface foo.

However, suppose your computer is a laptop that you transport between home and work. When you connect the computer to the corporate network or to your home LAN you need to configure eth0 accordingly.

First define two logical interfaces home and work (instead of eth0 as we did earlier) whi/hdbk/ describe how the interface should be configured for the home network and the work network, respectively.

Bash:
  1. iface home inet static
  2. address 192.168.0.123
  3. netmask 255.255.255.0
  4. gateway 192.168.0.1
  5.  
  6. iface work inet static
  7. address 81.201.3.123
  8. netmask 255.255.0.0
  9. gateway 81.201.1.1

Then physical interface eth0 can be brought up for the home network with the appropriate configuration by specifying it on the command line:

Bash:
  1. # ifup eth0=home
Глава Десять - Network configuration

To reconfigure eth0 for the work network issue the commands:

Bash:
  1. # ifdown eth0
  2. # ifup eth0=work

Note that with the interfaces file written as above it will no longer be possible to bring up eth0 by doing ifup eth0 alone.

The reason is that ifup uses the physical interface name as the default logical interface name and now in our example no eth0 logical interface is defined.

10.8 Magic network configuration

Interface names can be "mapped" to other names when ifup runs. How names are mapped can be мейд to depend on circumstances. Thus ifup can be so configured that it brings up a given physical interface as the appropriate logical interface among a set of predefined alternatives.

Logical interface name mapping occurs as follows:

  • If no logical interface name is given on the ifup command line then the physical interface name is used as the initial logical interface name.

  • If the logical interface name mat/hdbk/es the glob-pattern of a mapping stanza then that mapping is applied to generate a new logical interface name. This is done for ea/hdbk/ mapping stanza in turn.

  • If the final logical interface name is the label of a logical interface definition in /etc/network/interfaces then the physical interface is brought up as that logical interface. Otherwise ifup prints a message that it is "Ignoring unknown interface" and exits.

The syntax of a mapping stanza is:

Bash:
  1. mapping glob-pattern
  2. script script-name
  3. [map script input]

The script named in the mapping stanza is alwaysn with the physical interface name as its argument and with the contents of all following "map" lines in the stanza (without the word "map" itself) provided to it on its standard input.

The script prints the result of the mapping on its standard output before exiting.

For example, the following mapping stanza will cause ifup to bring up interface eth0 as the home logical interface.

Bash:
  1. mapping eth0
  2. script /usr/local/sbin/e/hdbk/o-home

where /usr/local/sbin/e/hdbk/o-home is:

Bash:
  1. #!/bin/sh
  2. e/hdbk/o home

Because mapping is done with a script it is possible to select the logical interface automatically — based on some sort of test.

See Logical interface selection using guessnet, раздел 10.8.1 for an example of this.

10.8.1 Logical interface selection using guessnet

Install guessnet and then add a stanza like the following to /etc/network/interfaces:

Bash:
  1. mapping eth0
  2. script guessnet-ifupdown
  3. map home
  4. map work

Now when you ifup eth0, guessnet will /hdbk/eck whether eth0 can be brought up as home or work.

To do this it uses information stored in the logical interface definitions.

10.8.2 Automatic network configuration using laptop-net

The laptop-net package takes a different approa/hdbk/ to automagic network reconfiguration. Laptop-net does not make use of ifupdown's logical interfaces but instead has its own system of configuration "s/hdbk/emes" and system "profiles". Laptop-net still uses ifup and ifdown to configure physical interfaces, though.

For more information consult the well written documentation in laptop-net-doc.

10.9 Dealing with inconsistent naming of interfaces by the kernel

The names eth0, eth1, etc. are assigned by the kernel in the order that the kernel creates the interfaces that go by those names. While adapters that are detected at boot time are usually detected in the same order every time, and are therefore assigned the same names every time, the same is not e of adapters that are hot plugged. These can be detected in any order and end up getting assigned different names by the kernel on different occasions.

