Linux Home Networking

Author: Michael Minn (see michaelminn.com for contact info)

10 March 2012

A brief introduction of hardware and techniques for networking Linux computers in a home environment

1. Introduction

From it's origins, the UNIX operating system has been oriented around networking and UNIX machines are generally very easy to network and use on networks. Networking is a huge topic, but the following page contains some basic information that should be helpful for configuring modest home and small business networks. Basic information is also provided for connecting your Linux box to a network associated with a larger institution (such as a university).

Although a number of graphical user interfaces are available for network configuration, use of software that shields the user from the technical workings of their system can sometimes be counterproductive. In a Linux environment where hardware and drivers are not specifically designed for the plethora of configurations, understanding the details of how a system is configured can be extremely helpful for diagnosing problems and actually save time.

With that premise in mind, all configuration in this document is performed by editing system files or using command line programs. This document usually assumes a Ubuntu 8.04, although the commands will usually be valid on other Linux distributions. This document is not intended to be complete and I welcome any suggestions for it's improvement.

2. Hardware

Perhaps the biggest issue facing a Linux user is finding hardware that is supported by vendor or open source drivers. Many manufacturers guard information about their hardware as trade secrets and see no need to expend effort on developing drivers for a rather small group of Linux users.

Research: However, there are numerous vendors and projects that fill some of the holes. It is therefore ESSENTIAL that before purchasing hardware that you check the hardware compatibility lists AND Google your hardware to verify that drivers are available. The following are some online resources, although they are usually behind the curve and search engines will find up-to-date information.

Hardware Versions: Hardware vendors often change chipsetss while keeping the same model number. This means that two cards with the same model number can actually be completely different hardware, and Linux drivers for the old model may not work for the new version. Linux drivers often trail introduction of a product by months, by which time the vendor may have moved on to yet another chip vendor.

Thankfully, many vendors issue the new hardware with a different "version" number that can be used to distinguish different releases of the same hardware. Product or serial numbers can also be used to distinguish new versions. BUYER BEWARE.

Some information for specific hardware (current at the time of this writing) are given later in this document.

Network Card: Every device on the network needs a network interface of some kind. Most new desktop and laptop computers have Ethernet ports (RJ-45 connectors) and modem ports (RJ-11 or phone line connectors), although the chips driving them may not have Linux drivers. Wireless and wired cards are available as internal cards (for desktops) or PCMCIA or USB devices. Again, do your research before buying.

Switches/Routers: Once you have machines with network cards, you need some way to connect them. For a small number of machines, consumer-quality switches are usually simpler than routers. Routers are more complex and usually associated with a shared internet connection.

Switches and routers often are mixed. There is a central router connected to the internet. Multiple machines in one room can be connected to a switch, which then has a single wire connected to the central router.

Crossover Cables: If you are only connecting two machines, perhaps to share files between a laptop and a desktop, all you need is a crossover cable to connect them. Although this cable appears identical to a regular Ethernet cable, the connectors are wired so the outputs of one machine go to the inputs of the other.

Access Points: For wireless networks, you need one or more access point to serve as a router between machines and between the network and an internet connection. It is possible for wireless machines to connect directly to each other (ad-hoc mode), although most networks centralize control (and internet access) through access points.

Modems: Modems are used to connect to a remote machine (such as your internet service provider) through a phone line (dial-up or DSL) or cable connection.

4. Single Computer With a DSL or Cable Modem

If you have a single computer and a single high-speed Internet connection, setup is probably described by your ISP. Most common contemporary Linux distributions have daemons that detect Ethernet connections and automatically activate the network interfaces. However, it is possible to manually configure, start and stop interfaces without the aid of mysterious background processes.

Device NamesAn internal, PCMCIA or USB networking device that has appropriate supporting modules installed on a machine will be recognized at boot or by hotplugging when the device plugged into the machine. Ethernet devices recieve the name ethX, where X is a number assigned by the sequence in which the device is detected. The first device is eth0, second device eth1, etc.

Configuration files for Fedora distributions are located in /etc/sysconfig/network-scripts. They are named ifcfg-XXXX, where XXXX is the name of the device. For example, my /etc/sysconfig/network/ifcfg-eth0 file for an internal card connected to a DSL modem that is started at boot time. The DSL modem has DHCP, which assigns my interface an IP address:


For a statically configured IP address on an interface that must be started manually:


Debian/Ubuntu distributions have a single network interface configuration file, /etc/network/interfaces. Interfaces are configured with a single line. For example, my internal network card eth0, connected to a DSL modem and getting its IP address from DHCP on the modem:

	iface eth0 inet dhcp

Interfaces can be manually started with the ifup and ifdown commands (run with superuser authority):

	sudo ifup eth0

5. A Two Computer Network with NFS

If you just need to share or transfer files between two systems, you can set up a simple network using a crossover cable or switch.

