Home

Geography

New York
Rita and Me
US Pop. Growth
Energy for Food
American Theatres
American Infrastructure

Music

Best Served Loud
Fragments
Debut
Together Again
A Face In The Crowd
Time To Move On
Drum Corps

Linux Docs

Toshiba U505-S2960
Toshiba M34X-S114
Toshiba 1800-S203
Toshiba 1905-S303
Toshiba 2755DVD
Toshiba 335CDS
Toshiba T1910
ASUS Eee PC
Command Line
CL Video Editing
Home Network
Peripherals

Linux Software

MMPTP
MMCPM
MMQGIS
MMZX-81
MMXMPCR
MMUSBAUDIO

Web

NAATCO
Privett Family
Andros on Ballet
Kaleidoscope Theatre
Vaughan Discography
Armstrong Discography

Theatre

Resume
Mossadegh
Irreplaceable Commodity
Prod. at the Fringe

Linux On Laptops

Linux Home Networking

Author: Michael Minn (see michaelminn.com for contact info)

15 January 2010

A brief introduction of hardware and techniques for networking Linux computers in a home environment

1. Introduction

From it's origins, the UNIX operating system has been oriented around networking and UNIX machines are generally very easy to network and use on networks. Networking is a huge topic, but the following contains some basic information that should be helpful for configuring modest home and small business networks. Basic information is also provided for connecting your Linux box to a network associated with a larger institution (such as a university).

Although a number of graphical user interfaces are available for network configuration, use of software that shields the user from the technical workings of their system can sometimes be counterproductive. In a Linux environment where hardware and drivers are not specifically designed for the plethora of configurations, understanding the details of how a system is configured can be extremely helpful for diagnosing problems and actually save time.

With that premise in mind, all configuration in this document is performed by editing system files or using command line programs. This document is not intended to be complete and I welcome any suggestions for it's improvement.

2. Hardware

Perhaps the biggest issue facing a Linux user is finding hardware that is supported by vendor or open source drivers. Many manufacturers guard information about their hardware as trade secrets and see no need to expend effort on developing drivers for a rather small group of Linux users.

Research: However, there are numerous vendors and projects that fill some of the holes. It is therefore ESSENTIAL that before purchasing hardware that you check the hardware compatibility lists AND Google your hardware to verify that drivers are available. The following are some online resources, although they are usually behind the curve and search engines will find up-to-date information.

Hardware Versions: Hardware vendors often change chipsetss while keeping the same model number. This means that two cards with the same model number can actually be completely different hardware, and Linux drivers for the old model may not work for the new version. Linux drivers often trail introduction of a product by months, by which time the vendor may have moved on to yet another chip vendor.

Thankfully, many vendors issue the new hardware with a different "version" number that can be used to distinguish different releases of the same hardware. Product or serial numbers can also be used to distinguish new versions. BUYER BEWARE.

Some information for specific hardware (current at the time of this writing) are given later in this document.

Network Card: Every device on the network needs a network interface of some kind. Most new desktop and laptop computers have ethernet ports (RJ-45 connectors) and modem ports (RJ-11 or phone line connectors), although the chips driving them may not have Linux drivers. Wireless and wired cards are available as internal cards (for desktops) or PCMCIA or USB devices. Again, do your research before buying.

Switches/Routers: Once you have machines with network cards, you need some way to connect them. For a small number of machines, consumer-quality switches are usually simpler than routers. Routers are more complex and usually associated with a shared internet connection.

Switches and routers often are mixed. There is a central router connected to the internet. Multiple machines in one room can be connected to a switch, which then has a single wire connected to the central router.

Crossover Cables: If you are only connecting two machines, perhaps to share files between a laptop and a desktop, all you need is a crossover cable to connect them. Although this cable appears identical to a regular ethernet cable, the connectors are wired so the outputs of one machine go to the inputs of the other.

Access Points: For wireless networks, you need one or more access point to serve as a router between machines and between the network and an internet connection. It is possible for wireless machines to connect directly to each other (ad-hoc mode), although most networks centralize control (and internet access) through access points.

Modems: Modems are used to connect to a remote machine (such as your internet service provider) through a phone line (dial-up or DSL) or cable connection.

4. Single Computer With a DSL or Cable Modem

If you have a single computer and a single high-speed Internet connection, setup is probably described by your ISP. Most common contemporary Linux distributions have daemons that detect ethernet connections and automatically activate the network interfaces. However, it is possible to manually configure, start and stop interfaces without the aid of mysterious background processes.