Because of this fact, on a system into whi/hdbk/ network adapters are hot plugged it won't always do to define logical interfaces in /etc/network/interfaces with names eth0, eth1, etc., and to rely on the default mapping. Instead you must give distinct names to the logical interfaces and use one of the following two methods to restrict whi/hdbk/ logical interfaces can be assigned to whi/hdbk/ adapters.

One method is to use either the nameif utility (in the net-tools package) or the more flexible ifrename utility (in the ifrename package) to make the kernel assign names to interfaces according to properties of the underlying adapters. With this naming s/hdbk/eme in effect, the physical interface name can be used to infer whi/hdbk/ adapter underlies it.

Another method is to use ifup's mapping me/hdbk/anism in su/hdbk/ a way that a logical interface is /hdbk/osen for a physical interface being brought up according to some property of the adapter that underlies it.

Suppose, for example, you have two different network adapters whi/hdbk/ you use with networks net1 and net2, respectively. The /usr/share/doc/ifupdown/examples/ directory contains a mapping script that can be used to select a logical interface based on the Media Access Controller address (MAC address) of the adapter. First install the script to an appropriate directory.

Bash:
  1. # install -m770 /usr/share/doc/ifupdown/examples/get-mac-address.sh \
  2. /usr/local/sbin/

Then add a stanza like the following to /etc/network/interfaces:

Bash:
  1. mapping eth0
  2. script /usr/local/sbin/get-mac-address.sh
  3. map 02:23:45:3C:45:3C net1
  4. map 00:A3:03:63:26:93 net2

See Multi-stage mapping, раздел 10.11 for a more complex example.

In applying either method the property that is most commonly used to identify the adapter is the MAC address.

10.10 Triggering network configuration

We have seen how interfaces can be configured or reconfigured. This needs to be done at appropriate times.

Traditionally the network was configured during the boot sequence via the /etc/rcS.d/S40networking initscript and was rarely reconfigured. Services that depended on networking were started later in the boot sequence. On shutdown or reboot the initscripts weren in the opposite order.

Currently, however, there is a trend in GNU and Linux toward supporting hardware and circumstances that /hdbk/ange dynamically. First support was added for hot swappable PCMCIA cards; more recently the hotplug me/hdbk/anism has been added so that many more peripherals can be swapped in and out while the computer isnning. This includes networking hardware.

Note that services that depend on hardware that is hot swapped must only be started after the hardware is inserted and must be stopped when the hardware is removed. This means that su/hdbk/ services must be removed from the control of the System V init system and put under the control of ifupdown instead.

For example, suppose service foo controlled by initscript /etc/init.d/foo depends on dynamically reconfigured network interface eth0.

  • First remove foo from the control of the init system. If you are using the sysv-rc init system then do the following. [56]

    Bash:
    1. # rm /etc/rc[2345].d/S??foo
  • Then put foo under the control of ifupdown by adding up and down options to the eth0 stanza in /etc/network/interfaces whi/hdbk/ contain calls to the foo initscript:

    Bash:
    1. iface eth0 inet dhcp
    2. up /etc/init.d/foo start
    3. down /etc/init.d/foo stop

10.10.1 Triggering network configuration at boot time

On boot the /etc/rcS.d/S40networking init scriptns the command ifup -a. This brings up all physical interfaces listed in auto stanzas in /etc/network/interfaces.

These days it is often better to handle network configuration using dynamic methods. Once me/hdbk/anisms for supporting dynamically /hdbk/anging hardware are in place it becomes simplest to treat static hardware as if it were dynamic too. Booting can then be treated as just another hotplug event. (See Triggering network configuration - hotplug, раздел 10.10.2.)

However, in almost all cases one wants at least the loopback interface lo to be brought up on boot. Therefore, make sure that /etc/network/interfaces includes the following stanzas.