Install NFS: Files under Network File System (NFS) are served by a server and accessed by a client. If you want to provide mutual access to files between two machines you will need to set both machines up as NFS servers and clients. If only one machine is being used for file storage, you only need NFS server on the source machine and the NFS client software on the other machine.

Ubuntu distributions install the user-space NFS server (unfs3 was formerly called nfs-user-server) with:

	sudo apt-get install portmap unfs3

The NFS client software is installed with:

	sudo apt-get install nfs-common

Crossover Cable: For hardware, each computer needs an Ethernet card (10/100BaseT) and an RJ-45 CROSSOVER cable. Note that this is a crossover cable and not just a regular CAT-5 patch cable. Unless you're using a hub, the wires in the cable have to be "crossed over" to directly connect two PCs. Just plug one cable into the network port of one machine and plug the other end into the other machine.

Switch: Optionally, if you wish to share file systems AND an Internet connection, you can interconnect machines by plugging regular Ethernet cables from each machine and the modem into a switch. Consumer grade switches are inexpensive and readily available anywhere computers are sold.

IP Addresses: You will need to configure a static IP address on any machine that is configured as a server. The easiest choice is to use the Class C addresses and on the two machines, respectively.

On a console on the source machine (the one with the files to be transferred), type:

	sudo ifconfig eth0

On the other machine:

	sudo ifconfig eth0

If you are planning on a permanent network, you will want to change the network configuration files to use these static IP addresses at all times, since IP addresses can vary when using DHCP. Network interface static IP address configuration is described in the previous section.

If you also want to connect the server to the Internet through a DSL or able modem, you will have figure out a way to get a consistent IP address supplied to your server by the modem's DHCP service - such as always booting the server first when the network is restarted. This can be an issue with cable modems that assign IP addresses unpredictably and I can offer no reasonable solution.

NFS Exports: The /etc/exports file tells NFS which directories to make visible to network systems. To make the /home directory visible to all machines with the IP addresses given above, the /etc/exports file on both machines would have one line:


Mount point: The network file system will be visible through a mount point, a directory that the file system will associate with the remote machine. You can put this anywhere and call it anything you want, but /mnt or /mount are common places.

	sudo mkdir /mnt/network

/etc/fstab: To tell the Linux file system how to mount the network file system, edit the /etc/fstab file and add the following line on the machine, pointing to the machine.	/mnt/network	nfs	noauto,user,exec,soft,nfsvers=2	0  0

On the machine, the address would be changed to point to the machine. The options in fourth column indicate not to try to mount at boot time (noauto), to allow a regular user (not just superuser) to mount the drive (user) and to timeout rather than retrying indefinitely if there is a problem accessing the device (soft). The given mount point (/mnt/network) can be any directory you prefer. To avoid confusion about different versions of the NFS protocols, the explicit version option is given above (nfsvers=2)

Start NFS: Start the NFS daemons on the server

	/etc/init.d/unfs3 restart

Mount: Network file systems just like physical drives:

	mount /mnt/network

Network file systems can also be mounted explicitly (without an entry in the /etc/fstab file:

	mount -o nfsvers=2 /mnt/network

You should now be able to see your remote directories under /mnt/network.

Disabling NFS Start On Boot: If you are not planning on regularly accessing files via NFS, you should not leave the NFS server running and vulnerable to outside attacks. The startup scripts for the user-space NFS server are in the /etc/rc* directories and you should rename them with the K prefix instead of the S prefix so they do not start at boot time:

	sudo rename s/S/K/ /etc/rc*/*unfs*

6. A Two Computer Network with NFS via Wireless

A wireless connection can be used to interconnect two computers in place of an ethernet crossover cable. If you have a wireless router, the instructions above can be used with the addresses assigned by the router's DHCP server.

If you don't have a wireless router, you can create an "Ad-Hoc" wireless network to interconnect the two machines. The following instructions should be executed on both machines to set the card into ad-hoc mode, specify a frequency, set the network name and set a WEP encryption key. Note that encryption keys specified as ASCII strings (s:) must be exactly 5 or 13 characters:

	sudo iwconfig wlan0 mode Ad-Hoc
	sudo iwconfig wlan0 channel 4
	sudo iwconfig wlan0 essid omega
	sudo iwconfig wlan0 key s:alpha

On the server machine, bring the interface up with the server address:

	sudo ifconfig wlan0

On the client machine, bring the interface up with the client address:

	sudo ifconfig wlan0

Attempt to ping the remote machine from the client to verify connectivity:


	PING ( 56(84) bytes of data.
	64 bytes from icmp_seq=1 ttl=64 time=2.21 ms
	64 bytes from icmp_seq=2 ttl=64 time=0.445 ms

You should then be able to mount the remote filesystem on the client:

	mount /mnt/network

7. NFS Debugging

NFS can be a MAJOR pain in the ass to get running, with cryptic error messages and strange freezes. The following are some errors I encountered and potential fixes. Some of these date from a previous experience with Fedora and they remain here for completeness. When all else fails, Google is your friend.