Device NamesAn internal, PCMCIA or USB networking device that has appropriate supporting modules installed on a machine will be recognized at boot or by hotplugging when the device plugged into the machine. Ethernet devices recieve the name ethX, where X is a number assigned by the sequence in which the device is detected. The first device is eth0, second device eth1, etc.

Configuration files for Fedora distributions are located in /etc/sysconfig/network-scripts. They are named ifcfg-XXXX, where XXXX is the name of the device. For example, my /etc/sysconfig/network/ifcfg-eth0 file for an internal card connected to a DSL modem that is started at boot time. The DSL modem has DHCP, which assigns my interface an IP address:

	DEVICE=eth0
	ONBOOT=yes
	BOOTPROTO=dhcp

For a statically configured IP address on an interface that must be started manually:

	DEVICE=eth0
	ONBOOT=no
	BOOTPROTO=static
	IPADDR=192.168.1.1
	NETMASK=255.255.255.0

Debian/Ubuntu distributions have a single network interface configuration file, /etc/network/interfaces. Interfaces are configured with a single line. For example, my internal network card eth0, connected to a DSL modem and getting its IP address from DHCP on the modem:

	iface eth0 inet dhcp

Interfaces can be manually started with the ifup and ifdown commands (run with superuser authority):

	sudo ifup eth0

5. A Two Computer Network with NFS

If you just need to share or transfer files between two systems, you can set up a simple network using a crossover cable or switch.

Install NFS: To provide mutual access to files between both machines, you will need to set both machines up as Network File System file servers and clients. If only one machine is being used for file storage, you only need NFS on that machine. Fedora distributions come with NFS installed, but you can verify/install with:

	sudo yum install nfs-utils system-config-nfs

Ubuntu distributions install with:

	sudo apt-get install portmap nfs-kernel-server
	sudo apt-get install portmap nfs-common

Crossover Cable: For hardware, each computer needs an ethernet card (10/100BaseT) and an RJ-45 CROSSOVER cable. Note that this is a crossover cable and not just a regular CAT-5 patch cable. Unless you're using a hub, the wires have to be "crossed over" to directly connect two PCs. Just plug one cable into the network port of one machine and plug the other end into the other machine.

Switch: Optionally, if you wish to share file systems AND and internet connection, you can interconnect machines by plugging regular ethernet cables from each machine and the modem into a switch. Consumer grade switches are inexpensive and readily available anwhere computers are sold.

IP Addresses: Unless you have a DHCP server or want to set one up, you will need to choose static IP addresses on the two machines. Easiest choice is to use the Class C addresses 192.168.1.1 and 192.168.1.2 on my two machines, respectively.

On a console on the source machine (the one with the files to be transferred), type:

	sudo ifconfig eth0 192.168.1.1

On the other machine:

	sudo ifconfig eth0 192.168.1.2

If you are planning on a permanent network, you will want to change the network configuration files to use these static IP addresses at all times, since IP addresses can vary when using DHCP. Network interface static IP address configuration is described in the previous section.

Firewall - iptables: The iptables firewall needs to be configured to allow the remote machine to access NFS. On both machines, add a new iptables rule that accepts all input on the eth0 interface from the local network (both 192.168.1.1 and 192.168.1.2). List the new table and if everything looks good, save it to the /etc/sysconfig/iptables file.

	sudo iptables -I INPUT -p ALL -i eth0 -s 192.168.1.0/255.255.255.0 -j ACCEPT
	sudo iptables -I INPUT -p ALL -i eth0 -s 192.168.1.2 -j ACCEPT
	sudo iptables -L
	sudo iptables-save > /etc/sysconfig/iptables

NFS Exports: The /etc/exports file tells NFS which directories to make visible to network systems. To make the /home directory visible (read only) to both machines with the IP addresses given above, the /etc/exports file on both machines would have one line: 

	/home 192.168.1.0/255.255.255.0(ro)

Export these file systems after modifying /etc/exports. The file systems will subsequently be exported each time the system is rebooted. 

	sudo exportfs -a -v

Mount point: The network file system will be visible through a mount point, a directory that the file system will associate with the remote machine. You can put this anywhere and call it anything you want, but /mnt or /mount are common places.

	sudo mkdir /mnt/network

/etc/fstab: To tell the Linux file system how to mount the network file system. Edit the /etc/fstab file and add the following line on the 192.168.1.2 machine, pointing to the 192.168.1.1 machine.