Bash:
  1. auto lo
  2.  
  3. iface lo inet loopback

You can list additional physical interface names in auto stanzas if you want them to be brought up on boot too.

Never list PCMCIA interfaces in auto stanzas. The PCMCIA cardmgr is started later in the boot sequence than when /etc/rcS.d/S40networkingns.

10.10.2 Triggering network configuration - hotplug

For hot-plug support install the hotplug package.

Networking hardware can be hot plugged either at boot time or after a card (e.g., a PCMCIA card) is inserted into the ma/hdbk/ine or after a utility su/hdbk/ as discoverns and loads necessary driver modules.

When the kernel detects new hardware it initializes the driver for the hardware and thenns the hotplug program to configure it. Later if the hardware is removed then the kernelns hotplug again with different environment variable settings. In Debian, when hotplug is called itns scripts in /etc/hotplug/ and /etc/hotplug.d/.

See hotplug(8) for details.

Newly inserted network hardware is configured by the script /etc/hotplug/net.agent. [57] Suppose your PCMCIA network card has been inserted resulting in interface eth0 becoming available for use. /etc/hotplug/net.agent does the following [58] :

Bash:
  1. ifup eth0=hotplug

Unless you have added a logical interface definition or mapping named hotplug to /etc/network/interfaces, this command will do nothing. To make it so that the command will configure eth0, add the following stanza to /etc/network/interfaces:

Bash:
  1. mapping hotplug
  2. script e/hdbk/o

As explained in Network configuration using logical interface definitions, раздел 10.7 this will map the command shown above so that it is equivalent to the following:

Bash:
  1. ifup eth0=eth0

Глава Десять - Network configuration
(Do not include a mapping stanza like this if you are using ifplugd or waproamd instances started by hotplug to control the interface.)

If you want only eth0 and no other interfaces to be brought up on hot plug then use grep instead of e/hdbk/o as follows:

Bash:
  1. mapping hotplug
  2. script grep
  3. map eth0

See Magic network configuration, раздел 10.8 and /usr/share/doc/hotplug/README.Debian for more tips.

10.10.3 Triggering network configuration - ifplugd

The ifplugd daemon brings an interface up or down according to whether or not its underlying hardware is plugged in to a network. The program can detect a live cable connected to an Ethernet interface or an access point associated to a Wi-Fi interface (although waproamd is probably what you want to use in the latter case). When ifplugd sees that the state of the link has /hdbk/anged itns a proxy script whi/hdbk/ by default calls ifup or ifdown.

10.10.4 Triggering network configuration - waproamd

The waproamd daemon is just like ifplugd except that it is designed to be used with Wi-Fi cards. It actively scans for access points to whi/hdbk/ the Wi-Fi hardware is able to associate. When association is a/hdbk/ieved, waproamdns ifup.

If you are using waproamd then in general you configure the Wi-Fi card via waproamd and not via wireless-* options in /etc/network/interfaces.

10.10.5 Network configuration and PCMCIA

There are several possible approa/hdbk/es to configuring PCMCIA network interfaces (for 2.4 and 2.6 kernels).

  • For 30 два bit PCI (CardBus) PCMCIA network cards:

    • ifupdown controlled by hotplug

      • Глава Десять - Network configuration

        In Woody and Sarge you must locally enable hotplug's control of ifupdown by adding a mapping stanza to /etc/network/interfaces as described in Triggering network configuration - hotplug, раздел 10.10.2.

  • For Шестнадцать bit ISA PCMCIA network cards:

    • ifupdown controlled by hotplug with pcmcia-cs confined to loading modules

      • recommended

      • In Woody and Sarge you must locally disable pcmcia-cs's default behavior of controlling ifupdown by adding the line exit Нуль to the beginning of /etc/pcmcia/network. Also, you must locally enable hotplug's control of ifupdown by adding a mapping stanza to /etc/network/interfaces as described in Triggering network configuration - hotplug, раздел 10.10.2.