Test the Connection: If mounting of an NFS file system is freezing or failing, you should first verify that you have connectivity to the server using ping.


Should give something like this:

	PING ( 56(84) bytes of data.
	64 bytes from icmp_seq=0 ttl=64 time=0.895 ms
	64 bytes from icmp_seq=1 ttl=64 time=0.435 ms
	64 bytes from icmp_seq=2 ttl=64 time=0.430 ms

If you do not get ping messages, there's a problem with the basic connection between the machines. Verify that your cables are connected properly and firmly seated all the way into their sockets. If you are using a switch, make sure it is powered up and the indicator lights confirm connection. If you are using a crossover cable, make sure it is a crossover cable and not a regular Ethernet cable.

NFS Version

The Linux NFS client supposedly supports NFS protocol versions 2, 3, and 4 but the server doesn't seem quite so robust. nfsvers=2 is used above as the option on the mount command (or in /etc/fstab) to force use of NFS v2. If you fail to use explicit versioning, you may get a message like this:

	sudo mount -v /mnt/network

	mount: no type was given - I'll assume nfs because of the colon
	mount.nfs: timeout set for Wed Dec 29 09:20:34 2010
	mount.nfs: text-based options: 'addr='
	mount.nfs: mount(2): Protocol not supported
	mount.nfs: trying prog 100003 vers 3 prot UDP port 2049
	mount.nfs: mount to NFS server '' failed: RPC Error: Success

By contrast, when you use explicit versioning:

	mount -o nfsvers=2 /mnt/network

	mount: no type was given - I'll assume nfs because of the colon
	mount.nfs: timeout set for Wed Dec 29 09:20:53 2010
	mount.nfs: text-based options: 'nfsvers=2,addr=' on /mnt/network type nfs (rw,nfsvers=2)

Access denied: This is likely caused because the directory you are trying to mount is not specified in /etc/exports on the NFS server. You should verify that file contains the correct info as described above.

	mount.nfs: access denied by server while mounting

RPC Error: Program not registered: This is likely caused because NFS or rpcbind is not running on the server. Execute "/etc/init.d/unfs3 start" on the server as described above.

	mount.nfs: mount to NFS server '' failed: 
	RPC Error: Program not registered

Server Is Down

	mount to NFS server 'x.x.x.x' failed: server is down

This may, in fact, mean that the server is not running or that you do not have connectivity to the server (see above for ping). It can also be caused if the server does not have an entry in /etc/exports giving you permission to mount the requested resource (see above).

However, this message may also be caused by a NFS protocol version mismatch. You should use NFS version 2 as described above.

Permission denied on mount

	statd: Could not chdir: Permission denied
	mount.nfs: rpc.statd is not running but is required for remote locking.
	mount.nfs: Either use '-o nolock' to keep locks local, or start statd.

This is a strange one. The easiest solution was to just mount as superuser:

	sudo mount /mnt/network

However, subsequent mounts as non-superuser worked fine, so go figure.

Starting NFS quotas: Cannot register service

	Starting NFS quotas: Cannot register service: RPC: 
	Unable to receive; errno = Connection refused
	rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp).

This is a mysterious one. Seems to magically go away if you just restart NFS.

	/etc/init.d/unfs3 restart

Firewall - iptables: If you are running a non-Ubuntu configuration or you have iptables running as a firewall, it needs to be configured to allow the client machine(s) to access NFS. On both machines, add a new iptables rule that accepts all input on the eth0 interface from the local network (both and List the new table and if everything looks good, save it to the /etc/sysconfig/iptables file.

	sudo iptables -I INPUT -p ALL -i eth0 -s -j ACCEPT
	sudo iptables -L
	sudo iptables-save > /etc/sysconfig/iptables

RPC: Port mapper failure - RPC: Unable to receive: NFS uses TCP/IP port 2049. The default firewalls on many distributions may cause mounting a drive on a remote machine to fail with the message:

	RPC: Port mapper failure - RPC: Unable to receive

Solution is changing the iptable settings as described above.

RPC: Timed out

The firewall settings on the server or client may cause the mount to hang and eventually issue the message:

	RPC: Timed out

Solution is changing the iptable settings as described above.

Debugging - Ports: NFS uses TCP port 2049. rpcinfo can be used to list available ports. Problems with rpcinfo indicates a machine is not accepting NFS requests.