	192.168.1.1:/home	/mnt/network	nfs	noauto,user,exec,soft	0  0

On the 192.168.1.1 machine, the address would be changed to point to the 192.168.1.2 machine. The options in fourth column indicate not to try to mount at boot time (noauto), to allow a regular user (not just superuser) to mount the drive (user) and to timeout rather than retrying indefinitely if there is a problem accessing the device (soft). The given mount point (/mnt/network) can be any directory you prefer. If there is a confusion about protocols with the serve, and explicit version option may also be necessary (i.e. nfsvers=2)

Start NFS: Start the NFS daemons 

	sudo service rpcbind start
	sudo service nfs start

Mount: Network file systems just like physical drives:

	mount /mnt/network

Network file systems can also be mounted explicitly (without an entry in the /etc/fstab file: 

	mount 192.168.1.1:/home /mnt/network

You should now be able to see your remote directories under /mnt/network.

Configure NFS to Start On Boot: This will cause the NFS daemons to be started at boot time. Since this opens potential vulnerability to hackers, you should not do this if you do not plan to use NFS regularly.

	sudo chkconfig nfs on
	sudo chkconfig nfslock on
	sudo chkconfig rpcbind on

6. NFS Debugging

NFS can be a major pain in the ass to get running, with cryptic error messages and strange freezes. The following are some errors I encountered and potential fixes.

More detailed instructions are available for NFS setup on Fedora and Ubuntu. And when all else fails, Google is your friend.

Permission denied on mount

	statd: Could not chdir: Permission denied
	mount.nfs: rpc.statd is not running but is required for remote locking.
	mount.nfs: Either use '-o nolock' to keep locks local, or start statd.

This is a strange one. The easiest solution was to just mount as superuser:

	sudo mount /mnt/network

However, subsequent mounts as non-superuser worked fine, so go figure.

RPC Error: Program not registered

	mount.nfs: mount to NFS server '192.168.1.1:/home' failed: 
	RPC Error: Program not registered

rpcbind may not be running or may have an out-of-date configuration. Restart it to be sure:

	sudo service rpcbind restart

Starting NFS quotas: Cannot register service 

	Starting NFS quotas: Cannot register service: RPC: 
	Unable to receive; errno = Connection refused
	rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp).

This is a mysterious one. Seems to magically go away if you just restart NFS.

	sudo service rpcbind stop
	sudo service nfs stop

	sudo service rpcbind start
	sudo service nfs start

RPC: Port mapper failure - RPC: Unable to receive: NFS uses TCP/IP port 2049. The default firewalls on many distributions may cause mounting a drive on a remote machine to fail with the message:

	RPC: Port mapper failure - RPC: Unable to receive

Solution is changing the iptable settings as described above.

RPC: Timed out

The firewall settings on the server or client may cause the mount to hang and eventually issue the message: 

	RPC: Timed out

Solution is changing the iptable settings as described above.

Test the Connection: If the system is configured properly, you should be able to ping one system from the other. You can also ping yourself. If you're on 192.168.1.1:

	ping 192.168.1.2

Should give something like this: 

	PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
	64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.895 ms
	64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.435 ms
	64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.430 ms

If you do not get ping messages, there's a problem with the basic connection between the machines. Verify that your cables are connected properly and firmly seated all the way into their sockets. If you are using a switch, make sure it is powered up and the indicator lights confirm connection. If you are using a crossover cable, make sure it is a crossover cable and not a regular ethernet cable.

Debugging - Server Is Down 

	mount to NFS server 'x.x.x.x' failed: server is down

This may, in fact, mean that the server is not running or that you do not have connectivity to the server (see above for ping). It can also be caused if the server does not have an entry in /etc/exports giving you permission to mount the requested resource (see above).

However, this message may also be caused by a NFS protocol version mismatch. The Linux NFS client supposedly supports NFS protocol versions 2, 3, and 4 but the server doesn't seem quite so robust. Use the nfsvers=2 option on the mount command (or in /etc/fstab) to force use of NFSv2.

	mount -o nfsvers=2 192.168.1.1:/home /mnt/network

Much love to Sergejs Svitnevs for pointing this out on an HP IT Resource Center Forum.