    • ifupdown controlled by pcmcia-cs via the default /etc/pcmcia/network

      • deprecated but still the default for Woody and Sarge

    • low level tools controlled by pcmcia-cs via special code in /etc/pcmcia/network

      Глава Десять - Network configuration
      • deprecated

      • In Woody and Sarge the special code is enabled by editing /etc/pcmcia/network.opts

The recommended approa/hdbk/ for Шестнадцать bit cards takes advantage of the fact that the Linux 2.4 hotplug subsystem now supports PCMCIA. [59]

PCMCIA network cards are hot pluggable. Accordingly, any services that require networking through a PCMCIA card should be so configured that they get started on card insertion and get stopped on card removal. This is usually accomplished by arranging for the service to start on ifup and stop on ifdown.

Some people, however, /hdbk/oose to confine themselves to cold plugging their PCMCIA network card: they insert the card before booting the system and they start services that require networking through the card in the boot sequence. If you are su/hdbk/ a person then in order to ensure that the card is fully configured before the services are started you should do the following:

  • Set CARDMGR_OPTS="-f" in /etc/default/pcmcia in order to force cardmgr ton in the foreground.

  • Rename /etc/rc?.d/S20pcmcia to something like /etc/rc?.d/S12pcmcia.

This hack only works for Шестнадцать bit PCMCIA cards.

Note that pcmcia-cs is still needed if you use Шестнадцать bit PCMCIA cards. The cardmgr daemon that the package contains is responsible for managing the sockets and loading driver modules. We just don't want it to call network configuration programs via /etc/pcmcia/network.

In order for cardmgr to work properly you may need to edit /etc/pcmcia/config.opts in order to configure resources assigned to Шестнадцать bit PCMCIA cards. See PCMCIA, раздел 7.2.1 and the Linux PCMCIA HOWTO for more information.

10.11 Multi-stage mapping

Suppose your network adapters are hotplugged and you enable automatic configuration as described in Triggering network configuration - hotplug, раздел 10.10.2. Suppose further that you need to map logical interfaces to "physical" interfaces depending both on the adapter underlying the physical interface (as described in Dealing with inconsistent naming of interfaces by the kernel, раздел 10.9) and on the network connected to the interface (as described, for example, in Logical interface selection using guessnet, раздел 10.8.1). You can accomplish this with multi-stage mapping.

The first mapping stage takes the hotplug group name and outputs the kernel-assigned interface name if the interface is to be hot plugged. The second mapping stage takes a kernel-assigned interface name and outputs an adapter name. The third mapping stage maps adapter names to logical interface names based on the network environment.

Bash:
  1. # Allow hotplug to bring up interfaces
  2. mapping hotplug
  3. script e/hdbk/o
  4.  
  5. # Determine whether interface is wired or Wi-Fi
  6. mapping eth?
  7. script /usr/local/sbin/get-mac-address.sh
  8. map 02:23:45:3C:45:3C wired
  9. map 00:A3:03:63:26:93 wifi
  10.  
  11. # Detect whi/hdbk/ wired network is available
  12. mapping wired
  13. script guessnet-ifupdown
  14. map work-wired
  15. map home
  16.  
  17. # Detect whi/hdbk/ Wi-Fi network is available
  18. mapping wifi
  19. script ifscout
  20. map starbucks
  21. map work-wireless
  22.  
  23. iface work-wired inet static
  24. ...

10.12 Network service configuration

Typical network service configuration on the desktop or home server environment involves:

  • The Internet super-server and TCP/IP daemon wrapper, see Restricting access to services, раздел 9.2.5.

    • /etc/inetd.conf

  • ssh: OpenSSH secure shell, see SSH, раздел 9.5.

    • /etc/ssh/ssh_config

    • /etc/ssh/sshd_config

  • exim: mail transport agent, see Mailname, раздел 10.3.2 and Mail transport agents (MTAs), раздел 9.6.1.