You can also verify open ports with netstat. nfs should be listed for both tcp and udp, although only the tcp port will be in LISTEN state

	# netstat -tul

	Active Internet connections (only servers)
	Proto Recv-Q Send-Q Local Address           Foreign Address         State      
	tcp        0      0 *:nfs                   *:*                     LISTEN      
	tcp        0      0 *:printer               *:*                     LISTEN      
	tcp        0      0 *:676                   *:*                     LISTEN      
	tcp        0      0 *:sunrpc                *:*                     LISTEN      
	tcp        0      0 *:x11                   *:*                     LISTEN      
	tcp        0      0 *:ha-cluster            *:*                     LISTEN      
	tcp        0      0 *:32893                 *:*                     LISTEN      
	tcp        0      0 *:32894                 *:*                     LISTEN      
	udp        0      0 *:nfs                   *:*                                 
	udp        0      0 *:32782                 *:*                                 
	udp        0      0 *:32783                 *:*                                 
	udp        0      0 *:673                   *:*                                 
	udp        0      0 *:691                   *:*                                 
	udp        0      0 *:bootpc                *:*                                 
	udp        0      0 *:727                   *:*                                 
	udp        0      0 *:sunrpc                *:*     

iptables restart: If all else fails, you can simply stop the firewall.

	sudo service iptables stop

If this solves the problem, you should look further into correcting your firewall configuration. Running without a firewall, especially with a connection to the internet exposes your machine to hacking and not recommended.

FYI, an important line in /etc/sysconfig/iptables on some Red Hat configurations may be rejection of port 2049, used by NFS:

	-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT

8. Samba

The Windoze operating system shares files through Server Message Blocks (SMB) and Network Message Blocks (NMB). Directories on a Windoze system that are made available for network access are called Shares.

Samba is an open source package that provides file access between Windoze and Linux machines using SMB/NMB. Samba configuration is a huge topic, but some basic configuration information is given here for a simple home network. The utilities provided with Samba permit both access of Windoze shares from Linux systems and sharing of Linux directories with Windoze systems.

useradd: Samba users from Windoze should have user accounts on the Linux machine. Usernames are added with the useradd command and passwords are set/changed with passwd. All users should have directories in /home as well.

	useradd (username)
	passwd (username)
	mkdir /home/(username)

This can be combined into a single useradd request

	useradd -m -d /home/(username) -p (password) (username)

smbpasswd: Samba keeps usernames and passwords in a separate file from regular Linux passwords. The smbpasswd command is uaed to add/delete Samba users.

	smbpasswd -a (username)

/etc/samba/smb.conf: security: The type of access available for ALL samba shares are defined in the [global] section of /etc/samba/smb.conf. "share" security is read only, "user" security is read-write.

	# read only access
	security = share 
	# security = user

/etc/samba/smb.conf: shares: Samba "shares" are configured in /etc/samba/smb.conf. To configure a share named (sharename), add the following section to the file:

        	comment = Shared directory named (sharename)
	        path = (filepath)
        	valid users = (username)
		read only = No

Starting Samba Services: The rcnmb and rcsmb scripts start Samba filesharing and naming services:

	rcnmb start
	rcsmb start

Mounting Samba Shares: Samba shares on other Linux or Windoze systems can be mounted just like other file systems and /etc/fstab can be used to define mount points and options. Example line in /etc/fstab:

	//(server)/(sharename) /(mountpoint)  smb noauto,user,soft,ip=,username=(user)  0 0

testparm: lists Samba shares and verifies correct syntax of configuration files

smbstatus: a simple program to list currently open Samba connections.

10.2 Accessing Windoze Shares from Linux

It is possible to access shares on a Windoze system from a Linux box either through smbclient (a program similar to FTP) or by mounting the shares as an SMB filesystem on Linux.

The following examples presume unprotected shares. You may need additional workgroup/username/password information if the share is protected.

Static IP Configuration: If you are using a crossover cable between your Windoze and Linux machines and have no DHCP server, you will need to configure a static IP address both machines.

Sharing: Despite Windoze's notorious vulnerability to attack, getting a legitimate share visible to the world requires some confusing firewall configuration (including allowing exceptions) as well as actually configuring the folder to be shared.

Find the IP address of the server: You should be able to get the IP address of the computer hosting the shares by simply viewing the network properties of the host. However, if you are in an unfamiliar environment, you can use NMAP to find valid IP addresses on a network. If the network is set up with DHCP, you can get the IP info for the network with ifconfig. Assuming a network with a mask of

	nmap -sP

List services on the computer: You can get the network name of the host computer by listing available services with nmblookup. Assuming the host computer IP is

	nmblookup -A

List shares on a computer: Assuming that you found the computer is named "mainserver", you can list the available shares with smbclient. Note that server names are normally preceded with "\\", but because the UNIX shell uses the slash as a special character, you use \\ to represent \\ UNLESS you put quotes around the whole name.

	smbclient -L \\\\mainserver -I

Connect to a share: If you only need to do simple transfer of files from/to the share, you can use the smbclient as a simple FTP-like program. Assuming a share named "sharedirectory" on computer "mainserver" with no password:

	smbclient \\\\mainserver\\sharedirectory "" -I

Like FTP, gets can only be of single files, not directories. However, if all you're doing is trying to get a whole directory of files off a Windoze machine, smbconnect has a "tar" command that permits recursive copies of complete directories from Windoze to Linux by creating tar archives. For example, to copy all files from a shared folder to the Linux machine:

	smbclient \\\\mainserver\\sharedirectory "" -Tc backup.tar .

smbmount mounts a share so it can be accessed through the Linux filesystem.

