Changing Your IP Address

If you wanted, you could give this eth0 interface an IP address using the ifconfig command.

    [root@bigboy tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up

The "up" at the end of the command activates the interface. The setting lasts only until the next reboot; to make it permanent, add the command to your /etc/rc.local file, which is run at the end of every boot.
How to View Your Current Routing Table

    [root@bigboy tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    255.255.255.255 0.0.0.0         255.255.255.255 UH       40 0          0 wlan0
    192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 wlan0
    127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
    0.0.0.0         192.168.1.1     0.0.0.0         UG       40 0          0 wlan0

In the Flags column, U means the route is up, G means traffic is sent via the Gateway address rather than delivered directly, and H means the destination is a single host. The 0.0.0.0 entry with flags UG is the default gateway.
How to Configure Two Gateways

Some networks have more than one router/firewall providing connectivity. Here's a typical scenario:
- You have one router providing access to the Internet that you'd like to have as your default gateway (see the default gateway example earlier).
- You also have another router providing access to your corporate network, which uses addresses in the range 10.0.0.0 to 10.255.255.255. Let's assume that this router has an IP address of 192.168.1.254.
There are a number of ways to add this new route.
Adding Temporary Static Routes

The route add command can be used to add new routes to your server that last until the next reboot. It has the advantage of being universal to all versions of Linux and is well documented in the man pages. In our example the reference to the 10.0.0.0 network has to be preceded by the -net switch, and the subnet mask and gateway values have to be preceded by the netmask and gw switches respectively.

    [root@bigboy tmp]# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

The gateway must be directly reachable on the named interface; 192.168.1.254 works here because wlan0 already has a connected route to 192.168.1.0/24. If it is not reachable, the command fails with "SIOCADDRT: Network is unreachable", and if the route already exists it fails with "SIOCADDRT: File exists".

If you wanted to add a route to an individual server, then the -host switch would be used with no netmask value (the route command automatically knows the mask should be 255.255.255.255). Here is an example for a route to host 10.0.0.1:

    [root@bigboy tmp]# route add -host 10.0.0.1 gw 192.168.1.254 wlan0

A universal way of making this change persistent after a reboot would be to place this route add command in the file /etc/rc.d/rc.local, which is always run at the end of the booting process.
Adding Permanent Static Routes

In Fedora Linux, permanent static routes are added on a per interface basis in files located in the /etc/sysconfig/network-scripts directory. The filename format is route-interface-name, so the filename for interface wlan0 is route-wlan0.

The format of the file is quite intuitive, with the target network coming in the first column followed by the word via and then the gateway's IP address. In our routing example, to set up a route to network 10.0.0.0 with a subnet mask of 255.0.0.0 (a mask with the first 8 bits set to 1) via the 192.168.1.254 gateway, we would configure the file /etc/sysconfig/network-scripts/route-wlan0 to look like this:

    #
    # File /etc/sysconfig/network-scripts/route-wlan0
    #
    10.0.0.0/8 via 192.168.1.254

Note: The /etc/sysconfig/network-scripts/route-* filename is very important. Adding the wrong interface extension at the end will result in the routes not being added after the next reboot. There will also be no reported errors on the screen or in the log files.
You can test the new file by running the /etc/sysconfig/network-scripts/ifup-routes command with the interface name as the sole argument. In the next example we check the routing table to see that there is no route to the 10.0.0.0 network, and then execute the ifup-routes command, which adds the route:

    [root@bigboy tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
    [root@bigboy tmp]# ./ifup-routes wlan0
    [root@bigboy tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
    10.0.0.0        192.168.1.254   255.0.0.0       UG        0 0          0 wlan0
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
    [root@bigboy tmp]#

Note: In Debian based systems, permanent static routes are configured using the /etc/network/interfaces file. See the section "Debian / Ubuntu Network Configuration" later in this chapter for more details.
How to Delete a Route

Here's how to delete the route added in the previous section:

    [root@bigboy tmp]# route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

The file /etc/sysconfig/network-scripts/route-wlan0 will also have to be updated so that the route is not reinserted when you reboot the server. Delete the line that reads:

    10.0.0.0/8 via 192.168.1.254
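As an added example (not from the original page) covering both the temporary route add section and the route deletion above, here is a small shell script that does the checks you would otherwise do by eye against netstat -nr before touching the table: it parses the output of route -n (the column layout shown in this section), refuses to add a route whose gateway is not on a directly connected network of the named interface, and skips the add when the route is already present, so it can be re-run safely from rc.local. The function names are assumptions; only ensure_net_route touches the live system.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for "route add".
# route_present and gateway_onlink take the text of "route -n" / "netstat -nr"
# as an argument so they can be exercised on a captured table; ensure_net_route
# calls the live "route -n" and "route add" (root required). Assumes awk and the
# Linux routing-table column layout (Destination Gateway Genmask Flags ... Iface).

# route_present TABLE DEST GENMASK: exit 0 if a line with exactly that
# destination and mask is in the table, i.e. the route is already installed.
route_present() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" '
        $1 == d && $3 == m { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# gateway_onlink TABLE GW IFACE: exit 0 if GW lies inside a directly connected
# network on IFACE (flags contain U but not G). When this is false the kernel
# rejects "route add ... gw GW IFACE" with "SIOCADDRT: Network is unreachable".
gateway_onlink() {
    printf '%s\n' "$1" | awk -v gw="$2" -v ifc="$3" '
        function toint(a,  p) {
            split(a, p, ".")
            return p[1] * 16777216 + p[2] * 65536 + p[3] * 256 + p[4]
        }
        $1 ~ /^[0-9]+\./ && $NF == ifc && $4 ~ /U/ && $4 !~ /G/ {
            # Destination is already masked, so the connected range is
            # [net, net + (2^32 - 1 - mask)]; no bitwise operators needed.
            net = toint($1)
            top = net + (4294967295 - toint($3))
            g = toint(gw)
            if (g >= net && g <= top) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# ensure_net_route NET MASK GW IFACE: idempotent form of the route add command
# from the text; refuses to add a route through an unreachable gateway.
ensure_net_route() {
    table=$(route -n) || return 1
    if route_present "$table" "$1" "$2"; then
        echo "route to $1/$2 already present"
        return 0
    fi
    if ! gateway_onlink "$table" "$3" "$4"; then
        echo "refusing: gateway $3 is not on a connected network of $4" >&2
        return 1
    fi
    route add -net "$1" netmask "$2" gw "$3" "$4"
}

# Typical use, as root:
#   ensure_net_route 10.0.0.0 255.0.0.0 192.168.1.254 wlan0
```

Because the parsing is split out from the system calls, the same checks can be run against a saved copy of a routing table when troubleshooting a server you cannot log in to.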
Changing NIC Speed and Duplex

There is no better Linux investment than the purchase of a fully Linux compatible NIC card. Most Linux vendors have a list of compatible hardware on their Web sites: read this carefully before you start hooking your machine up to the network. If you can't find any of the desired models in your local computer store, then a model in the same family or series should be sufficient. Most cards will work, but only the fully compatible ones will provide you with error-free, consistent throughput.

Linux defaults to automatically negotiating the speed and duplex of its NIC with that of the switch to which it is attached. Configuring a switch port to auto-negotiate the speed and duplex often isn't sufficient, because there are frequently differences in the implementation of the protocol standard.

Typically, NICs with failed negotiation will still work, but this is usually accompanied by many collision type errors being seen on the NIC when using the ifconfig -a command, and only marginal performance. Don't limit your troubleshooting of these types of errors to just failed negotiation; the problem could also be due to a bad NIC card, switch port, or cabling.
Using mii-tool

One of the original Linux tools for setting the speed and duplex of your NIC card was the mii-tool command. It is destined to be deprecated and replaced by the newer ethtool command, but many older NICs support only mii-tool, so you'll need to be aware of it. Issuing the command without any arguments gives a brief status report, as seen in the next example, with unsupported NICs producing an "Operation not supported" message. NICs that are not compatible with mii-tool will often still work, but you have to refer to the manufacturer's guides to set the speed and duplex to anything but auto-negotiate.

    [root@bigboy tmp]# mii-tool
    SIOCGMIIPHY on 'eth0' failed: Operation not supported
    eth1: 100 Mbit, half duplex, link ok
    [root@bigboy tmp]#

By using the verbose mode -v switch you can get much more information. In this case, negotiation was OK, with the NIC selecting 100Mbps, full duplex mode (FD):

    [root@bigboy tmp]# mii-tool -v
    eth1: negotiated 100baseTx-FD, link ok
      product info: vendor 00:10:18, model 33 rev 2
      basic mode:   autonegotiation enabled
      basic status: autonegotiation complete, link ok
      capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
      advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
      link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
    [root@bigboy tmp]#
Setting Your NIC's Speed Parameters with mii-tool

You can force your NIC to a particular speed and duplex by using the -F switch with any of the following options: 100baseTx-FD, 100baseTx-HD, 10baseT-FD, or 10baseT-HD. Remember that you could lose all network connectivity to your server if you force your NIC to a speed/duplex that doesn't match that of your switch, so do this from the console rather than over the network:

    [root@bigboy tmp]# mii-tool -F 100baseTx-FD eth0

Unfortunately there is no way to make this setting permanent across reboots except by placing the command in the /etc/rc.local file, so that it runs at the very end of the booting process, or by creating your own startup script if you need it set earlier. Creating your own startup scripts is covered in Chapter 7, "The Linux Boot Process".
Using ethtool

The ethtool command is slated to replace mii-tool in the near future and tends to be supported by newer NIC cards.

The command provides the status of the interface you give as its argument. Here we see interface eth0 not doing auto-negotiation and set to a speed of 100 Mbps, full duplex. A list of supported modes is also provided at the top of the output.

    [root@bigboy tmp]# ethtool eth0
    Settings for eth0:
            Supported ports: [ TP MII ]
            Supported link modes:   10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
            Supports auto-negotiation: Yes
            Advertised link modes:  10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
            Advertised auto-negotiation: No
            Speed: 100Mb/s
            Duplex: Full
            Port: MII
            PHYAD: 1
            Transceiver: internal
            Auto-negotiation: off
            Supports Wake-on: g
            Wake-on: g
            Current message level: 0x00000007 (7)
            Link detected: yes
    [root@bigboy tmp]#
Setting Your NIC's Speed Parameters with ethtool

Unlike mii-tool, ethtool settings can be permanently set as part of the interface's configuration script with the ETHTOOL_OPTS variable. In the next example, the interface will come up at 100 Mbps, full duplex, with auto-negotiation disabled, on the next reboot:

    #
    # File: /etc/sysconfig/network-scripts/ifcfg-eth0
    #
    DEVICE=eth0
    IPADDR=192.168.1.100
    NETMASK=255.255.255.0
    BOOTPROTO=static
    ONBOOT=yes
    ETHTOOL_OPTS="speed 100 duplex full autoneg off"

You can test the application of these parameters by shutting down the interface and activating it again with the ifdown and ifup commands. If you are logged in over that interface, the ifdown will drop your session, so do this from the console. These settings can also be changed from the command line using the -s switch followed by the interface name and its desired configuration parameters:

    [root@bigboy tmp]# ethtool -s eth1 speed 100 duplex full autoneg off
    [root@bigboy tmp]#

The Linux man pages give more details on other ethtool options, but you can get a quick summary by entering the ethtool command alone:

    [root@bigboy tmp]# ethtool
    ...
    ...
            ethtool -s DEVNAME \
                    [ speed 10|100|1000 ] \
                    [ duplex half|full ] \
                    [ port tp|aui|bnc|mii|fibre ] \
    ...
    ...
    [root@bigboy tmp]#
A Note About Duplex Settings

By default, Linux NICs negotiate their speed and duplex settings with the switch. This is done by exchanging electrical signals called Fast Link Pulses (FLPs). When the speed and duplex are forced to a particular setting, the FLPs are not sent. When a NIC in auto-negotiation mode detects a healthy, viable link but receives no FLPs, it errs on the side of caution and sets its duplex to half-duplex; sometimes it will also set its speed to the lowest configurable value. It is therefore possible to force a switch port to 100 Mbps full duplex but have the auto-negotiating server NIC set itself to 100 Mbps half-duplex, which will result in errors. The same is true in the other direction, when the switch port is set to auto-negotiate and the server NIC is forced to 100 Mbps full duplex. Configure both ends the same way: either both auto-negotiate, or both are forced to the same speed and duplex.
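The symptoms described in this note and in the collision discussion earlier can be checked mechanically. The following shell script is an added example, not from the original page: it reads the text of ethtool and ifconfig for an interface (the output formats shown above), and flags the two tell-tale combinations, a full-duplex link that is counting collisions (the partner is half duplex) and an auto-negotiating NIC that ended up in half duplex (the partner is probably forced). The function names are assumptions; only link_check runs the real commands.

```shell
#!/bin/sh
# Added example, not from the original page: a duplex/negotiation sanity check.
# The parsers take command output as an argument so they can be run on captured
# text; link_check is the live wrapper. Assumes awk, the ethtool output format
# shown above, and an ifconfig that prints a "collisions:N" counter.

# ethtool_field TEXT LABEL: value after "LABEL:" in ethtool output, first match
# only (so "Auto-negotiation" is not confused with "Advertised auto-negotiation").
ethtool_field() {
    printf '%s\n' "$1" | awk -F': *' -v l="$2" '
        { key = $1; sub(/^[[:space:]]+/, "", key) }
        key == l { print $2; exit }'
}

# collisions_from_ifconfig TEXT: the collisions counter, 0 if absent.
collisions_from_ifconfig() {
    printf '%s\n' "$1" | awk '
        match($0, /collisions:[0-9]+/) { c = substr($0, RSTART + 11, RLENGTH - 11) }
        END { print c + 0 }'
}

# link_diagnosis ETHTOOL_TEXT IFCONFIG_TEXT: print a verdict; exit 1 when the
# settings and counters point at a duplex mismatch with the switch port.
link_diagnosis() {
    an=$(ethtool_field "$1" "Auto-negotiation")
    dup=$(ethtool_field "$1" "Duplex")
    spd=$(ethtool_field "$1" "Speed")
    col=$(collisions_from_ifconfig "$2")
    if [ "$dup" = "Full" ] && [ "$col" -gt 0 ]; then
        # A full-duplex link never sees collisions; the other end is half duplex.
        echo "SUSPECT: full duplex but $col collisions; the link partner is probably half duplex"
        return 1
    fi
    if [ "$an" = "on" ] && [ "$dup" = "Half" ]; then
        # No FLPs received: the NIC fell back to half duplex (see the note above).
        echo "SUSPECT: auto-negotiation ended in half duplex; the switch port is probably forced"
        return 1
    fi
    if [ "$an" = "off" ]; then
        echo "OK: forced $spd $dup; the switch port must be forced to the same values"
        return 0
    fi
    echo "OK: negotiated $spd $dup"
    return 0
}

# link_check IFACE: run the diagnosis against a live interface.
link_check() {
    link_diagnosis "$(ethtool "$1" 2>/dev/null)" "$(ifconfig "$1" 2>/dev/null)"
}
```

Run link_check on each interface after changing ETHTOOL_OPTS or a switch port; a non-zero exit is the cue to compare both ends rather than to keep tuning the NIC alone.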
How to Convert Your Linux Server into a Simple Router

Router/firewall appliances that provide basic Internet connectivity for a small office or home network are becoming more affordable every day, but when budgets are tight you might seriously want to consider modifying an existing Linux server to do the job.
Details on how to configure Linux firewall security are covered in Chapter 14, "Linux Firewalls Using iptables", but you need to understand how to activate routing through the firewall before it can become a functioning networking device.
Configuring IP Forwarding

For your Linux server to become a router, you have to enable packet forwarding. In simple terms, packet forwarding lets packets flow through the Linux box from one network to another. The Linux kernel configuration parameter that activates this is named net.ipv4.ip_forward and can be set in the file /etc/sysctl.conf. Change the value on the line related to packet forwarding from 0 to 1 (and remove any leading "#" so that the line is not a comment):

    Before:
    # Disables packet forwarding
    net.ipv4.ip_forward=0

    After:
    # Enables packet forwarding
    net.ipv4.ip_forward=1

Editing the file alone changes nothing until the next reboot, when the startup scripts read /etc/sysctl.conf and write the value into /proc/sys/net/ipv4/ip_forward, the kernel's live copy of the setting in the RAM-based /proc filesystem. To activate the feature immediately, force Linux to re-read /etc/sysctl.conf with the sysctl command and its -p switch. Here is how it's done:

    [root@bigboy tmp]# sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    [root@bigboy tmp]#

Keep in mind that with forwarding on, any packet arriving on one interface can be passed out of another, so do not leave a server forwarding before the iptables FORWARD rules from Chapter 14 are in place, and keep the value at 0 on servers that are not meant to route.
Configuring Proxy ARP

If a server needs to send a packet to another device on the same network, it sends out an ARP request to the network asking for the MAC address of the other device.
If the same server needs to send a packet to another device on a remote network the process is different. The server first takes a look at its routing table to find out the IP address of the best router on its network that will be able to relay the packet to the destination. The server then sends an ARP request for the MAC address that matches the router's IP address. It then sends the packet to the router using the router's MAC address and a destination IP address of the remote server.
If there is no suitable router on its network, the server will then send out an ARP request for the MAC address of the remote server. Some routers can be configured to answer these types of ARP requests for remote networks. This feature is called proxy ARP. There are some disadvantages with this. One of the most common problems occurs if two routers are on the network configured for proxy ARP. In this scenario there is the possibility that either one will answer the local server's ARP request for the MAC address of the remote server. If one of the routers has an incorrect routing table entry for the remote network, then there is the risk that traffic to the remote server will occasionally get lost. In other words you can lose routing control.
Note: It is for this and other reasons that it is generally not a good idea to configure proxy ARP on a router. It is also good to always configure a default gateway on your server and use separate routing entries via other routers for all networks your default gateway may not know about.
Some types of bridging mode firewalls need to have proxy ARP enabled to operate properly. These devices are typically inserted as part of a daisy chain connecting multiple network switches together on the same LAN while protecting one section of a LAN from traffic originating on another section. The firewall typically isn't configured with an IP address on the LAN and appears to be an intelligent cable capable of selectively blocking packets.
If you need to enable proxy ARP on a Linux server, the /proc filesystem comes into play again. Proxy ARP is handled by files in the /proc/sys/net/ipv4/conf/ directory. This directory has a subdirectory for each functioning NIC card on your server, plus the special all and default entries, and each subdirectory has a file called proxy_arp. If the value within this file is 0, then proxy ARP on the interface is disabled; if the value is 1 then it is enabled. The kernel combines the all value with the per-interface value with a logical OR, so setting all/proxy_arp to 1 enables proxy ARP on every interface regardless of the per-interface files; per-interface entries only matter when all is left at 0.

You can use the /etc/sysctl.conf file mentioned in Appendix I, "Miscellaneous Linux Topics" to activate or disable proxy ARP. The next example activates proxy ARP, first for all interfaces and then for interfaces eth1 and wlan0 (the per-interface lines are redundant once all is set, but show the form you would use on their own):

    #
    # File: /etc/sysctl.conf
    #

    # Enables Proxy ARP on all interfaces
    net/ipv4/conf/all/proxy_arp = 1

    # Enables Proxy ARP on interfaces eth1 and wlan0
    net/ipv4/conf/eth1/proxy_arp = 1
    net/ipv4/conf/wlan0/proxy_arp = 1

You can then activate these settings with the sysctl command:

    [root@bigboy tmp]# sysctl -p
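Both ip_forward and proxy_arp turn a host into something that answers for, or carries, other machines' traffic, and the two places they live (the live /proc/sys files and the boot-time /etc/sysctl.conf) can disagree after a sysctl -p or an edit that was never applied. The script below is an added example, not from the original page, that audits both for the IP forwarding and proxy ARP sections above. Every function takes a root prefix (an empty string for the real system) so the same code can be run against a constructed directory tree; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a host's IPv4 forwarding and
# proxy ARP state, comparing the live /proc/sys values with what
# /etc/sysctl.conf will apply at the next boot. ROOT is "" for the real system.
# Assumes awk and the kernel's /proc/sys/net/ipv4 file layout.

# live_value ROOT KEY: current value of KEY given in slash form,
# e.g. net/ipv4/ip_forward.
live_value() {
    f="$1/proc/sys/$2"
    [ -r "$f" ] && tr -d '[:space:]' < "$f"
}

# conf_value ROOT KEY: value for KEY in ROOT/etc/sysctl.conf, accepting dot or
# slash form on either side, ignoring comments; the last occurrence wins, as it
# does for sysctl -p. Prints nothing when the key is not set.
conf_value() {
    f="$1/etc/sysctl.conf"
    [ -r "$f" ] || return 0
    awk -F= -v k="$(printf '%s' "$2" | tr / .)" '
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { key = $1; gsub(/[[:space:]]/, "", key); gsub("/", ".", key)
          if (key == k) { val = $2; gsub(/[[:space:]]/, "", val) } }
        END { print val }' "$f"
}

# proxy_arp_effective ROOT IFACE: 1 if proxy ARP is active on IFACE. The kernel
# ORs conf/all/proxy_arp with conf/IFACE/proxy_arp, so "all" alone is enough.
proxy_arp_effective() {
    a=$(live_value "$1" net/ipv4/conf/all/proxy_arp)
    i=$(live_value "$1" "net/ipv4/conf/$2/proxy_arp")
    if [ "$a" = 1 ] || [ "$i" = 1 ]; then echo 1; else echo 0; fi
}

# forwarding_audit ROOT: print findings; exit 0 only when the host neither
# forwards nor proxies ARP and the boot-time setting agrees with the live one.
forwarding_audit() {
    root=$1
    rc=0
    live=$(live_value "$root" net/ipv4/ip_forward)
    boot=$(conf_value "$root" net/ipv4/ip_forward)
    if [ "$live" = 1 ]; then
        echo "ip_forward=1: packets arriving on one interface can leave on another"
        rc=1
    fi
    if [ -n "$boot" ] && [ "$boot" != "$live" ]; then
        echo "ip_forward is $live now but sysctl.conf sets $boot at boot"
        rc=1
    fi
    for d in "$root"/proc/sys/net/ipv4/conf/*/; do
        ifc=$(basename "$d")
        case $ifc in all|default) continue ;; esac
        if [ "$(proxy_arp_effective "$root" "$ifc")" = 1 ]; then
            echo "proxy_arp active on $ifc: this host will answer ARP for remote networks"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the running system (no root needed to read /proc/sys):
#   forwarding_audit ""
```

A non-zero exit from forwarding_audit on a box that is supposed to be a plain server is worth a ticket: either someone enabled routing by hand and never persisted it, or the persisted value was never applied.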
Configuring Your /etc/hosts File

The /etc/hosts file is just a list of IP addresses and their corresponding server names. Your server will typically check this file before referencing DNS; if the name is found with a corresponding IP address, DNS won't be queried at all. This also means that a stray or malicious entry in the file silently overrides DNS for that name, so keep the file small and writable only by root. Unfortunately, if the IP address for that host changes, you also have to update the file. This may not be much of a concern for a single server, but it can become laborious if it has to be done companywide. For ease of management, it is often easiest to limit entries in this file to just the loopback interface and the server's own hostname, and use a centralized DNS server to handle most of the rest. Sometimes you might not be the one managing the DNS server, and in such cases it may be easier to add a quick /etc/hosts entry until the centralized change can be made.

    192.168.1.101 smallfry

In the example above, server smallfry has an IP address of 192.168.1.101. You can access 192.168.1.101 using ping, telnet or any other network aware program by referring to it as smallfry. Here is an example using the ping command to see whether smallfry is alive and well on the network:

    [root@bigboy tmp]# ping smallfry
    PING zero (192.168.1.101) 56(84) bytes of data.
    64 bytes from smallfry (192.168.1.101): icmp_seq=0 ttl=64 time=0.197 ms
    64 bytes from smallfry (192.168.1.101): icmp_seq=1 ttl=64 time=0.047 ms

    --- smallfry ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 2017ms
    rtt min/avg/max/mdev = 0.034/0.092/0.197/0.074 ms, pipe 2
    [root@bigboy tmp]#

You can also add aliases to the end of the line, which let you refer to the server by other names. Here we have set it up so that smallfry can also be accessed using the names tiny and littleguy:

    192.168.1.101 smallfry tiny littleguy

You should never list an IP address more than once in this file, because Linux will use only the first entry it finds for that address:

    192.168.1.101 smallfry   # (Wrong)
    192.168.1.101 tiny       # (Wrong)
    192.168.1.101 littleguy  # (Wrong)
The loopback Interface's localhost Entry

Usually the first entry in /etc/hosts defines the IP address of the server's virtual loopback interface. This is usually mapped to the name localhost.localdomain (the universal name used when a server refers to itself) and localhost (the shortened alias name). By default, Fedora inserts the hostname of the server between the 127.0.0.1 and the localhost entries, like this:

    127.0.0.1 bigboy localhost.localdomain localhost

When the server is connected to the Internet, this first entry after the 127.0.0.1 needs to be the fully qualified domain name (FQDN) of the server, for example bigboy.my-site.com, like this:

    127.0.0.1 bigboy.my-site.com localhost.localdomain localhost

Some programs such as Sendmail are very sensitive to this, and if they detect what they consider an incorrect FQDN they will default to using the name localhost.localdomain when communicating with another server on the network. This can cause confusion, as the other server also considers itself to be localhost.localdomain.

Note: You must always have a localhost and localhost.localdomain entry mapping to 127.0.0.1 for Linux to work properly and securely.
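The rules in this section (one line per address, no name mapped to two addresses, a localhost entry for 127.0.0.1) are easy to break when several people edit the file by hand. As an added example, not from the original page, here is a lint in shell/awk that checks a copy of /etc/hosts against them. It takes the file contents as an argument so it can be run against a captured copy; hosts_lint_file wraps it for the real file. The function names and message texts are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: lint /etc/hosts against the rules
# of this section. Assumes awk.

# hosts_lint TEXT: print one line per problem; exit 0 when the file is clean.
hosts_lint() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                 # drop comments, then re-split fields
        NF < 2 { next }                    # blank line or address without a name
        {
            ip = $1
            lines_for[ip]++
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                # the same name on lines with different addresses is ambiguous
                if ((n in ip_of) && ip_of[n] != ip) conflict[n] = 1
                ip_of[n] = ip
                if (ip == "127.0.0.1" && n == "localhost") have_localhost = 1
            }
        }
        END {
            bad = 0
            for (ip in lines_for) if (lines_for[ip] > 1) {
                print "address " ip " appears on " lines_for[ip] " lines; put all its names on one line"
                bad = 1
            }
            for (n in conflict) {
                print "name " n " is mapped to more than one address (ambiguous lookup)"
                bad = 1
            }
            if (!have_localhost) {
                print "no localhost entry for 127.0.0.1"
                bad = 1
            }
            exit bad
        }'
}

# hosts_lint_file [PATH]: lint a real file, /etc/hosts by default.
hosts_lint_file() {
    hosts_lint "$(cat "${1:-/etc/hosts}")"
}
```

Because /etc/hosts is consulted before DNS, a lint like this is also a cheap place to notice an unexpected entry for a name you care about, such as an update server or a login portal, that would quietly redirect the machine.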
Creating Interface Aliases

IP aliases can be easily created in the /etc/network/interfaces file once the main interface has already been defined. A modified duplicate of the main interface's iface stanza is required. A colon followed by the sub-interface number needs to be added to the first line, and only the new IP address and subnet mask need to follow, as can be seen in this example for interface eth1:1 with the IP address 220.127.116.11.

    auto eth1:1
    iface eth1:1 inet static
        address 18.104.22.168
        netmask 255.255.255.224
Adding Permanent Static Routes

The up option in the appropriate iface stanza of the /etc/network/interfaces file allows you to run commands once the specified interface has been activated with the ifup command. This makes it useful for adding permanent static routes.

In this example, a route to the 10.0.0.0/8 network via router address 22.214.171.124 has been added. Remember, the up option and the command must reside on the same line of the stanza. If the command fails, ifup aborts and does not mark the interface as configured, so test the route add from the command line first.

    # The primary network interface
    auto eth1
    iface eth1 inet static
        ...
        ...
        ...
        up route add -net 10.0.0.0 netmask 255.0.0.0 gw 126.96.36.199 eth1
A complete /etc/network/interfaces file

We can now construct a complete file based on the previous examples we discussed. Just like in Fedora, interfaces can be activated with the ifup and ifdown commands.

    #
    # Debian / Ubuntu
    #
    #
    # File: /etc/network/interfaces
    #

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # This is a list of hotpluggable network interfaces.
    # They will be activated automatically by the hotplug subsystem.
    mapping hotplug
        script grep
        map eth0 eth0
        map eth1 eth1

    # The primary network interface
    auto eth1
    iface eth1 inet static
        address 188.8.131.52
        netmask 255.255.255.224
        network 184.108.40.206
        broadcast 220.127.116.11
        gateway 18.104.22.168
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 22.214.171.124
        wireless-key 98d126d5ac
        wireless-essid schaaffe
        up route add -net 10.0.0.0 netmask 255.0.0.0 gw 126.96.36.199 eth1

    auto eth1:1
    iface eth1:1 inet static
        address 188.8.131.52
        netmask 255.255.255.224

    # The secondary network interface
    auto eth0
    iface eth0 inet dhcp

Note that the wireless-key line stores the WEP key in clear text, and /etc/network/interfaces is world-readable by default; tighten its permissions (mode 0600 is enough, since only root reads it) if it holds a key, and bear in mind that WEP itself offers little protection. For more information on the /etc/network/interfaces file just issue the command man interfaces from the command line.