Debugging - Ports: NFS uses TCP port 2049. rpcinfo can be used to list available ports. Problems with rpcinfo indicates a machine is not accepting NFS requests.

	rpcinfo

You can also verify open ports with netstat. nfs should be listed for both tcp and udp, although only the tcp port will be in LISTEN state 

	# netstat -tul

	Active Internet connections (only servers)
	Proto Recv-Q Send-Q Local Address           Foreign Address         State      
	tcp        0      0 *:nfs                   *:*                     LISTEN      
	tcp        0      0 *:printer               *:*                     LISTEN      
	tcp        0      0 *:676                   *:*                     LISTEN      
	tcp        0      0 *:sunrpc                *:*                     LISTEN      
	tcp        0      0 *:x11                   *:*                     LISTEN      
	tcp        0      0 *:ha-cluster            *:*                     LISTEN      
	tcp        0      0 *:32893                 *:*                     LISTEN      
	tcp        0      0 *:32894                 *:*                     LISTEN      
	udp        0      0 *:nfs                   *:*                                 
	udp        0      0 *:32782                 *:*                                 
	udp        0      0 *:32783                 *:*                                 
	udp        0      0 *:673                   *:*                                 
	udp        0      0 *:691                   *:*                                 
	udp        0      0 *:bootpc                *:*                                 
	udp        0      0 *:727                   *:*                                 
	udp        0      0 *:sunrpc                *:*

iptables: If all else fails, you can simply stop the firewall.

	sudo service iptables stop

If this solves the problem, you should look further into correcting your firewall configuration. Running without a firewall, especially with a connection to the internet exposes your machine to hacking and not recommended.

FYI, an important line in /etc/sysconfig/iptables on some Red Hat configurations may be rejection of port 2049, used by NFS:

	-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT

10. Samba

The Windoze operating system shares files through Server Message Blocks (SMB) and Network Message Blocks (NMB). Directories on a Windoze system that are made available for network access are called Shares.

Samba is an open source package that provides file access between Windoze and Linux machines using SMB/NMB. Samba configuration is a huge topic, but some basic configuration information is given here for a simple home network. The utilities provided with Samba permit both access of Windoze shares from Linux systems and sharing of Linux directories with Windoze systems.

useradd: Samba users from Windoze should have user accounts on the Linux machine. Usernames are added with the useradd command and passwords are set/changed with passwd. All users should have directories in /home as well.

	useradd (username)
	passwd (username)
	mkdir /home/(username)

This can be combined into a single useradd request

	useradd -m -d /home/(username) -p (password) (username)

smbpasswd: Samba keeps usernames and passwords in a separate file from regular Linux passwords. The smbpasswd command is uaed to add/delete Samba users.

	smbpasswd -a (username)

/etc/samba/smb.conf: security: The type of access available for ALL samba shares are defined in the [global] section of /etc/samba/smb.conf. "share" security is read only, "user" security is read-write.

	[global]
	# read only access
	security = share 
	# security = user

/etc/samba/smb.conf: shares: Samba "shares" are configured in /etc/samba/smb.conf. To configure a share named (sharename), add the following section to the file:

	[(sharename)]
        	comment = Shared directory named (sharename)
	        path = (filepath)
        	valid users = (username)
		read only = No

Starting Samba Services: The rcnmb and rcsmb scripts start Samba filesharing and naming services:

	rcnmb start
	rcsmb start

Mounting Samba Shares: Samba shares on other Linux or Windoze systems can be mounted just like other file systems and /etc/fstab can be used to define mount points and options. Example line in /etc/fstab:

	//(server)/(sharename) /(mountpoint)  smb noauto,user,soft,ip=192.168.1.1,username=(user)  0 0

testparm: lists Samba shares and verifies correct syntax of configuration files

smbstatus: a simple program to list currently open Samba connections.

10.2 Accessing Windoze Shares from Linux

It is possible to access shares on a Windoze system from a Linux box either through smbclient (a program similar to FTP) or by mounting the shares as an SMB filesystem on Linux.

The following examples presume unprotected shares. You may need additional workgroup/username/password information if the share is protected.