The findsmb and smbtree commands are available for viewing networks, although they requre additional configuration to work properly


DHCP (Dynamic Host Configuration Protocol) is a service provided by a server for assigning IP addresses to network hosts dynamically and eliminating the need to manually assign IP addresses to each computer on a network. The DHCP server needs a static IP address, but all hosts can have their network interface configurations set to get an IP address from the DHCP server.

11.1 DHCP Client

Most non-trivial networks, including networks that have access points or use routers to connect to the internet, have DHCP servers of some kind. A network card will get an address when the interface is brought up. Therefore dhcp must be specified in the config file for the particular interface. For a simple network card on eth0, the /etc/sysconfig/network-scripts/ifcfg-eth0 file will be:


You can verify successful assignment of a dynamic IP address with ifconfig. You can also see diagnostic messages issued when seeking a DHCP address at the end of /var/log/messages

DHCP addresses are "leased" for a set duration. There may be situations (such as DHCP server testing) where you need to relinquish a DHCP lease and acquire a new IP address. This can be done with dhclient. To release an IP address

	/sbin/dhclient -r

To acquire a lease for one new IP address:

	/sbin/dhclient -1

11.2 DHCP Server

/etc/sysconfig/dhcpd: Setup for a simple network is quite easy. Add an entry to /etc/syconfig/dhcpd for the network interface that will be be connected to hosts:


/etc/sysconfig/dhcpd.conf: Add a range of addresses that can be allocated to /etc/dhcpd.conf

	ddns-update-style none;

	subnet netmask {

iptables: Configure the firewall config file to permit incoming DHCP requests. (FYI: DHCP utilizes UDP on ports 67 and 68)

	/sbin/iptables -I INPUT -p ALL -i wlan0 -s -j ACCEPT
	/sbin/iptables-save > /etc/sysconfig/iptables

SuSE Firewall: If you're using SuSe, modify the following line in the /etc/sysconfig/SuSEfirewall2 file:


Lease Info: Information about current DHCP leases is listed in /var/lib/dhcp/dhcpd.leases

10. Dialup Access

Although dialup access to the internet is rapidly going the way of buggy whips, millions of people still connect to the internet via analog phone lines. And travelers who stay in cheap hotels often find it necessary to get a dialup connection.

Internal Modems: Finding a modem that works with Linux is actually a bit harder than it would seem. Most laptop and external modem designers have chosen to simplify their designs by moving some of the analog signal processing out of hardware and into the driver software. Since these drivers are almost never written for Linux, this presents a severe problem. However, there are a relatively small number of manufacturers making the chips used in these WinModems and, thankfully, SOME manufacturers and private developers have developed Linux drivers.

Some resources for finding Linmodem info:

To know which driver to use, you need to know what chip the modem uses. This can be especially difficult on laptops or external devices where it is not easy to pop the case open and see the hardware. For internal modems, if you have Windoze installed, you can get the Properties of your LAN connection for detailed info.

Lacking Windoze info, you may also be able to use the /sbin/lspci -vv command, although this may not be of value since dial-up modems are often hidden behind AC'97 chips, such as this listing from my Toshiba 1905 laptop:

	00:1f.6 Modem: Intel Corp. 82801BA/BAM AC'97 
	Modem (rev 05) (prog-if 00 [Generic])
	Subsystem: Toshiba America Info Systems: Unknown device 0001
	Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- 
	ParErr- Stepping- SERR- FastB2B-
	Status: Cap- 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- 
	<TAbort- <MAbort- >SERR- 

The Windoze info indicates the modem chip is and HSF winmodem from Compal:

	Driver Provider: Agere
	Driver Date 6/21/2002
	Driver Version
	I/O Range 2400-24FF
	I/O Range 2000-207F
	IRQ 11
	Intel AC97
	Conexant SmartMC II

	Device Manager- >Modems->toshiba Software Modem->Diagnostics
	PCI\VEN_8086&DEV_2446&SUBSYS_00011179\REV 05

	VENDOR ID 8086 (Intel Corporation)
	Device ID 2446


External Modems: If you have an internal modem that is not supported or you don't feel like fighting with a driver, you might consider an external modem although that presents more problems.

  • Most external USB modems are WinModems, and unsupported.
  • External hardware modems usually require RS-232 serial connections and most new laptops do not have RS-232 ports
  • Although USB/Serial convertors are availble, many are not supported

A case study for using a USB/Serial convertor with an external modem is given below.