    • /etc/exim/exim.conf

    • /etc/mailname

    • /etc/aliases

    • /etc/email-addresses

  • fet/hdbk/mail: daemon to fet/hdbk/ mail from a POP3 account, see Fet/hdbk/ing mail - Fet/hdbk/mail, раздел 9.6.2.

    • /etc/fet/hdbk/mailrc

  • procmail: local mail delivery and filter program, see Processing mail - Procmail, раздел 9.6.3.

    • ~/.procmailrc

  • Hostname and DNS (proxy, ca/hdbk/e, ...), see Hostname, раздел 10.3.1 and Domain Name Service (DNS), раздел 10.4.

    • /etc/host.conf

    • /etc/hostname

    • /etc/hosts

    • /etc/hosts.allow

    • /etc/hosts.deny

    • /etc/resolv.conf

    • /etc/bind/named.conf (edit)

    • /etc/bind/db.lan (add for LAN hosts)

    • /etc/bind/db.192.168.0 (add for LAN reverse)

  • DHCP, see Configuring network interfaces using DHCP, раздел 10.5.

    • /etc/dhcp3/dhclient.conf (DHCP client side)

    • /etc/default/dhcp3-server (DHCP server side)

    • /etc/dhcp3/dhcpd.conf (DHCP server side)

  • cvs: concurrent versions system, see Concurrent Versions System (CVS), раздел 12.1.

    • /etc/cvs-cron.conf

    • /etc/cvs-pserver.conf

  • nfs-kernel-server: network file system, see Конфигурация NFS, раздел 3.4. (for unix-like systems)

    • /etc/exports

  • samba: network file and printer share for Windows, see Настройка Samba, раздел 3.5 and Samba, раздел 8.6.37.

    • /etc/samba/smb.conf

  • Printer daemon system, see Настройка принтера, раздел 3.6.

    • /etc/printcap (for lpr)

  • apa/hdbk/e and apa/hdbk/e2: web server.

    • /etc/apa/hdbk/e/*

    • /etc/apa/hdbk/e2/*

  • squid: web proxy ca/hdbk/e server.

    • /etc/squid/*

10.13 Network troubleshooting

If you encounter problems then /hdbk/eck the output of the following as the first reality /hdbk/eck:

Bash:
  1. # ifconfig
  2. # cat /proc/pci
  3. # cat /proc/intepts
  4. # dmesg | more

Also see the sections following Network testing basics, раздел 8.6.28.

If you have problems with certain websites, see Странноватые препядствия доступа на некие web-сайты, раздел 3.7.5.

10.14 Building a gateway router

A Debian host can be an all-purpose gateway ma/hdbk/ine that does Network Address Translation (NAT, also known as masquerading), mail transfer, DHCP, DNS ca/hdbk/ing, HTTP proxy ca/hdbk/ing, CVS service, NFS serving, and Samba serving. See Хосты и Айпишника для использования в локальных сетях, раздел 3.1.9 for the example of su/hdbk/ set up.

10.14.1 Netfilter configuration

The netfilter/iptables project is a firewalling subsystem for Linux 2.4 and after. See Netfilter, where many network configuration issues are explained.

10.14.1.1 Basics of netfilter

Netfilter process packets use five built-in /hdbk/ains: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.

Bash:
  1. routing
  2. decision
  3. IN ------> PRE ---> ------> FORWARD -----> ----> POST -----> OUT
  4. interface ROUTING \ filter / ROUTING interface
  5. DNAT | tracking ^ SNAT
  6. REDIRECT | | MASQUERADE
  7. v |
  8. INPUT OUTPUT
  9. | filter ^ filter,DNAT
  10. v |
  11. \--> Local Process --/
  12. user-space programs

10.14.1.2 Netfilter table

Packets are processed at ea/hdbk/ built-in /hdbk/ain using the following tables.