Find the IP address of the server: You should be able to get the IP address of the computer hosting the shares by simply viewing the network properties of the host. However, if you are in an unfamiliar environment, you can use NMAP to find valid IP addresses on a network. If the network is set up with DHCP, you can get the IP info for the network with ifconfig. Assuming a 192.168.0.0 network with a mask of 255.255.255.0

	nmap -sP 192.168.0.0/24

List services on the computer: You can get the network name of the host computer by listing available services with nmblookup. Assuming the host computer IP is 192.168.0.1:

	nmblookup -A 192.168.0.1

List shares on a computer: Assuming that you found the 192.168.0.1 computer is named "mainserver", you can list the available shares with smbclient. Note that server names are normally preceded with "\\", but because the UNIX shell uses the slash as a special character, you use \\ to represent \\ UNLESS you put quotes around the whole name.

	smbclient -L \\\\mainserver -I 192.168.0.1

Connect to a share: If you only need to do simple transfer of files from/to the share, you can use the smbclient as a simple FTP-like program. Assuming a share named "sharedirectory" on computer "mainserver":

	smbclient "\\mainserver\sharedirectory" "" -I 192.168.0.1

smbmount mounts a share so it can be accessed through the Linux filesystem.

The findsmb and smbtree commands are available for viewing networks, although they requre additional configuration to work properly

11. DHCP

DHCP (Dynamic Host Configuration Protocol) is a service provided by a server for assigning IP addresses to network hosts dynamically and eliminating the need to manually assign IP addresses to each computer on a network. The DHCP server needs a static IP address, but all hosts can have their network interface configurations set to get an IP address from the DHCP server.

11.1 DHCP Client

Most non-trivial networks, including networks that have access points or use routers to connect to the internet, have DHCP servers of some kind. A network card will get an address when the interface is brought up. Therefore dhcp must be specified in the config file for the particular interface. For a simple network card on eth0, the /etc/sysconfig/network-scripts/ifcfg-eth0 file will be: 

	DEVICE=eth0
	NAME=eth0
	BOOTPROTO=dhcp
	ONBOOT=yes

You can verify successful assignment of a dynamic IP address with ifconfig. You can also see diagnostic messages issued when seeking a DHCP address at the end of /var/log/messages

DHCP addresses are "leased" for a set duration. There may be situations (such as DHCP server testing) where you need to relinquish a DHCP lease and acquire a new IP address. This can be done with dhclient. To release an IP address 

	/sbin/dhclient -r

To acquire a lease for one new IP address: 

	/sbin/dhclient -1

11.2 DHCP Server

/etc/sysconfig/dhcpd: Setup for a simple network is quite easy. Add an entry to /etc/syconfig/dhcpd for the network interface that will be be connected to hosts: 

	DHCPD_INTERFACE="eth0"

/etc/sysconfig/dhcpd.conf: Add a range of addresses that can be allocated to /etc/dhcpd.conf 

	ddns-update-style none;

	subnet 192.168.1.0 netmask 255.255.255.0 {
	  range 192.168.1.3 192.168.1.3;
	  }

iptables: Configure the firewall config file to permit incoming DHCP requests. (FYI: DHCP utilizes UDP on ports 67 and 68) 

	/sbin/iptables -I INPUT -p ALL -i wlan0 -s 192.168.2.3 -j ACCEPT
	/sbin/iptables-save > /etc/sysconfig/iptables

SuSE Firewall: If you're using SuSe, modify the following line in the /etc/sysconfig/SuSEfirewall2 file: 

	FW_SERVICE_DHCPD="yes"

Lease Info: Information about current DHCP leases is listed in /var/lib/dhcp/dhcpd.leases

12. Dialup Access

Although dialup access to the internet is rapidly going the way of buggy whips, millions of people still connect to the internet via analog phone lines. And travelers who stay in cheap hotels often find it necessary to get a dialup connection.

Internal Modems: Finding a modem that works with Linux is actually a bit harder than it would seem. Most laptop and external modem designers have chosen to simplify their designs by moving some of the analog signal processing out of hardware and into the driver software. Since these drivers are almost never written for Linux, this presents a severe problem. However, there are a relatively small number of manufacturers making the chips used in these WinModems and, thankfully, SOME manufacturers and private developers have developed Linux drivers.

Some resources for finding Linmodem info:

To know which driver to use, you need to know what chip the modem uses. This can be especially difficult on laptops or external devices where it is not easy to pop the case open and see the hardware. For internal modems, if you have Windoze installed, you can get the Properties of your LAN connection for detailed info.

