Linux Home Networking

Author: Michael Minn (see michaelminn.com for contact info)

December 31, 2007


An overview of hardware and techniques for networking Linux computers in a home or small business environment


1. Introduction

From its origins, the UNIX operating system has been oriented around networking, and UNIX machines are generally very easy to network and use on networks. Networking is a huge topic, but the following contains some basic information that should be helpful for configuring modest home and small business networks. Basic information is also provided for connecting your Linux box to a network associated with a larger institution (such as a university).

Although a number of graphical user interfaces are available for network configuration, use of software that shields the user from the technical workings of their system can sometimes be counterproductive. In a Linux environment where hardware and drivers are not specifically designed for the plethora of configurations, understanding the details of how a system is configured can be extremely helpful for diagnosing problems and actually save time.

With that premise in mind, all configuration in this document is performed by editing system files or using command line programs. This document is not intended to be complete and I welcome any suggestions for its improvement.


2. Hardware

Perhaps the biggest issue facing a Linux user is finding hardware that is supported by vendor or open source drivers. Many manufacturers guard information about their hardware as trade secrets and see no need to expend effort on developing drivers for a rather small group of Linux users.

Research: However, there are numerous vendors and projects that fill some of the holes. It is therefore ESSENTIAL that, before purchasing hardware, you check the hardware compatibility lists AND Google your hardware to verify that drivers are available. The following are some online resources, although they are usually behind the curve and search engines will find more up-to-date information.

Hardware Versions: Hardware vendors often change chipsets while keeping the same model number. This means that two cards with the same model number can actually be completely different hardware, and Linux drivers for the old model may not work for the new version. Linux drivers often trail the introduction of a product by months, by which time the vendor may have moved on to yet another chip vendor.

Thankfully, many vendors issue the new hardware with a different "version" number that can be used to distinguish different releases of the same hardware. Product or serial numbers can also be used to distinguish new versions. BUYER BEWARE.

Some information for specific hardware (current at the time of this writing) is given later in this document.

Network Card: Every device on the network needs a network interface of some kind. Most new desktop and laptop computers have ethernet ports (RJ-45 connectors) and modem ports (RJ-11 or phone line connectors), although the chips driving them may not have Linux drivers. Wireless and wired cards are available as internal cards (for desktops) or PCMCIA or USB devices. Again, do your research before buying.

Switches/Routers: Once you have machines with network cards, you need some way to connect them. For a small number of machines, consumer-quality switches are usually simpler than routers. Routers are more complex and usually associated with a shared internet connection.

Switches and routers are often combined: a central router is connected to the internet, and multiple machines in one room are connected to a switch, which then has a single wire running to the central router.

Crossover Cables: If you are only connecting two machines, perhaps to share files between a laptop and a desktop, all you need is a crossover cable to connect them. Although this cable appears identical to a regular ethernet cable, the connectors are wired so the outputs of one machine go to the inputs of the other. (Many newer cards, particularly gigabit ones, detect the cable type and adjust automatically, but a crossover cable works with any card.)

Access Points: For wireless networks, you need one or more access points to relay traffic between machines and between the network and an internet connection. It is possible for wireless machines to connect directly to each other (ad-hoc mode), although most networks centralize control (and internet access) through access points.

Modems: Modems are used to connect to a remote machine (such as your internet service provider) through a phone line (dial-up or DSL) or cable connection.


3. A Two Computer Network

I frequently need to share files between my laptop and desktop. One easy way to do that is to network the two together as a simple wired peer-to-peer network. This also serves as a simple example for Linux system configuration.

Crossover Cable: For hardware, each computer needs an ethernet card (10/100BaseT) and an RJ-45 CROSSOVER cable. Note that this is a crossover cable and not a regular CAT-5 patch cable: unless you are using a hub or switch, the wires have to be "crossed over" to directly connect two PCs.

Device Names: An internal, PCMCIA or USB networking device that has the appropriate kernel modules installed will be recognized at boot, or by hotplugging when the device is plugged into the machine. Ethernet devices receive the name ethX, where X is a number assigned by the order in which the devices are detected: the first device is eth0, the second eth1, and so on.

IP Addresses: Unless you have a DHCP server or want to set one up, you will need to choose static IP addresses. Use addresses from the private ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), which are never routed on the public internet. I use 192.168.1.1 and 192.168.1.2 on my two machines, respectively, with a 255.255.255.0 netmask.

Configuration File: A configuration file is needed for each device. Where it lives depends on the distribution: SuSE keeps them in /etc/sysconfig/network and Red Hat-derived distributions in /etc/sysconfig/network-scripts; in both cases the file is named ifcfg-XXXX, where XXXX is the name of the device. The examples here use the SuSE form (STARTMODE=onboot or hotplug); the Red Hat equivalent is ONBOOT=yes, as in the DHCP and wireless examples later in this document. For example, my /etc/sysconfig/network/ifcfg-eth0 file for an internal card on a network with statically assigned IP addresses:

	DEVICE=eth0
	STARTMODE=onboot
	BOOTPROTO=static
	IPADDR=192.168.1.1
	NETMASK=255.255.255.0

Accordingly, the /etc/sysconfig/network/ifcfg-eth1 file on the second machine, where the PCMCIA card came up as eth1 and is started when it is plugged in:

	DEVICE=eth1
	NAME=eth1
	STARTMODE=hotplug
	BOOTPROTO=static
	IPADDR=192.168.1.2
	NETMASK=255.255.255.0

Start The Interface: To start and stop the interface, there are two scripts: ifup and ifdown.

	/sbin/ifup eth0

/etc/fstab: To tell the system how to mount the remote file system, edit the /etc/fstab file and add the following line on the 192.168.1.2 machine, pointing to the 192.168.1.1 machine. On the 192.168.1.1 machine, the address would be changed to point to the 192.168.1.2 machine. The options in the fourth column tell mount not to try at boot time (noauto), to allow a regular user (not just the superuser) to mount the file system (user), to permit running programs from it (exec; the user option otherwise implies noexec, nosuid and nodev, and the nosuid and nodev parts stay in force, which is what you want for a remote file system) and to time out rather than retry indefinitely if the server stops responding (soft). Be aware that with a soft mount a write that times out is reported as an error and the data is lost, so soft is best kept for read-mostly use. The given mount point (/mnt/network) can be any directory you prefer. If there is confusion about protocol versions with the server, an explicit version option may also be necessary (e.g. nfsvers=2).

	192.168.1.1:/home	/mnt/network	nfs	noauto,user,exec,soft	0  0

Firewall Configuration: NFS itself uses port 2049 (TCP and UDP), but a mount also needs the portmapper on port 111 and the mountd, lockd and statd RPC services, which by default are assigned dynamic ports. The default firewalls on many distributions block some or all of these, so mounting a directory on a remote machine fails with the message "RPC: Port mapper failure - RPC: Unable to receive". If the firewall is left enabled on the serving machine, the mount will delay and finally issue the message "RPC: Timed out".

Firewall - SuSE: SuSE provides a utility that handles the otherwise difficult configuration of iptables. For a simple home network with no serious security risk, you can specify which device is your internal device and turn off protection from the internal network. Note that this opens every service on that interface to everything on the internal network, so you SHOULD NOT do this if your internal network is used to share an internet connection or if you do not trust every machine on it. The SuSE configuration file is /etc/sysconfig/SuSEfirewall2. Modify the following entries

	FW_DEV_INT="eth0"
	FW_PROTECT_FROM_INTERNAL="no" # this is the key

Firewall - iptables: Non-SuSE machines require direct configuration of iptables. On both machines, add new iptables rules that accept all input on the eth0 interface from 192.168.1.1 and 192.168.1.2. Matching on the interface (-i eth0) as well as the source address matters: a packet arriving on another interface with a forged 192.168.1.x source address is then still rejected. The same reasoning applies to the loopback rule, which should match the lo interface rather than the source address 127.0.0.1. List the new table and, if everything looks good, save it to the /etc/sysconfig/iptables file.

	/sbin/iptables -I INPUT -i lo -j ACCEPT
	/sbin/iptables -I INPUT -p ALL -i eth0 -s 192.168.1.1 -j ACCEPT
	/sbin/iptables -I INPUT -p ALL -i eth0 -s 192.168.1.2 -j ACCEPT
	/sbin/iptables -L -n -v
	/sbin/iptables-save > /etc/sysconfig/iptables

Firewall - ipchains: Some older machines (2.2 kernels) use ipchains, a separate but similar firewall service that was replaced by iptables in the 2.4 kernel. There are syntactical differences in configuration since the two programs handle forwarded packets differently.

	/sbin/ipchains -I input -p ALL -i eth0 -s 192.168.1.1 -j ACCEPT
	/sbin/ipchains-save > /etc/sysconfig/ipchains

Test the Connection: If the system is configured properly, you should be able to ping one system from the other. If you're on 192.168.1.1:

	ping 192.168.1.2

Should give something like this:

	PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
	64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.895 ms
	64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.435 ms
	64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.430 ms

A machine can also ping itself to verify that it's own interface is working.


4. NFS

To provide mutual access to files between both machines, you will need to set both machines up as Network File System file servers and clients.

NFS Exports: The /etc/exports file tells NFS which directories to make visible to network systems, and to whom. To make the /home directory visible to both machines with the IP addresses given above, the /etc/exports file on both machines would have one line. The sync option makes the server commit writes to disk before acknowledging them (exportfs warns if neither sync nor async is given); root_squash, which maps remote root to the unprivileged nobody user, is the default and should be left in place.

	/home 192.168.1.1(rw,sync) 192.168.1.2(rw,sync)

Export these file systems after modifying /etc/exports. The file systems will subsequently be exported each time the system is rebooted.

	/usr/sbin/exportfs -a -v
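Before exporting, it is worth checking the file for the options that quietly widen access. The following script is an added example and is not from the original article; it lints an exports file for wildcard hosts, no_root_squash, async, insecure and read-write exports to whole subnets. The exports file it reads is constructed sample data written to a temporary file; point audit_exports at /etc/exports to check a real one.

```sh
#!/bin/sh
# Added example, not from the original article: lint an NFS /etc/exports
# file for the options that matter most when the server sits on a shared
# network. The exports file below is constructed sample data written to a
# temporary file; run the function against the real one with
# audit_exports /etc/exports.

SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# the two-machine network from the article: fine
/home 192.168.1.1(rw,sync,root_squash) 192.168.1.2(rw,sync,root_squash)
# exported to every host, remote root kept as root, writes acknowledged before they reach disk
/srv/data *(rw,no_root_squash,async)
# no options at all: ro, sync and root_squash are the defaults, so nothing to report
/pub 192.168.1.0/24
EOF

# audit_exports FILE: one WARN line per finding; returns 1 if anything was found.
audit_exports() {
    awk '
    function opt_has(opts, name) { return opts ~ ("(^|,)" name "(,|$)") }
    function warn(d, h, msg) { printf "WARN %s %s: %s\n", d, h, msg; found = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match($i, /\(.*\)$/)) {            # split host(opt,opt) into its parts
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (host == "*" || host ~ /^\*\./)
                warn(dir, host, "exported to wildcard hosts")
            if (opt_has(opts, "no_root_squash"))
                warn(dir, host, "no_root_squash: remote root is root on this machine")
            if (opt_has(opts, "async"))
                warn(dir, host, "async: acknowledged writes can be lost if the server crashes")
            if (opt_has(opts, "insecure"))
                warn(dir, host, "insecure: accepts requests from unprivileged source ports")
            if (opt_has(opts, "rw") && host ~ /\/[0-9]+$/)
                warn(dir, host, "read-write export to a whole subnet")
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

audit_exports "$SAMPLE_EXPORTS" || echo "exports need attention"
```

On the sample above the script reports three findings, all on the /srv/data line; the article's own /home export passes. Since the function exits non-zero when it finds something, it can sit in front of exportfs -a in a script so that a bad edit is caught before it is exported.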

Configure NFS to Start On Boot: This will cause the NFS daemons to be started at boot time. Since every running network service is additional exposure, you should not do this if you do not plan to use NFS regularly.

	/sbin/chkconfig nfs on
	/sbin/chkconfig nfslock on

Start NFS: Start the daemons. The portmapper must be running before the NFS daemons register with it (restarting portmap afterwards would discard their registrations), so start or restart it first:

	/etc/init.d/portmap restart
	/etc/init.d/nfs start
	/etc/init.d/nfslock start

Mount: Network file systems are mounted just like physical drives; with the /etc/fstab entry above, the mount point alone is enough:

	mount /mnt/network

Network file systems can also be mounted explicitly (without an entry in the /etc/fstab file):

	mount 192.168.1.1:/home /mnt/network

Debugging - Server Is Down: The error message "mount to NFS server 'x.x.x.x' failed: server is down" may, in fact, mean that the server is not running or that you do not have connectivity to the server (see the ping test below). It can also occur when the server has no entry in /etc/exports giving your machine permission to mount the requested directory (see above).

However, this message may also be caused by an NFS protocol version mismatch. The Linux NFS client supports NFS protocol versions 2, 3 and 4, but not every server is as accommodating. Use the nfsvers=2 option on the mount command (or in /etc/fstab) to force NFSv2 (which is limited to 32-bit file offsets, so prefer v3 where it works).

	mount -o nfsvers=2 192.168.1.1:/home /mnt/network

Much love to Sergejs Svitnevs for pointing this out on an HP IT Resource Center Forum.

Debugging - NFS Server Not Up: The error messages "RPC: Program not registered" or "RPC: Unable to receive; errno = Connection refused" on the client machine usually mean the NFS server has not been started (or has not registered with the portmapper):

	/etc/init.d/nfs start

Debugging - Connectivity: If you are still having problems, you should try pinging the other machine to make sure it can be reached. Failure on the ping indicates an IP connection problem.

	ping 192.168.1.1

Debugging - Ports: NFS itself listens on port 2049 (TCP and UDP); the other RPC services it depends on (mountd, nlockmgr, status) get their ports from the portmapper on port 111, and rpcinfo asks the portmapper to list them. If rpcinfo itself fails against a machine, that machine is not accepting RPC requests (portmap is not running, or port 111 is blocked).

	/usr/sbin/rpcinfo -p 192.168.1.1
	/usr/sbin/rpcinfo -p 192.168.1.2

You can also verify open ports with netstat. nfs should be listed for both tcp and udp, although only the tcp socket will be in LISTEN state (UDP is connectionless and has no listening state). sunrpc is the portmapper on port 111:

	# netstat -tul

	Active Internet connections (only servers)
	Proto Recv-Q Send-Q Local Address           Foreign Address         State      
	tcp        0      0 *:nfs                   *:*                     LISTEN      
	tcp        0      0 *:printer               *:*                     LISTEN      
	tcp        0      0 *:676                   *:*                     LISTEN      
	tcp        0      0 *:sunrpc                *:*                     LISTEN      
	tcp        0      0 *:x11                   *:*                     LISTEN      
	tcp        0      0 *:ha-cluster            *:*                     LISTEN      
	tcp        0      0 *:32893                 *:*                     LISTEN      
	tcp        0      0 *:32894                 *:*                     LISTEN      
	udp        0      0 *:nfs                   *:*                                 
	udp        0      0 *:32782                 *:*                                 
	udp        0      0 *:32783                 *:*                                 
	udp        0      0 *:673                   *:*                                 
	udp        0      0 *:691                   *:*                                 
	udp        0      0 *:bootpc                *:*                                 
	udp        0      0 *:727                   *:*                                 
	udp        0      0 *:sunrpc                *:*     

Debugging - iptables Firewall: If all else fails, you can stop the firewall to confirm that it is the cause, then put it back (replace stop with restart) and open only the ports that were needed:

	/etc/init.d/iptables stop

FYI, the important line in /etc/sysconfig/iptables on Red Hat systems is the rejection of UDP port 2049, used by NFS. Removing it alone is not enough if the portmapper (port 111) and mountd are still blocked, which is what produces the port mapper failure message above:

	-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
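Rather than stopping the firewall, or accepting everything from the peer as in the iptables rules for the two-computer network above, the peer can be allowed only the ports NFS actually uses. The script below is an added example, not from the original article: it prints (and with --apply installs) an INPUT chain that admits portmap, NFS, mountd, statd and lockd, plus ping so the connectivity test still works, from the one peer machine on the internal interface and rejects everything else. It assumes, and this is not from the article, that the internal interface is eth0, the peer is 192.168.1.2, and that mountd, statd and lockd have been pinned to fixed ports (they are assigned dynamically by default; on Red Hat-style systems MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT in /etc/sysconfig/nfs do this). Check the real ports with rpcinfo -p before applying.

```sh
#!/bin/sh
# Added example, not from the original article: an INPUT chain that admits
# only what NFS needs, from only the peer machine, as an alternative to
# accepting everything from the peer or stopping the firewall.
# Assumptions (not from the article): internal interface eth0, peer
# 192.168.1.2, and mountd/statd/lockd pinned to the fixed ports below
# (dynamic by default; rpcinfo -p shows the ones actually in use).

IFACE=${IFACE:-eth0}
PEER=${PEER:-192.168.1.2}
MOUNTD_PORT=${MOUNTD_PORT:-892}
STATD_PORT=${STATD_PORT:-662}
LOCKD_PORT=${LOCKD_PORT:-32803}

# nfs_rules: print the iptables commands one per line without running them,
# so they can be reviewed first.
nfs_rules() {
    echo "iptables -P INPUT DROP"              # anything not listed below is dropped
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"   # portmap and the daemons talk over lo
    # replies to connections this host opened itself (its own mounts of the peer)
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # ping from the peer, so the connectivity test in the article still works
    echo "iptables -A INPUT -i $IFACE -s $PEER -p icmp -j ACCEPT"
    for proto in tcp udp; do
        for port in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT"; do
            # -i and -s together: a forged $PEER source arriving on another
            # interface does not match this rule
            echo "iptables -A INPUT -i $IFACE -s $PEER -p $proto --dport $port -j ACCEPT"
        done
    done
    # everything else on the internal interface is logged, then rejected
    echo "iptables -A INPUT -i $IFACE -j LOG --log-prefix 'nfs-fw-drop: '"
    echo "iptables -A INPUT -i $IFACE -j REJECT"
}

# count_accepts: number of ACCEPT rules produced (a quick self-check)
count_accepts() { nfs_rules | grep -c ' -j ACCEPT'; }

case "${1:-}" in
    --apply) nfs_rules | sh -e && iptables-save > /etc/sysconfig/iptables ;;
    *)       nfs_rules ;;     # default: dry run, print only
esac
```

The LOG rule ahead of the final REJECT is what makes the result debuggable: a mount that fails after this is applied shows up in /var/log/messages with the port that was refused, which is usually a mountd or lockd port that moved because it was not pinned.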

Debugging - SuSE Firewall

	/etc/init.d/SuSEfirewall2_setup stop

10. Samba

The Windoze operating system shares files through the Server Message Block (SMB) protocol and finds machines by name through the NetBIOS name service (NMB). Directories on a Windoze system that are made available for network access are called Shares.

Samba is an open source package that provides file access between Windoze and Linux machines using SMB/NMB. Samba configuration is a huge topic, but some basic configuration information is given here for a simple home network. The utilities provided with Samba permit both access of Windoze shares from Linux systems and sharing of Linux directories with Windoze systems.

10.1 Sharing Linux Files with Windoze Systems

useradd: Samba users from Windoze should have user accounts on the Linux machine. Usernames are added with the useradd command and passwords are set/changed with passwd. The -m option creates the user's home directory in /home as well.

	useradd -m (username)
	passwd (username)

Do not pass the password on the useradd command line with -p: it expects an already-hashed value, and anything typed on the command line is visible to other users in the process list and is kept in your shell history.

smbpasswd: Samba keeps its own password hashes, separate from the regular Linux passwords in /etc/shadow, so every Samba user must also be added with the smbpasswd command (which also deletes and disables Samba users).

	smbpasswd -a (username)

/etc/samba/smb.conf: security: How clients authenticate to ALL Samba shares is defined in the [global] section of /etc/samba/smb.conf. "user" security authenticates each connection with a username and Samba password and is what you want; "share" security (a per-share password with no user identity, deprecated) should be avoided. Whether a share is read-only or read-write is set per share with the read only option, not here. Restricting the server to the internal network with hosts allow costs nothing and keeps the service off any other interface:

	[global]
	security = user
	# only the internal network and the machine itself
	hosts allow = 192.168.1. 127.

/etc/samba/smb.conf: shares: Samba "shares" are configured in /etc/samba/smb.conf. To configure a share named (sharename), add the following section to the file. Without a valid users line, any authenticated Samba user can connect:

	[(sharename)]
	comment = Shared directory named (sharename)
	path = (filepath)
	valid users = (username)
	read only = No

Starting Samba Services: On SuSE the rcnmb and rcsmb scripts start the Samba naming and file sharing services (on Red Hat systems, /etc/init.d/smb start does both):

	rcnmb start
	rcsmb start

Firewall: Samba needs UDP ports 137 and 138 (NetBIOS name and datagram services) and TCP ports 139 and 445 (SMB) open on the internal interface. Use the same approach as for NFS above, restricting the rules to the internal interface and addresses; none of these ports should ever be reachable from the internet.

Mounting Samba Shares: Samba shares on other Linux or Windoze systems can be mounted just like other file systems, and /etc/fstab can be used to define mount points and options. The file system type is smbfs (older kernels, mounted by smbmount) or cifs (its successor, mounted by mount.cifs). Do not put the password in /etc/fstab, which is world-readable; keep the username and password in a file readable only by root (chmod 600) and reference it with the credentials= option (the file name below is only a placeholder). Example line in /etc/fstab:

	//(server)/(sharename) /(mountpoint)  smbfs noauto,user,soft,ip=192.168.1.1,credentials=/etc/samba/(server).cred  0 0

testparm: lists Samba shares and verifies correct syntax of the configuration file

smbstatus: a simple program to list currently open Samba connections.
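testparm checks syntax, not intent. The following is an added example, not from the original article: a small lint for smb.conf that flags the settings above which decide who can reach a share (security = share, no hosts allow, guest-writable shares, writable shares with no valid users list). The smb.conf it reads is constructed sample data; run lint_smbconf /etc/samba/smb.conf for a real one.

```sh
#!/bin/sh
# Added example, not from the original article: lint an smb.conf for the
# settings that decide who can reach a share. The smb.conf below is
# constructed sample data in a temporary file.

SAMPLE_SMBCONF=$(mktemp)
trap 'rm -f "$SAMPLE_SMBCONF"' EXIT
cat > "$SAMPLE_SMBCONF" <<'EOF'
[global]
   workgroup = HOME
   security = share
   # no hosts allow: every address that can reach port 445 may try

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[public]
   path = /srv/public
   guest ok = yes
   read only = no

[docs]
   path = /srv/docs
   valid users = alice
   read only = yes
EOF

# lint_smbconf FILE: one WARN line per finding; returns 1 if anything was found.
lint_smbconf() {
    awk '
    function warn(sec, msg) { printf "WARN [%s]: %s\n", sec, msg; found = 1 }
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function check(sec,    writable) {
        if (sec == "") return
        if (sec == "global") {
            if (opt["security"] == "share")
                warn(sec, "security = share: per-share passwords, no user identity; use security = user")
            if (!("hosts allow" in opt))
                warn(sec, "no hosts allow: restrict to the LAN, e.g. hosts allow = 192.168.1. 127.")
            return
        }
        writable = (opt["read only"] == "no" || opt["writable"] == "yes" || opt["writeable"] == "yes")
        if (opt["guest ok"] == "yes" && writable)
            warn(sec, "guest ok = yes on a writable share: anyone on the network can write")
        if (writable && !("valid users" in opt) && sec != "homes")
            warn(sec, "writable share with no valid users list")
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                                   # new [section]: check the previous one
        check(section)
        section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
        split("", opt); next
    }
    index($0, "=") {                                # key = value, case-insensitive
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        opt[key] = tolower(trim(substr($0, index($0, "=") + 1)))
    }
    END { check(section); exit (found ? 1 : 0) }
    ' "$1"
}

lint_smbconf "$SAMPLE_SMBCONF" || echo "smb.conf needs attention"
```

The [homes] share is exempted from the valid users check because Samba already limits it to the connecting user's own directory. On the sample the script reports four findings: two in [global] and two for the guest-writable [public] share; [docs] passes.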

10.2 Accessing Windoze Shares from Linux

It is possible to access shares on a Windoze system from a Linux box either through smbclient (a program similar to FTP) or by mounting the shares as an SMB filesystem on Linux.

The following examples presume unprotected shares. You may need additional workgroup/username/password information if the share is protected.

Find the IP address of the server: You should be able to get the IP address of the computer hosting the shares by simply viewing the network properties of the host. However, if you are in an unfamiliar environment, you can use nmap to find live IP addresses on a network (only scan networks you are responsible for). If the network is set up with DHCP, you can get the IP info for the network with ifconfig. Assuming a 192.168.0.0 network with a mask of 255.255.255.0:

	nmap -sP 192.168.0.0/24

Find the NetBIOS name of the computer: You can get the NetBIOS name of the host computer by querying it with nmblookup. Assuming the host computer IP is 192.168.0.1:

	nmblookup -A 192.168.0.1

List shares on a computer: Assuming that you found the 192.168.0.1 computer is named "mainserver", you can list the available shares with smbclient. Note that server names are normally preceded with "\\", but because the UNIX shell treats the backslash as an escape character, each "\" must be written as "\\" on the command line (so "\\\\mainserver") UNLESS you put single quotes around the whole name. smbclient also accepts the forward-slash form //mainserver/sharename, which avoids the problem entirely.

	smbclient -L \\\\mainserver -I 192.168.0.1

Connect to a share: If you only need to do simple transfer of files from/to the share, you can use smbclient as a simple FTP-like program. Assuming a share named "sharedirectory" on computer "mainserver" (the empty "" is the password; add -U (username) for a protected share):

	smbclient '\\mainserver\sharedirectory' "" -I 192.168.0.1

smbmount mounts a share so it can be accessed through the Linux filesystem (on newer kernels, mount -t cifs //(server)/(sharename) /(mountpoint) -o username=(user) does the same).

The findsmb and smbtree commands are available for viewing networks, although they require additional configuration to work properly.


11. DHCP

DHCP (Dynamic Host Configuration Protocol) is a service provided by a server for assigning IP addresses to network hosts dynamically and eliminating the need to manually assign IP addresses to each computer on a network. The DHCP server needs a static IP address, but all hosts can have their network interface configurations set to get an IP address from the DHCP server.

11.1 DHCP Client

Most non-trivial networks, including networks that have access points or use routers to connect to the internet, have DHCP servers of some kind. A network card will get an address when the interface is brought up. Therefore dhcp must be specified in the config file for the particular interface. For a simple network card on eth0, the /etc/sysconfig/network-scripts/ifcfg-eth0 file will be:

	DEVICE=eth0
	NAME=eth0
	BOOTPROTO=dhcp
	ONBOOT=yes

You can verify successful assignment of a dynamic IP address with ifconfig. You can also see diagnostic messages issued when seeking a DHCP address at the end of /var/log/messages

DHCP addresses are "leased" for a set duration. There may be situations (such as DHCP server testing) where you need to relinquish a DHCP lease and acquire a new IP address. This can be done with dhclient. To release an IP address:

	/sbin/dhclient -r

To acquire a lease, trying once rather than retrying in the background until one is obtained (-1):

	/sbin/dhclient -1

11.2 DHCP Server

/etc/sysconfig/dhcpd: Setup for a simple network is quite easy. Add an entry to /etc/sysconfig/dhcpd for the network interface that will be connected to hosts:

	DHCPD_INTERFACE="eth0"

/etc/dhcpd.conf: Add a range of addresses that can be allocated to /etc/dhcpd.conf (a range of one address, as below, serves exactly one client at a time):

	ddns-update-style none;

	subnet 192.168.1.0 netmask 255.255.255.0 {
	  range 192.168.1.3 192.168.1.3;
	  }

iptables: Configure the firewall to permit incoming DHCP requests on the internal interface. DHCP uses UDP: the client sends from port 68 to port 67. A client that has no address yet sends its DISCOVER from source 0.0.0.0 to the broadcast address, so a rule that matches on a specific source IP (as in the NFS rules above) will never see it; match on the interface and the port instead:

	/sbin/iptables -I INPUT -i eth0 -p udp --dport 67 -j ACCEPT
	/sbin/iptables-save > /etc/sysconfig/iptables

SuSE Firewall: If you're using SuSe, modify the following line in the /etc/sysconfig/SuSEfirewall2 file:

	FW_SERVICE_DHCPD="yes"

Lease Info: Information about current DHCP leases is listed in /var/lib/dhcp/dhcpd.leases
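The leases file is also the quickest way to see who is on the network. The following is an added example, not from the original article: it lists the active leases and flags any client whose MAC address is not on a list you give it. dhcpd appends a new record every time a lease is renewed, so the script keeps only the last record for each address. The leases file it reads is constructed sample data in the ISC dhcpd format; the real file is /var/lib/dhcp/dhcpd.leases.

```sh
#!/bin/sh
# Added example, not from the original article: list active leases in an ISC
# dhcpd.leases file and flag clients whose MAC is not on a known list.
# The leases file below is constructed sample data.

SAMPLE_LEASES=$(mktemp)
trap 'rm -f "$SAMPLE_LEASES"' EXIT
cat > "$SAMPLE_LEASES" <<'EOF'
lease 192.168.1.3 {
  starts 1 2007/12/31 10:00:00;
  ends 1 2007/12/31 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.4 {
  starts 1 2007/12/30 09:00:00;
  ends 1 2007/12/30 21:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.3 {
  starts 1 2007/12/31 22:00:00;
  ends 2 2008/01/01 10:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.5 {
  starts 1 2007/12/31 23:30:00;
  ends 2 2008/01/01 11:30:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "unknown-pc";
}
EOF

# active_leases FILE: prints "IP MAC HOSTNAME" for each currently active lease.
# Records are appended on every renewal, so the last one for an IP wins.
active_leases() {
    awk '
    /^lease / { ip = $2; mac = "-"; host = "-"; state = "" }
    /^[ \t]*binding state/ { state = $3; sub(/;$/, "", state) }   # not "next binding state"
    /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
    /client-hostname/ { host = $2; gsub(/["; ]/, "", host) }
    /^}/ { if (state == "active") seen[ip] = mac " " host; else delete seen[ip] }
    END { for (ip in seen) print ip, seen[ip] }
    ' "$1" | sort
}

# unknown_clients FILE MAC...: active leases whose MAC is not in the given list.
unknown_clients() {
    file=$1; shift
    known=" $* "
    active_leases "$file" | while read -r ip mac host; do
        case "$known" in
            *" $mac "*) ;;
            *) echo "UNKNOWN $ip $mac $host" ;;
        esac
    done
}

active_leases "$SAMPLE_LEASES"
unknown_clients "$SAMPLE_LEASES" 00:11:22:33:44:55 00:11:22:33:44:66
```

A MAC address is trivially forged, so an empty UNKNOWN list proves nothing; a non-empty one, on the other hand, is a device on your network that you did not expect, which is worth knowing on a wireless network in particular.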


12. Dialup Access

Although dialup access to the internet is rapidly going the way of buggy whips, millions of people still connect to the internet via analog phone lines. And travelers who stay in cheap hotels often find it necessary to get a dialup connection.

Internal Modems: Finding a modem that works with Linux is actually a bit harder than it would seem. Most designers of laptop and internal (and many USB) modems have simplified their hardware by moving some of the signal processing out of the hardware and into the driver software. Since these drivers are almost never written for Linux, this presents a severe problem. However, there are a relatively small number of manufacturers making the chips used in these WinModems and, thankfully, SOME manufacturers and private developers have developed Linux drivers.

Some resources for finding Linmodem info:

To know which driver to use, you need to know what chip the modem uses. This can be especially difficult on laptops or external devices where it is not easy to pop the case open and see the hardware. For internal modems, if you have Windoze installed, the modem's Properties in Device Manager (Modems -> Diagnostics) give detailed info.

Lacking Windoze info, you may also be able to use the /sbin/lspci -vv command, although this may not be of value since dial-up modems are often hidden behind AC'97 chips, as in this listing from my Toshiba 1905 laptop:

	00:1f.6 Modem: Intel Corp. 82801BA/BAM AC'97 Modem (rev 05) (prog-if 00 [Generic])
		Subsystem: Toshiba America Info Systems: Unknown device 0001
		Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
		Status: Cap- 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR-

The Windoze info indicates the modem chip is an HSF winmodem from Compal:

	Driver Provider: Agere
	Driver Date 6/21/2002
	Driver Version 2.1.15.0
	I/O Range 2400-24FF
	I/O Range 2000-207F
	IRQ 11
	Intel AC97
	Conexant SmartMC II

	Device Manager- >Modems->toshiba Software Modem->Diagnostics
	PCI\VEN_8086&DEV_2446&SUBSYS_00011179\REV 05

	8086:2446
	VENDOR ID 8086 (Intel Corporation)
	Device ID 2446
	SUBVENDOR ID 1179
	SUBDEVICE ID 0001
	REVISION ID 05

	VENDOR NAME ICH
	DEVICE NAME ICH2
	SUBVENDOR NAME COMPAL
	MODEM TYPE HSF
	WINXP INBUILD SUPPORT NO

External Modems: If you have an internal modem that is not supported or you don't feel like fighting with a driver, you might consider an external modem, although that presents its own problems:

  • Most external USB modems are WinModems, and unsupported.
  • External hardware modems usually require RS-232 serial connections, and most new laptops do not have RS-232 ports.
  • Although USB/serial converters are available, many are not supported.

A case study for using a USB/Serial convertor with an external modem is given below.

PCMCIA modems are available, although they all seem to use the same driver, which is buggy.

wvdial: Once you have a modem, you need software to dial out and establish a connection. Wvdial is an excellent, no-nonsense PPP connection program that can be used for dial-up networking. It can be invoked from the command line without any options. The network device created by wvdial with pppd is ppp0. Dialing information is given in the /etc/wvdial.conf file; an example is given below. The settings go under a [Dialer Defaults] section header, which wvdial requires. You should modify the phone number, username and password to ones appropriate to your ISP. Since the ISP password is stored in clear text, the file should be readable by root only (chmod 600 /etc/wvdial.conf). The modem device may also differ depending on your hardware or winmodem configuration. Usually it is /dev/modem, although my winmodems have names like /dev/ttySL0 and /dev/ttyLT0

	[Dialer Defaults]
	Modem = /dev/modem
	Init1 = ATZ
	Phone = (access number)
	Username = (username provided by ISP)
	Password = (password provided by ISP)

14. Wireless

Creation of and connecting to wireless networks is generally as easy as with wired networks.

Hardware: As before, one of the biggest problems with Linux wireless is finding a card with Linux drivers. Some resources are listed below. As usual, information gleaned with Google can often be more up-to-date than info contained on web list pages.

Modes: There are two common wireless network configurations:

  • Managed Mode involves having a central Access Point device that manages the network and routes messages between nodes on the network. All devices on a managed mode network communicate via the access point, even when communicating with each other. The access point serves as a router and, usually, as a DHCP server. Managed mode is used on most wireless networks
  • Ad-Hoc Mode involves computers on the network communicating directly with each other. Setup of this kind of network is a bit more complicated (including static IP addresses), although if you do not have an access point, this is the way to go. Computers set up to work in Ad-Hoc mode cannot communicate with Managed networks, and vice-versa.

Access Point: For a managed network, you will need an access point. In a home network, this is usually a separate box that is also used as a router for sharing a high-speed internet connection. Most Linux wireless cards cannot be configured to function as access points. Consumer-quality access points are usually configured from a web interface at the gateway IP address; 192.168.0.1 and 192.168.1.1 are common factory defaults, and route -n on a connected machine shows the actual gateway. Type that address into a browser from a computer connected to the access point.

Configuration: As with ethernet cards, configuration information for a wireless card is contained in the /etc/sysconfig/network-scripts/ifcfg-xxx file, where xxx is the name of the interface. Wireless cards usually appear as wlan0, wlan1, etc., although some drivers use other names (ethX or ath0, for example); iwconfig with no arguments lists the wireless interfaces present.

There are additional parameters in the ifcfg files specific to wireless cards although some drivers (notably the linux-wlan-ng driver) ignore these parameters and use separate configuration files.

ESSID indicates the name of the network you wish to connect to. This is especially valuable in situations (such as apartment buildings) where there may be multiple access points within range. If no ESSID entry is given (or it is set to "any"), the card associates with whatever access point has the strongest signal, which on a shared building network may well be a stranger's; always set it. The ESSID is configured in the access point.

	DEVICE=wlan0
	NAME=wlan0
	BOOTPROTO=dhcp
	ONBOOT=yes
	ESSID=MYNETWORK461

AP pins the card to the access point with the given MAC hardware address (BSSID). This is the one setting that distinguishes your access point from another one nearby broadcasting the same ESSID. Whether the card falls back to another access point when that one is not found depends on the driver.

	DEVICE=wlan0
	NAME=wlan0
	BOOTPROTO=dhcp
	ONBOOT=yes
	AP=xx:xx:xx:xx:xx:xx
	KEY=s:networkkey

When connecting to networks with WEP encryption, you will also need to specify an encryption key. Keys can be specified as hexadecimal digits or as more readable ASCII strings (with an "s:" prefix as in the example above). The key sits in the ifcfg file in clear text, so the file should not be world-readable. WPA and WPA2 networks are not handled by these parameters; they need wpa_supplicant.

Wireless Utilities: In addition to /sbin/ifconfig, there are two separate utilities for configuring wireless access. iwconfig changes wireless configuration parameters. One common use is changing the ESSID of an active card when it has connected to the wrong network.

	/sbin/iwconfig wlan0 essid name

You can also set the encryption key with a syntax similar to the ifcfg file.

	/sbin/iwconfig wlan0 key s:networkkey

iwlist lists information about the wireless network. One common use is to list the access points in range. This command is not available with cards that use the linux-wlan-ng driver.

	/sbin/iwlist wlan0 scan
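The scan output is where a second access point advertising your ESSID would show up, which is the situation the AP= setting above guards against. The following is an added example, not from the original article: it parses iwlist scan output into one line per access point and reports any access point other than your own that is advertising your ESSID. The scan output it parses is constructed sample data in the wireless-tools format; the MAC addresses in it are invented.

```sh
#!/bin/sh
# Added example, not from the original article: parse "iwlist wlan0 scan"
# output and look for other access points advertising our ESSID.
# The scan below is constructed sample data; on a live system use
#   iwlist wlan0 scan | parse_scan

SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:0C:41:AA:BB:CC
                    ESSID:"MYNETWORK461"
                    Mode:Master
                    Channel:6
                    Encryption key:on
                    Quality=70/100  Signal level=-40 dBm
          Cell 02 - Address: 00:0C:41:DD:EE:FF
                    ESSID:"linksys"
                    Mode:Master
                    Channel:11
                    Encryption key:off
                    Quality=40/100  Signal level=-70 dBm
          Cell 03 - Address: 00:DE:AD:BE:EF:01
                    ESSID:"MYNETWORK461"
                    Mode:Master
                    Channel:6
                    Encryption key:off
                    Quality=90/100  Signal level=-30 dBm'

# parse_scan: reads iwlist output on stdin, prints one tab-separated line per
# access point: MAC, ESSID, encryption (on/off), channel.
parse_scan() {
    awk '
    function flush() { if (mac != "") print mac "\t" essid "\t" enc "\t" chan; mac = "" }
    /Cell [0-9]+ - Address:/ { flush(); mac = $NF; essid = enc = chan = "" }
    /ESSID:/          { essid = $0; sub(/.*ESSID:"/, "", essid); sub(/".*/, "", essid) }
    /Channel:/        { chan = $0; sub(/.*Channel:/, "", chan) }
    /Encryption key:/ { enc = $0; sub(/.*Encryption key:/, "", enc) }
    END { flush() }
    '
}

# rogue_aps ESSID KNOWN_MAC: access points other than KNOWN_MAC that advertise
# ESSID. An open one with a stronger signal than yours is the classic evil twin.
rogue_aps() {
    parse_scan | awk -F'\t' -v essid="$1" -v known="$2" '
        $2 == essid && tolower($1) != tolower(known) { print $1, "enc=" $3, "channel=" $4 }'
}

echo "$SAMPLE_SCAN" | parse_scan
echo "$SAMPLE_SCAN" | rogue_aps MYNETWORK461 00:0c:41:aa:bb:cc
```

The ESSID comparison is exact and the MAC comparison case-insensitive, since iwlist prints addresses in upper case while ifcfg files and iwconfig usually carry them in lower case. Fields are tab-separated so an ESSID containing spaces survives the second awk.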

Security: The major issue with wireless is security. Radio signals are visible to anyone within range, and the original wireless encryption scheme (WEP) can be cracked in minutes from passively captured traffic using tools such as AirSnort or aircrack. Its replacement, WPA (and WPA2, with AES), has no comparable weakness when used with a long random passphrase, and is what you should use wherever both the card and the access point support it (on Linux through wpa_supplicant). While the complex techniques used in professional settings are necessary for a professional level of security, there are a number of steps that can be taken to dramatically improve home wireless network security. Security is, unfortunately, a process, not a step.

  • Change the factory default SSID in your access point
  • Change the default password for the access point Administrator account
  • Enable WPA2 (or WPA) with a long random passphrase; fall back to 128-bit WEP only if some device cannot do better, and treat a WEP network as untrusted
  • Enable the firewalls on all machines connected to your wireless network
  • Enable MAC Address Filtering. This allows only computers from a given set of MAC hardware addresses to connect to your network. It raises the bar only slightly: permitted addresses are visible in the air to anyone sniffing, and a card's address is easily changed
  • Disable SSID Broadcasts. Likewise a minor obstacle, since the SSID still appears in every client's probe and association frames
  • Change the WEP keys (or WPA passphrase) periodically, and change the SSID when you do

Additional Wireless Utilities:

  • Kismet: an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Will not work with ndiswrapper cards or any wireless card that does not support raw monitoring (rfmon) mode
  • AirSnort: another sniffer that can also be used to crack WEP encryption keys

Regular wired network sniffers like Ethereal (renamed Wireshark in 2006) and tcpdump can also be used to sniff packets on a wireless network.


15. Using A Linux Box as a Router

You can use a Linux box as a router and firewall between an internet connection and an internal network. The examples below assume a dialup connection to the internet (ppp0); the interface name can be changed to any network connection (e.g. wlan0, eth1).

Configure default gateway: Add a gateway to /etc/sysconfig/network

	GATEWAYDEV=ppp0

Enable IP Packet Forwarding: Modify the existing entry in /etc/sysctl.conf, then load it with /sbin/sysctl -p (or, for the running kernel only, echo 1 > /proc/sys/net/ipv4/ip_forward)

	net.ipv4.ip_forward = 1

Configure your firewall for IP masquerading: Masquerading is also known as Network Address Translation (NAT). Since internal private network addresses are not valid on the public internet, connections to and from the internet must translate the private IP address to the public IP address of the internet interface. The following example assumes the internal network is 192.168.1.0/24 on eth0. The FORWARD rules matter as much as the NAT rule: packets from the internal network are forwarded only if they actually arrive on eth0 (so a forged internal source address coming in over ppp0 is not forwarded), and packets heading into the internal network are forwarded only if they belong to a connection a machine inside started (ESTABLISHED,RELATED). Everything else is dropped. Older iptables versions write a negated match as "-s ! 192.168.1.0/24"; newer ones require "! -s".

	/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
	/sbin/iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
	/sbin/iptables -A FORWARD -o eth0 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
	/sbin/iptables -A FORWARD -j DROP

Allow Firewall Input: If not already configured to do so, the firewall must be configured to accept messages from the internal network. The following example assumes the internal network is on eth0. RH-Firewall-1-INPUT is the chain Red Hat's firewall tool creates; on a system with a plain rule set use the INPUT chain instead.

	/sbin/iptables -I RH-Firewall-1-INPUT -p ALL -i eth0 -s 192.168.1.0/24 -j ACCEPT

Save firewall settings

	cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.old
	/sbin/iptables-save > /etc/sysconfig/iptables

Restart network services and the firewall

	/etc/init.d/network restart
	/etc/init.d/iptables restart

Restart outgoing interface: If using a dial-up outgoing interface, dial out with wvdial. Other types of connection may need to be brought up with /sbin/ifup.
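The router-side steps above (gateway, forwarding, masquerading, input rules, saving) can be collected into one script. The following is an added example, not from the original article: it prints the rule set as a dry run by default and installs it with --apply. It makes the same assumptions as the text (ppp0 faces the internet, eth0 carries the internal network 192.168.1.0/24) and adds two things the text does not: a rule dropping packets that arrive on ppp0 claiming an internal source address, and the rp_filter sysctl, which makes the kernel drop packets whose source address would not route back out the interface they came in on.

```sh
#!/bin/sh
# Added example, not from the original article: a stateful version of the
# masquerading rules above. Assumptions (as in the article): ppp0 faces the
# internet, eth0 is the internal LAN 192.168.1.0/24. Run with --apply as
# root to install and save the rules; with no arguments it only prints them.

EXT=${EXT:-ppp0}
INT=${INT:-eth0}
LAN=${LAN:-192.168.1.0/24}

# router_rules: the iptables commands, one per line, in the order they must run.
router_rules() {
    # forwarding is allowed only between the two known interfaces; default DROP
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # a packet on the outside interface claiming an inside source is forged
    echo "iptables -A FORWARD -i $EXT -s $LAN -j DROP"
    # LAN to internet: anything the inside machines start
    echo "iptables -A FORWARD -i $INT -o $EXT -s $LAN -j ACCEPT"
    # internet to LAN: only replies to connections the LAN started
    echo "iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -j LOG --log-prefix 'fwd-drop: '"
    # NAT: rewrite the source of outbound packets to the (dynamic) ppp0 address
    echo "iptables -t nat -A POSTROUTING -o $EXT -s $LAN -j MASQUERADE"
    # the router itself: LAN traffic on the inside, replies only on the outside
    echo "iptables -I INPUT -i $INT -s $LAN -j ACCEPT"
    echo "iptables -I INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# router_sysctl: kernel settings that go with the rules (also for /etc/sysctl.conf)
router_sysctl() {
    echo "net.ipv4.ip_forward = 1"
    echo "net.ipv4.conf.all.rp_filter = 1"
}

case "${1:-}" in
    --apply)
        router_rules | sh -e
        router_sysctl | while read -r key eq val; do sysctl -w "$key=$val"; done
        cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.old
        iptables-save > /etc/sysconfig/iptables
        ;;
    *)  router_rules; router_sysctl ;;   # dry run: print only
esac
```

The FORWARD LOG rule sits just before the chain's DROP policy takes over, so any connection the rules refuse shows up in /var/log/messages with its addresses, which is how you find out that a client is trying something the router does not allow.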

Client Configuration: Gateway: Client computers on the network will need to be configured to use the router computer as the default gateway. Edit the /etc/sysconfig/network file and add an entry. This example assumes the router computer is 192.168.1.1

	GATEWAY=192.168.1.1

Client Configuration: Nameservers: Client computers need a nameserver that will resolve internet names into IP addresses, listed in /etc/resolv.conf. On a directly connected machine the dialer or DHCP client writes this file automatically; behind the router it must be set by hand. Pointing it at the router only works if the router runs a caching nameserver (which the steps above do not set up); otherwise copy the nameserver lines from the router's own /etc/resolv.conf, which its ISP connection filled in.

	nameserver 192.168.1.1

16. Local Web Server

Linux is widely used on Internet web servers. Most ISPs provide home users with dynamic IP addresses, which makes using your home machine as a public web server impractical without a dynamic DNS service. However, you can still serve your home network as an intranet or use your local machine to test web pages before uploading them to a public server.

Apache: The web server used on almost all Linux systems is Apache and it comes with almost all distributions.

Starting Apache: The Apache daemon goes by its old name httpd and can be started with the standard init script:

	/etc/init.d/httpd start

To configure Apache to start at boot time:

	/sbin/chkconfig httpd on

Apache Configuration File: The configuration file for Apache is /etc/httpd/conf/httpd.conf. The basic configuration file that comes with the installation should be suitable for simple server configurations. It contains extensive commentary documentation if you need to change anything.

Document Root: The document root is the root directory used by Apache for serving pages - this is where the base index.html is located. By default the document root is /var/www/html/. The document root can be changed, although it is safest if you just link /var/www/html to the desired directory if you need to change it.

Creating A Temporary domain Alias: If you are testing a website offline before uploading it to a public server, you can use the /etc/hosts file to temporarily alias a domain name to point to your local machine. For example, when testing michaelminn.net, I point michaelminn.net to the loopback address so it will be served by Apache on my machine:

127.0.0.1	localhost.localdomain localhost michaelminn.net

Accessing the Web Server: With Apache running, you can then access your web pages through the loopback address or any of the configured aliases:

	http://127.0.0.1
	http://localhost

SELinux: Security Enhanced Linux provides enhanced security, but can be a pain. When configuring Apache to use a DocumentRoot other than the default, httpd may fail to start and will leave a message in /var/log/messages like:

	audit(1162480826.087:2): avc:  denied  { getattr } for  pid=2004 
	comm="httpd" name="michaelminn.dom" dev=hda6 ino=4517569 
	scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

This can be fixed by changing the security context for your directory:

	chcon -v -R -h -t httpd_user_content_t /home/michaelminn.net

Password Protecting Files: Apache provides a facility for password-protecting files and directories using .htaccess files. While .htaccess files can be quite complex and perform numerous other functions, rudimentary password protection for all files in a directory can be implemented with the following steps:

Create a .htaccess file in the directory you want to protect. Note that AuthUserFile must be given as the full path to the password file; replace <path> with the full path to the directory:

	AuthType Basic
	AuthName "Enter Password"
	AuthUserFile <path>/password.file
	Require valid-user

In the directory you want to protect run the htpasswd command. Replace <username> with the username of your choice and enter the password of your choice when prompted:

	htpasswd -c password.file <username>

You can password-protect specific files by enclosing the Require directive in a <Files> section. For example, to protect just the .mp3 files in the directory, your .htaccess would be:

	AuthType Basic
	AuthName "Enter Password"
	AuthUserFile <path>/password.file
	<Files *.mp3>
	Require valid-user
	</Files>

Whenever access is attempted to the protected files in that directory, the user will be prompted for a password. Note that only the files named in the <Files> section are protected; everything else in the directory, including password.file if it is kept there, remains accessible unless Apache is separately configured to deny it.

Note that apache will not do authentication when accessing a directory locally via localhost.



17. Diagnostic Utilities

Networks always have problems and diagnosis of those problems is the primary activity of network administrators. Diagnosing and solving network problems is a black art that can only be covered superficially here, but the following are some basic utilities for diagnosing problems. Many of these programs are mentioned in more detail above and you can get further information on the command line with the "man <command>" command.

ifconfig: The first step is to verify that the interface you are trying to connect to the network with is up and has a valid IP address. ifconfig with no arguments lists all the network interfaces on a system; with arguments it can also configure them. If the interface is not displayed or does not have an IP address, your system cannot connect to the network through that interface. The example output given below shows the interface IP address as 192.168.1.47 and, with the given mask, the default gateway is 192.168.1.1. The "RX bytes" and "TX bytes" counters show whether there has been any traffic on an interface, implying that it is or was working at some point. lo is the loopback interface, present on every system, that is, in essence, connected only to itself.

	eth0      Link encap:Ethernet  HWaddr 00:0F:B0:66:40:C2  
	          inet addr:192.168.1.47  Bcast:255.255.255.255  Mask:255.255.255.0
	          inet6 addr: fe80::20f:b0ff:fe66:40c2/64 Scope:Link
	          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	          RX packets:29369 errors:0 dropped:0 overruns:0 frame:0
	          TX packets:32776 errors:0 dropped:0 overruns:0 carrier:0
	          collisions:0 txqueuelen:1000 
	          RX bytes:20428276 (19.4 Mb)  TX bytes:21405541 (20.4 Mb)
	          Interrupt:11 Base address:0x3000

	lo        Link encap:Local Loopback  
	          inet addr:127.0.0.1  Mask:255.0.0.0
	          inet6 addr: ::1/128 Scope:Host
	          UP LOOPBACK RUNNING  MTU:16436  Metric:1
	          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
	          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
	          collisions:0 txqueuelen:0 
	          RX bytes:592 (592.0 b)  TX bytes:592 (592.0 b)

ping is the second most useful network diagnostic utility. ping allows you to send echo request messages to specific IP addresses and verify that they are up. Generally, in diagnosing a connectivity problem you will first try to ping the interface, then ping the gateway (which can be inferred from the output of ifconfig), and, finally, ping the destination you are trying to reach.

traceroute lists all the routers between you and a destination. This permits detection of the point in a route where there is a problem.

arp allows display and modification of the ARP caches on interfaces. If you need to determine if you have the lowest level connectivity to the network, in this case through interface eth0:

	/sbin/arp -a -i eth0

iwconfig is a utility for displaying and configuring wireless-specific information that is not part of ifconfig. Looking for the connected access point ESSID (or lack thereof) is a common reason to use iwconfig.

iwlist: When connecting to an unfamiliar network, you may want to use the iwlist command to see what access points are available. If no access point ESSID is specified, bringing a wireless interface up will connect to the most powerful AP it sees, which may not be the one you want.

	/sbin/iwlist wlan0 scan

tcpdump is a program for listing network packets. The output can be rather cryptic to the uninitiated, but it is useful for diagnosing problems with NFS or authentication. For example, to display packets visible on interface ppp0:

	/sbin/tcpdump -i ppp0

netstat lists active network connections, routing tables, interface statistics, masquerade connections, and multicast membership.

  • netstat -r: show routing table
  • netstat -a: list all connections, including listening sockets
  • netstat -s: list statistics by protocol
  • netstat -n: show addresses and ports as numbers rather than resolving them to names

host, dig and nslookup are DNS lookup utilities, with dig giving the most detailed output of the bunch. If you are having trouble connecting to a named website, you can use these utilities to find out whether the name is being resolved to an IP address. You can also use these utilities to look up addresses on specific nameservers if your currently configured nameserver is having problems.

route is a utility to list and/or manipulate the IP routing table. If you're having problems with a browser not being able to see a network, this will show if there is a problem in your routing table.

Example route output with a DSL modem

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         dslrouter       0.0.0.0         UG    0      0        0 eth0

Example route output with a dialup modem

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
nas31.newyork1. *               255.255.255.255 UH    0      0        0 ppp0
default         nas31.newyork1. 0.0.0.0         UG    0      0        0 ppp0
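The first two steps of the ping sequence described under ifconfig and ping above (interface up with an address, then the gateway), turned into a check over saved command output. This is an added example, not code from the original page: the ifconfig text is the page's eth0 block, abridged; the route table is a constructed "route -n" rendering of the DSL example with the gateway assumed to be 192.168.1.1.

```python
# Added example, not from the original page: check the first two diagnostic steps
# (interface up with an address, default gateway on that interface's subnet).
import ipaddress
import re

# eth0 block from the ifconfig output above, abridged
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:0F:B0:66:40:C2
          inet addr:192.168.1.47  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""
# constructed `route -n` rendering of the DSL example; 192.168.1.1 is assumed
ROUTE_SAMPLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

def parse_ifconfig(text):
    """Map interface name -> (IPv4Interface or None, is_up) from old ifconfig output."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = block.split()[0]
        m = re.search(r"inet addr:(\S+)\s+(?:Bcast:\S+\s+)?Mask:(\S+)", block)
        addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}") if m else None
        result[name] = (addr, bool(re.search(r"^\s+UP\b", block, re.M)))
    return result

def default_gateway(route_text):
    """Return (gateway address, interface) of the default route, or None."""
    for line in route_text.splitlines():
        if not line[:1].isdigit():
            continue  # title and column header lines
        dest, gw, _genmask, flags, *_rest, iface = line.split()
        if dest == "0.0.0.0" and "G" in flags:
            return ipaddress.ip_address(gw), iface
    return None

def gateway_on_link(ifconfig_text, route_text):
    """Diagnose in the order the text recommends: interface first, then gateway."""
    found = default_gateway(route_text)
    if found is None:
        return "no default route: check GATEWAY= in /etc/sysconfig/network"
    gateway, iface = found
    addr, is_up = parse_ifconfig(ifconfig_text).get(iface, (None, False))
    if addr is None or not is_up:
        return f"{iface} is down or has no IP address"
    if gateway not in addr.network:
        return f"gateway {gateway} is not on {iface} network {addr.network}"
    return f"ok: ping {gateway} next, then the destination"
```

Feed it the real output of "ifconfig" and "route -n" on the machine; a gateway that is not on the interface's subnet is the routing-table mistake that makes every ping after the interface fail.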

whois queries the Internet WhoIs database to find out who a domain name is registered to. Anonymous or third-world registrations often indicate entities that you should have no dealings with. whois can also be used to list the organization to which an IP address has been assigned, although this information will often only lead you to an ISP that controls a block of IP addresses and not to the company or individual who is actually using that IP address.

airsnort: When you need to connect to an encrypted network but do not have the encryption key, AirSnort can listen to traffic for a period of time and determine the key.

nmap is a network exploration tool and security scanner with many options. The -sT option is especially useful for detecting "open ports" that represent potential entry paths for invaders; the results of this scan may indicate unnecessary services you want to shut down or unnecessary permissions in your firewall.

	Example: scan a local address for open ports
		nmap -sT 192.168.1.1

	Example: look for hosts on a network
		nmap -sP 172.16.1.1-127

Netdisco is an open source web-based network management tool. It's quite complex and I mention it here only as a suggestion if you're looking for network discovery software.

nmblookup, smbstatus and findsmb are utilities for diagnosing and establishing Samba connections to Windoze systems. They are described earlier in this document.


All content on this site (c) 2000-2008 by Michael Minn or the respective copyright owners.