PCMCIA modems are available, although they all seem to use the same driver, which is buggy

wvdial: Once you have a modem, you need software to dial out and establish a connection. Wvdial is an excellent, no-nonsense ppp connection program that can be used for dial-up networking. It can be invoked from the command line without any options. The network device created by wvdial with PPPD is ppp0. Dialing information is given in the /etc/wvdial.conf file. An example is given below. You should modify the phone number, username and password to ones appropriate to your ISP. The modem device may also differ depending on your hardware or winmodem configuration. Usually it is /dev/modem, although my winmodems have names like /dev/ttySL0 and /dev/ttyLT0

	Modem = /dev/modem
	Init1 = ATZ
	Phone = (access number)
	Username = (username provided by ISP)
	Password = (password provided by ISP)

11. Wireless

Creation of and connecting to wireless networks is generally as easy as with wired networks.

Hardware: As before, one of the biggest problems with Linux wireless is finding a card with Linux drivers. Some resourses are listed below. As usual, information gleaned with Google can often be more up-to-date than info contained on web list pages.

Modes: There are two common wireless network configurations:

  • Managed Mode involves having a central Access Point device that manages the network and routes messages between nodes on the network. All devices on a managed mode network communicate via the access point, even when communicating with each other. The access point serves as a router and, usually, as a DHCP server. Managed mode is used on most wireless networks
  • Ad-Hoc Mode involves computers on the network communicating directly with each other. Setup of this kind of network is a bit more complicated (including static IP addresses), although if you do not have an access point, this is the way to go. Computers set up to work in Ad-Hoc mode cannot communicate with Managed networks, and vice-versa.

Access Point: For a managed network, you will need an access point. In a home network, this is usually a separate box that is also used as a router for sharing a high-speed internet connection. Most Linux wireless cards cannot be configured to function as access-points. Consumer-quality access points are usually configured from a web interface that can be accessed through the gateway IP address. Type "" in a browser from a computer connected to the access point.

Configuration: As with Ethernet cards, configuration information for a wireless cards is contained in the /etc/sysconfig/network-scripts/ifcfg-xxx file, where xxx is the name of the interface. Wireless cards almost always connect as wlan0, wlan1, etc.

There are additional parameters in the ifcfg files specific to wireless cards although some drivers (notably the linux-wlan-ng driver) ignore these parameters and use separate configuration files.

ESSID indicates the name of the network you wish to connect to. This is especially valuable in situations (such as apartment buildings) where there may be multiple access points functioning. If no ESSID entry is given or no network with the ID is found, the card will connect to the access point with the strongest signal. The ESSID is configured in the access point.


AP is an alternate way of specifying the MAC hardware address of the access point you wish to use. As with ESSID, this will be ignored if the device is not found


When connecting to networks with WEP encryption, you will also need to specify an encryption key. Keys can be specified as hexadecimal digits or as more readable ASCII strings (with a "s:" prefix as in the example above)

Wireless Utilities: In addition to /sbin/ifconfig, there are two separate utilities for configuring wireless access. iwconfig changes wireless configuration parameters. One common use is for changing the ESSID of an active card if it connected to the wrong network.

	/sbin/iwconfig wlan0 essid name

You can also set the encryption key with a syntax similar to the ifcfg file.

	/sbin/iwconfig wlan0 key s:networkkey

iwlist lists information about the wireless network. One useful use is to list available access points. This command is not avaialable with cards that use the linux-wlan-ng driver.

	/sbin/iwlist wlan0 scan

Security: The major issue with wireless is security. Radio signals are visible to anyone and the available wireless encryption scheme (WEP) can be easily cracked using the AirSnort program. While complex security techniques used in professional settings are necessary for a professional leel of security, there are a number of steps that can be taken to dramatically improve home wireless network security. Security is, unfortunately, a process, not a step.

  • Change the factory default SSID in your access point
  • Disable SSID Broadcasts
  • Change the default password for the access point Administrator account
  • Enable MAC Address Filtering. This allows only computers from a given set of MAC hardware addresses to connect to your network
  • Enable WEP 128-bit Encryption (This will slow network access somewhat)
  • Enable the firewalls on all machines connected to your wireless network
  • Change the network SSID periodically
  • Change the WEP encryption keys periodically

Additional Wireless Utilities:

  • Kismet: an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Will not work with ndiswrapper cards or any wireless card that does not support raw monitoring (rfmon) mode
  • AirSnort: another sniffer that can also be used to crack WEP encryption keys

Regular wired network sniffers like Ethereal and TCPDUMP can also be used to sniff packets on a wireless network.