Lacking Windoze info, you may also be able to use the /sbin/lspci -vv command, although this may not be of value since dial-up modems are often hidden behind AC'97 chips, such as this listing from my Toshiba 1905 laptop: 

	00:1f.6 Modem: Intel Corp. 82801BA/BAM AC'97 
	Modem (rev 05) (prog-if 00 [Generic])
	Subsystem: Toshiba America Info Systems: Unknown device 0001
	Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- 
	ParErr- Stepping- SERR- FastB2B-
	Status: Cap- 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- 
	<TAbort- <MAbort- >SERR- 


The Windoze info indicates the modem chip is and HSF winmodem from Compal:


	Driver Provider: Agere
	Driver Date 6/21/2002
	Driver Version 2.1.15.0
	I/O Range 2400-24FF
	I/O Range 2000-207F
	IRQ 11
	Intel AC97
	Conexant SmartMC II

	Device Manager- >Modems->toshiba Software Modem->Diagnostics
	PCI\VEN_8086&DEV_2446&SUBSYS_00011179\REV 05

	8086:2446
	VENDOR ID 8086 (Intel Corporation)
	Device ID 2446
	SUBVENDOR ID 1179
	SUBDEVICE ID 0001
	REVISION ID 05

	VENDOR NAME ICH
	DEVICE NAME ICH2
	SUBVENDOR NAME COMPAL
	MODEM TYPE HSF
	WINXP INBUILD SUPPORT NO




External Modems: If you have an internal modem that is not supported or
you don't feel like fighting with a driver, you might consider an external modem
although that presents more problems.


    

  • Most external USB modems are WinModems, and unsupported.

  • External hardware modems usually require RS-232 serial connections
and most new laptops do not have RS-232 ports

  • Although USB/Serial convertors are availble, many are not supported




A case study for using a USB/Serial convertor with an external modem
is given below.


PCMCIA modems are available, although they all seem to use the same
driver, which is buggy



wvdial: Once you have a modem, you need software to dial out and
establish a connection. Wvdial is an excellent, no-nonsense ppp connection 
program that can be used for dial-up networking. It can be invoked from the 
command line without any options. The network device created by wvdial with 
PPPD is ppp0.  Dialing information is given in the /etc/wvdial.conf file.
An example is given below. You should modify the phone number, username and password 
to ones appropriate to your ISP. The modem device may also differ depending on
your hardware or winmodem configuration. Usually it is /dev/modem, although
my winmodems have names like /dev/ttySL0 and /dev/ttyLT0


	Modem = /dev/modem
	Init1 = ATZ
	Phone = (access number)
	Username = (username provided by ISP)
	Password = (password provided by ISP)










14. Wireless



Creation of and connecting to wireless networks is generally as 
easy as with wired networks.


Hardware: As before, one of the biggest problems with Linux
wireless is finding a card with Linux drivers. Some resourses are listed
below. As usual, information gleaned with Google can often be more
up-to-date than info contained on web list pages.





Modes: There are two common wireless network configurations:

    

  • Managed Mode involves having a central Access Point
device that manages the network and routes messages between nodes on the network. 
All devices on a managed mode network communicate via the access point, even when 
communicating with each other. The access point serves as a router and, usually,
as a DHCP server. Managed mode is used on most wireless networks


  • Ad-Hoc Mode involves computers on the network communicating
directly with each other. Setup of this kind of network is a bit more complicated
(including static IP addresses), although if you do not have an access point,
this is the way to go. Computers set up to work in Ad-Hoc mode cannot communicate
with Managed networks, and vice-versa.




Access Point: For a managed network, you will need an access point. In a 
home network, this is usually a separate box that is also used as a router for 
sharing a high-speed internet connection. Most Linux wireless cards cannot be 
configured to function as access-points. Consumer-quality access points are usually 
configured from a web interface that can be accessed through the gateway IP address.
Type "192.168.0.1" in a browser from a computer connected to the 
access point.



Configuration: As with ethernet cards, configuration information
for a wireless cards is contained in the /etc/sysconfig/network-scripts/ifcfg-xxx
file, where xxx is the name of the interface. Wireless cards almost always 
connect as wlan0, wlan1, etc.


There are additional parameters in the ifcfg files specific to wireless cards
although some drivers (notably the linux-wlan-ng driver) ignore these parameters
and use separate configuration files. 