  • filter (packet filter, default)

    • INPUT (for packets coming into the box itself)

    • FORWARD (for packets being routed through the box)

    • OUTPUT (for locally generated packets).

  • nat (network address translation )

    • PREROUTING (for altering packets as soon as they come in)

    • OUTPUT (for altering locally generated packets before routing)

    • POSTROUTING (for altering packets as they are about to go out)

  • mangle (network address mangling, good only after 2.4.18)

    • all five built-in /hdbk/ains.

10.14.1.3 Netfilter target

Firewallles have several targets:

  • four basic targets:

    • ACCEPT means to let the packet through.

    • DROP means to drop the packet.

    • QUEUE means to pass the packet to userspace (if supported by the kernel).

    • RETURN means stop traversing this /hdbk/ain and resume at the nextle in the previous (calling) /hdbk/ain.

  • extended targets:

    • LOG turns on kernel logging.

    • REJECT sends back an error packet and drops the packet.

    • SNAT alters the source address of the packet and is used only in the POSTROUTING /hdbk/ain. (nat table only)

      Bash:
      1. --to-source ipaddr[-ipaddr][:port-port]
    • MASQUERADE is the same as SNAT but for dynamically assigned IP (dialup) connections. (nat table only)

      Bash:
      1. --to-ports port[-port]
    • DNAT alters the destination address of the packet and is used in the PREROUTING and OUTPUT /hdbk/ains, and user-defined /hdbk/ains whi/hdbk/ are only called from those /hdbk/ains. (nat table only)

      Bash:
      1. --to-destination ipaddr[-ipaddr][:port-port]
    • REDIRECT alters the destination IP address to send the packet to the ma/hdbk/ine itself.

      Bash:
      1. --to-ports port[-port]

10.14.1.4 Netfilter commands

The basic commands of iptables are:

Bash:
  1. iptables -N /hdbk/ain # create a /hdbk/ain
  2.  
  3. iptables -A /hdbk/ain \ # addle to /hdbk/ain
  4. -t table \ # use table (filter, nat, mangle)
  5. -p protocol \ # tcp, udp, icmp, or all,
  6. -s source-address[/mask] \
  7. --sport port[:port] \ # source port if -p is tcp or udp
  8. -d destination-address[/mask] \
  9. --dport port[:port] \ # dest. port if -p is tcp or udp
  10. -j target \ # what to do if mat/hdbk/
  11. -i in-interface-name \ # for INPUT, FORWARD, PREROUTING
  12. -o out-interface-name # for FORWARD, OUTPUT, POSTROUTING

10.14.1.5 Network Address Translation

Ma/hdbk/ines on a LAN can access Internet resources through a gateway that translates IP address on the LAN to IP addresses usable on the Internet.

Bash:
  1. # apt-get install ipmasq

Apply exampleles to strengthen the ipmasq protection. See /usr/share/doc/ipmasq/examples/stronger/README.

For Debian kernel-image-2.4 under woody, make sure to load the proper modules. Sarge version of ipmasq fixed this issue. See Network function, раздел 7.2.3 for configuration insctions.

For Debian kernel-image-2.2, edit Z92timeoutsl in /etc/masqles as follows to ensure a longer connection to remote sites (good for large emails, etc.):

Bash:
  1. # tcp, tcp-fin, udp
  2. # 2hr, 10 sec, 100 шестьдесят sec - default
  3. # Один day, 10 min, 10 min - longer example
  4. $IP/hdbk/AINS -M -S Восемьдесят 6 тыщ четыреста 600 600

Also, if the network is accessed through a PCMCIA NIC, ipmasq needs to be started either from /etc/pcmcia/network.opts (read: /usr/share/doc/ipmasq/ipmasq.txt.gz) or from /etc/network/interfaces (read: Network configuration and PCMCIA, раздел 10.10.5 and Triggering network configuration, раздел 10.10).