12. Using A Linux Box as a Router

You can use a Linux box as a router and firewall between an internet connection and an internal network. The examples below assume a dialup connection to the internet (ppp0) that can changed to any network connection (e.g. wlan0, eth1)

Enable IP Packet Forwarding: Uncomment the existing entry in /etc/sysctl.conf


Configure your firewall for IP masquerading: Masquerading is also known as Network Address Translation (NAT). Since internal private network addresses are not valid on the public internet, connections to and from the internet must translate the private IP address to the public IP address of the internet interface card. The following example assumes the internal network is

	/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
	/sbin/iptables -A FORWARD -s -j ACCEPT
	/sbin/iptables -A FORWARD -d -j ACCEPT
	/sbin/iptables -A FORWARD -s ! -j DROP
	/sbin/iptables-save > /etc/sysconfig/iptables

Allow Firewall Input: If not already configured to do so, the firewall must be configured to accept messages from the internal network. The following example assumes the internal network is on eth0

	/sbin/iptables -I RH-Firewall-1-INPUT -p ALL -i eth0 -s -j ACCEPT

Save firewall settings

	cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.old
	/sbin/iptables-save > /etc/sysconfig/iptables

Restart network services and the firewall

	/etc/init.d/network restart
	/etc/init.d/iptables restart

Restart outgoing interface: If using a dial-up outgoing interface, dial out with wvdial. Other types of connection may need to be brought up with /etc/ifup.

Client Configuration: Gateway: Client computers on the network will need to be configured to use the router computer as the default gateway. Edit the /etc/sysconfig/network file and add an entry. This example assumes the router computer is


Client Configuration: Nameservers: Client computers need to be configured with a computer that will be used to resolve internet names into IP addresses. Direct connections modify this file automatically, but the router computer must be specified in this situation

14. Local Web Server

Linux is widely used on Internet web servers. Most ISPs provide home users with dynamic IP addresses, making it impossible to use your home machine as an web server. However, you can still service your home network as an intranet or use your local machine to test web pages before uploading them to a public server.

Apache: The web server used on almost all Linux systems is Apache and it comes with almost all distributions.

Starting Apache: The Apache daemon goes by it's old name httpd and can be started with the standard init script:

	/etc/init.d/httpd start

To configure Apache to start at boot time:

	/sbin/chkconfig httpd on

Apache Configuration File: The configuration file for Apache is /etc/httpd/conf/httpd.conf. The basic configuration file that comes with the installation should be suitable for simple server configurations. It contains extensive commentary documentation if you need to change anything.

Document Root: The document root is the root directory used by Apache for serving pages - this is where the base index.html is located. By default the document root is /var/www/html/. The document root can be changed, although it is safest if you just link /var/www/html to the desired directory if you need to change it.

Creating A Temporary domain Alias: If you are testing a website offline before uploading it to a public server, you can use the /etc/hosts file to temporarily alias a domain name to point to your local machine. For example, when testing michaelminn.net, I point michaelminn.net to the loopback address so it will be served by Apache on my machine:	localhost.localdomain localhost michaelminn.net

Accessing the Web Server: With Apache running, you can then access your web pages through the loopback address or any of the configured aliases:

SELinux: Security Enhanced Linux provides enhanced security, but can be a pain. When configuring Apache to use a DocumentRoot other than the default, httpd may fail to start and will leave a message in /var/log/messages like:

	audit(1162480826.087:2): avc:  denied  { getattr } for  pid=2004 
	comm="httpd" name="michaelminn.dom" dev=hda6 ino=4517569 
	scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

This can be fixed by changing the security context for your directory:

	chcon -v -R -h -t httpd_user_content_t /home/michaelminn.net

Password Protecting Files: Apache provides a facility for password-protecting files and directories using the .htaccess. While .htaccess files can be quite complex and perform numerous other functions, rudamentary password protection for all files in a directory can be implemented with the following steps:

Create a .htaccess file in the directory you want to protect. Note that the name of the password file must be a full path to the password file in the directory; replace <path> with the full path to the directory.

	AuthType Basic
	AuthName "Enter Password"
	AuthUserFile <path>/password.file
	Require valid-user

In the directory you want to protect run the htpasswd command. Replace <username> with the username of your choice and enter the password of your choice when prompted:

	htpasswd -c password.file <username>

You can password-protect specific files by specifying them in <Files" directives. For example, to protect just the .mp3 files in the directory, your .htaccess would be:

	AuthType Basic
	AuthName "Enter Password"
	AuthUserFile <path>/password.file
	<Files *.mp3>
	Require valid-user

Whenever access is attempted to files in that directory, the user will be prompted for a password.

Note that apache will not do authentication when accessing a directory locally via localhost.

A nice .htaccess tutorial is HERE.