ESSID indicates the name of the network you wish to connect to. This is
especially valuable in situations (such as apartment buildings) where there may
be multiple access points functioning. If no ESSID entry is given or no network
with the ID is found, the card will connect to the access point with the strongest 
signal. The ESSID is configured in the access point.


	DEVICE=wlan0
	NAME=wlan0
	BOOTPROTO=dhcp
	ONBOOT=yes
	ESSID=MYNETWORK461




AP is an alternate way of specifying the MAC hardware address of the access point 
you wish to use. As with ESSID, this will be ignored if the device is not found


	DEVICE=wlan0
	NAME=wlan0
	BOOTPROTO=dhcp
	ONBOOT=yes
	AP=xx:xx:xx:xx:xx:xx
	KEY=s:networkkey




When connecting to networks with WEP encryption, you will also need to specify
an encryption key. Keys can be specified as hexadecimal digits or as more readable
ASCII strings (with a "s:" prefix as in the example above)



Wireless Utilities: In addition to /sbin/ifconfig, there are two separate
utilities for configuring wireless access. iwconfig changes wireless 
configuration parameters. One common use is for changing the ESSID of an active card
if it connected to the wrong network.


	/sbin/iwconfig wlan0 essid name




You can also set the encryption key with a syntax similar to the ifcfg file.


	/sbin/iwconfig wlan0 key s:networkkey





iwlist lists information about the wireless network. One useful use is
to list available access points. This command is not avaialable with cards that
use the linux-wlan-ng driver.


	/sbin/iwlist wlan0 scan





Security: The major issue with wireless is security. Radio signals
are visible to anyone and the available wireless encryption scheme (WEP)
can be easily cracked using the AirSnort
program.  While complex security techniques 
used in professional settings are necessary for a professional leel of security,
there are a number of steps that can be taken to dramatically improve home
wireless network security. Security is, unfortunately, a process, not a step.


    

  • Change the factory default SSID in your access point

  • Disable SSID Broadcasts

  • Change the default password for the access point Administrator account

  • Enable MAC Address Filtering. This allows only computers from 
a given set of MAC hardware addresses to connect to your network

  • Enable WEP 128-bit Encryption (This will slow network access somewhat)

  • Enable the firewalls on all machines connected to your wireless network

  • Change the network SSID periodically

  • Change the WEP encryption keys periodically




Additional Wireless Utilities:

    

  • Kismet:
an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
Will not work with ndiswrapper cards or any wireless card that does not support
raw monitoring (rfmon) mode

  • AirSnort: another
sniffer that can also be used to crack WEP encryption keys




Regular wired network sniffers like Ethereal and TCPDUMP can also be
used to sniff packets on a wireless network.






15. Using A Linux Box as a Router




You can use a Linux box as a router and firewall between an internet connection
and an internal network. The examples below assume a dialup connection to the
internet (ppp0) that can changed to any network connection (e.g. wlan0, eth1)


Configure default gateway: Add a gateway to /etc/sysconfig/network

	GATEWAYDEV=ppp0




Enable IP Packet Forwarding: Modify the existing entry in /etc/sysctl.conf

	net.ipv4.ip_forward 1




Configure your firewall for IP masquerading: Masquerading is also known
as Network Address Translation (NAT). Since internal private network addresses are
not valid on the public internet, connections to and from the internet must translate
the private IP address to the public IP address of the internet interface card.
The following example assumes the internal network is 192.168.1.0/24

	/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
	/sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
	/sbin/iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
	/sbin/iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP
	/sbin/iptables-save > /etc/sysconfig/iptables




Allow Firewall Input: If not already configured to do so, the firewall 
must be configured to accept messages from the internal network. The following
example assumes the internal network is on eth0


	/sbin/iptables -I RH-Firewall-1-INPUT -p ALL -i eth0 -s 192.168.1.0/24 -j ACCEPT




Save firewall settings

	cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.old
	/sbin/iptables-save > /etc/sysconfig/iptables




Restart network services and the firewall

	/etc/init.d/network restart
	/etc/init.d/iptables restart




Restart outgoing interface: If using a dial-up outgoing interface,
dial out with wvdial. Other types of connection may need to be brought up with /etc/ifup.