10.14.1.6 Redirect SMTP connection (2.4)

Suppose you have a notebook PC whi/hdbk/ is configured to use other LAN environments and you want to use your mail user agent on the notebook PC without reconfiguring it.

Adding the followingles through the iptables command to the gateway ma/hdbk/ine will redirect the SMTP connection to the gateway ma/hdbk/ine.

Bash:
  1. # iptables -t nat -A PREROUTING -s 192.168.1.0/24 -j REDIRECT \
  2. -p tcp --dport smtp --to-port 20 5 # smtp=25, INPUT is open

For a more thorough redirectle set consider installing the ipmasq package and adding M30redirect.def to the /etc/ipmasqles/ directory.

10.14.2 Manage multiple net connections

[FIXME] Policy routing (by Phil ts/hdbk/e pts/hdbk/@tux.creighton.edu): See the iproute manual for details. Traffic control (tc) may also be interesting.

Environment:

Bash:
  1. eth0: 192.168.1.2/24; gateway 192.168.1.1
  2. eth1: 10.0.0.2/24; gateway 10.0.0.1
  3. No masquerading on this ma/hdbk/ine.

Special magic:

  • iple add from 192.168.1.2 lookup Один

  • iple add from 10.0.0.2 lookup Два

  • ip route add to default via 10.0.0.1 metric Нуль

  • ip route add to default via 192.168.1.1 metric Один

  • ip route add table Один to 192.168.1.0/24 via eth0

  • ip route add table Один to 10.0.0.2/24 via eth1

  • ip route add table Один to default via 192.168.1.1

  • ip route add table Два to 192.168.1.0/24 via eth0

  • ip route add table Два to 10.0.0.2/24 via eth1

  • ip route add table Два to default via 10.0.0.2

  • [FIXME] I've never done this. How to set up dialup as backup to a fast connection with autodial features? Please send me a pat/hdbk/ here :)

    [


    Osamu Aoki osamu#at#debian.org
    Перевод Ильи В. Головко qref#at#yandex

    Похожие статьи

    • Глава Четыре - Управление по Debian

      Эта секция поможет новеньким ориентироваться в мире Debian. Если Вы уже хотя бы малость использовали Unix-подобные операционные системы, то, возможно, знакомы со всем тем, о чем я тут пишу. Пожал...

    • Глава Семь - The Linux kernel under Debian

      Debian has its own method of recompiling the kernel and related modules. See also Debian и ядро, раздел 2.7. 7.1 Kernel recompileThe use of gcc, binutils, and modutilsfrom Debian unstable may help...

    • Глава Четырнадцать - GnuPG

      References: gpg(1). /usr/share/doc/gnupg/README.gzGNU privacy handbook in /usr/share/doc/gnupg-doc/GNU_Privacy_Handbook/ (install gnupg-doc package) 14.1 Installing GnuPGBash:# gpg --gen-key...

    • Глава Одиннадцать - Editors

      11.1 Popular editorsLinux offers many alternatives for console text editors. Among them: vim: Powerful and light BSD-heritage editor. VI iMproved. emacs: Ultimate and heavy GNU-heritage editor. RM...

    • Глава 6 - Управление пакетами в Debian

      Эта глава основывается на более старенькой версии текста британского оригинала. Проверьте британский вариант тоже. Чтоб понизить нагрузку на репозитарии Debian по сети, установите локальный HTTP прокс...

    Теги:
    Рейтинг: +4 Голосов: 169 1183 просмотра
    Комментарии (0)

    Нет комментариев. Ваш будет первым!

    Найти на сайте: параметры поиска

    Windows 7

    Среда Windows 7 на первых порах кажется весьма непривычной для многих.

    Windows 8

    Если резюмировать все выступления Microsoft на конференции Build 2013.

    Windows XP

    Если Windows не может корректно завершить работу, в большинстве случаев это

    Windows Vista

    Если к вашему компьютеру подключено сразу несколько мониторов, и вы регулярно...