15. Diagnostic Utilities

Networks always have problems and diagnosis of those problems is the primary activity of network administrators. Diagnosing and solving network problems is a black art that can only be covered superficially here, but the following are some basic utilities for diagnosing problems. Many of these programs are mentioned in more detail above and you can get further information on the command line with the "man <command>" command.

ifconfig: The first step is to verify that the interface you are trying to connect to the network with is up and has a valid IP address. ifconfig with no arguments lists all the network interfaces on a system and allows configuration. If the interface is not displayed or does not have an IP address, your system cannot connect to the network through that interface. The example output given below shows the interface IP address as and, with the given mask, the default gateway is The "RX bytes" and "TX bytes" can be used to determine if there has been any traffic on an interface, implying that it is or was working at some point. lo is the loopback interface on every system that is, in essence, only connected to itself.

	eth0      Link encap:Ethernet  HWaddr 00:0F:B0:66:40:C2  
	          inet addr:  Bcast:  Mask:
	          inet6 addr: fe80::20f:b0ff:fe66:40c2/64 Scope:Link
	          RX packets:29369 errors:0 dropped:0 overruns:0 frame:0
	          TX packets:32776 errors:0 dropped:0 overruns:0 carrier:0
	          collisions:0 txqueuelen:1000 
	          RX bytes:20428276 (19.4 Mb)  TX bytes:21405541 (20.4 Mb)
	          Interrupt:11 Base address:0x3000

	lo        Link encap:Local Loopback  
	          inet addr:  Mask:
	          inet6 addr: ::1/128 Scope:Host
	          UP LOOPBACK RUNNING  MTU:16436  Metric:1
	          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
	          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
	          collisions:0 txqueuelen:0 
         	  RX bytes:592 (592.0 b)  TX bytes:592 (592.0 b)

ping is the second most useful network diagnostic utility. ping allows you to send echo request messages to specific IP addresses and verify that they are up. Generally, in diagnosing a connectivity problem you will first try to ping the interface, then ping the gateway (which can be inferred from the output of ifconfig), and, finally, ping the destination you are trying to reach.

traceroute lists all the routers between you and a destination. This permits detection of the point in a route where there is a problem.

arp allows display and modification of the ARP caches on interfaces. If you need to determine if you have the lowest level connectivity to the network, in this case through interface eth0:

	/sbin/arp -a -i eth0

iwconfig is a utility for displaying and configuring wireless-specific information that is not part of ifconfig. Looking for the connected access point ESSID (or lack thereof) is a common reason to use iwconfig.

iwlist: When connecting to an unfamiliar network, you may want to use the iwlist command to see what access points are available. If no access point ESSID is specified, bringing a wireless interface up will connect to the most powerful AP it sees, which may not be the one you want.

	/sbin/iwlist wlan0 scan

tcpdump is a program for listing network packets. The output can be rather obtuse to the uninitiated. Useful for diagnosing problems with NFS or authentication issues. For example, to display packets in ASCII that are passing through interface eth0:

		tcpdump -s 1024 -A -i eth0

In some configurations the filtering used by tcpdump may be so aggressive that it yields no significant output other than ARP requests. In those cases you may need to specify the specific IP network address of the interface you're trying to list traffic from:

		tcpdump -A -s 1024 net

netstat lists active network connections, routing tables, interface statistics, masquerade connections, and multicast membership

  • netstat -r: show routing table
  • netstat -a: list connections
  • netstat -s: list statistics by protocol
  • netstat -n: list port numbers

host, dig and nslookup are DNS lookup utilities, with dig giving the more detailed output of the bunch. If you are having trouble connecting to a named website, you can use these utilities to try to figure out if the name is getting resolved to an IP address. You can also use these utilities to lookup addresses on specific nameservers if your currently configured nameserver is having problems.

route is a utility to list and/or manipulate the IP routing table. If you're having problems with a browser not being able to see a network, this will show if there is a problem in your routing table.

Example route output with a DSL modem

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface     *        U     0      0        0 eth0     *          U     0      0        0 eth0
default         dslrouter         UG    0      0        0 eth0

Example route output with a dialup modem

Destination Gateway Genmask Flags Metric Ref Use Iface nas31.newyork1. * UH 0 0 0 ppp0 default nas31.newyork1. UG 0 0 0 ppp0

whois queries the Internet WhoIs database to find out who a domain name is registered to. Anonymous or third-world registrations often indicate entities that you should have no dealings with. whois can also be used to list to what organization an IP address has been assigned to, although this information will often only lead you to an ISP that controls a block of IP addresses and not to the company or individual who is actually using that IP address.

airsnort: When you need to connect to an encrypted network but do not have the encryption key, AirSnort can listen to traffic for a period of time and determine the key.

nmap is a network exporation tool and security scanner. Lots of options. The -sT option is especially useful for detecting "open ports" that represent potential entry paths for invaders and the results of this scan may indicate unnecessary services you want to shut down or unnecessary permissions in your firewall.

	Example: scan a local address for open ports
		nmap -sT

	Example: looks for hosts on a network
		nmap -sP

Netdisco is an open source web-based network management tool. It's quite complex and I mention it here only as a suggestion if you're looking for network discovery software.

nmblookup, smbstatus and findsmb are utilities for diagnosing and establishing Samba connections to Windoze systems. They are described earlier in this document.

The infrastructure of suburbia can be described as the greatest misallocation of resources in the history of the world. (James Howard Kunstler)