Client Configuration: Gateway: Client computers on the network will need
to be configured to use the router computer as the default gateway. Edit the 
/etc/sysconfig/network file and add an entry. This example assumes the router 
computer is 192.168.1.1

	GATEWAY=192.168.1.1




Client Configuration: Nameservers: Client computers need to be
configured with a computer that will be used to resolve internet names into
IP addresses. Direct connections modify this file automatically, but the
router computer must be specified in this situation


	192.168.1.1








16. Local Web Server



Linux is widely used on Internet web servers. Most ISPs provide
home users with dynamic IP addresses, making it impossible to
use your home machine as an web server. However, you can still 
service your home network as an intranet or use your local machine
to test web pages before uploading them to a public server.


Apache: The web server used on almost all Linux systems
is Apache and it comes with almost all distributions.


Starting Apache: The Apache daemon goes by it's old name
httpd and can be started with the standard init script:


	/etc/init.d/httpd start




To configure Apache to start at boot time:


	/sbin/chkconfig httpd on




Apache Configuration File: The configuration file
for Apache is /etc/httpd/conf/httpd.conf. The basic configuration
file that comes with the installation should be suitable for
simple server configurations. It contains extensive commentary
documentation if you need to change anything.


Document Root: The document root is the root directory
used by Apache for serving pages - this is where the base index.html
is located. By default the document root is /var/www/html/.
The document root can be changed, although it is safest if you
just link /var/www/html to the desired directory if you need to
change it.


Creating A Temporary domain Alias: If you are testing
a website offline before uploading it to a public server, you can
use the /etc/hosts file to temporarily alias a domain name to
point to your local machine. For example, when testing michaelminn.net,
I point michaelminn.net to the loopback address so it will be served
by Apache on my machine:


127.0.0.1	localhost.localdomain localhost michaelminn.net




Accessing the Web Server: With Apache running, you can then
access your web pages through the loopback address or any of the 
configured aliases:


	http://127.0.0.1
	http://localhost




SELinux: Security Enhanced Linux provides enhanced security, but
can be a pain. When configuring Apache to use a DocumentRoot other
than the default, httpd may fail to start and will leave a message
in /var/log/messages like:


	audit(1162480826.087:2): avc:  denied  { getattr } for  pid=2004 
	comm="httpd" name="michaelminn.dom" dev=hda6 ino=4517569 
	scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir




This can be fixed by changing the security context for your directory:


	chcon -v -R -h -t httpd_user_content_t /home/michaelminn.net




Password Protecting Files: Apache provides a
facility for password-protecting files and directories using the
.htaccess.
While .htaccess files can be quite complex and perform numerous other
functions, rudamentary password protection for all files in a directory
can be implemented with the following steps:



Create a .htaccess file in the directory you want to protect. 
Note that the name of the password file must be a full path to
the password file in the directory; replace <path> with the 
full path to the directory.


	AuthType Basic
	AuthName "Enter Password"
	AuthUserFile <path>/password.file
	Require valid-user




In the directory you want to protect run the htpasswd command. Replace
<username> with the username of your choice and enter the password
of your choice when prompted:



	htpasswd -c password.file <username>




You can password-protect specific files by specifying them in
<Files" directives. For example, to protect just the .mp3 files
in the directory, your .htaccess would be:



	AuthType Basic
	AuthName "Enter Password"
	AuthUserFile <path>/password.file
	<Files *.mp3>
	Require valid-user
	</Files>




Whenever access is attempted to files in that directory, the user
will be prompted for a password.



Note that apache will not do authentication when accessing a 
directory locally via localhost.



A nice .htaccess tutorial is HERE.






17. Diagnostic Utilities



Networks always have problems and diagnosis of those problems is the
primary activity of network administrators. Diagnosing and solving network
problems is a black art that can only be covered superficially here, but
the following are some basic utilities for diagnosing problems. Many of these 
programs are mentioned in more detail above and you can get further 
information on the command line with the "man <command>" command.


ifconfig: The first step is to verify that the interface you
are trying to connect to the network with is up and has a valid IP
address. ifconfig with no arguments lists all the network interfaces
on a system and allows configuration. If the interface is not
displayed or does not have an IP address, your system cannot
connect to the network through that interface.
The example output given below shows the interface IP address as
192.168.1.47 and, with the given mask, the default gateway is 192.168.1.1.
The "RX bytes" and "TX bytes" can be used
to determine if there has been any traffic on an interface, implying
that it is or was working at some point.
lo is the loopback interface on every system that is, in essence, only connected
to itself.


	eth0      Link encap:Ethernet  HWaddr 00:0F:B0:66:40:C2  
	          inet addr:192.168.1.47  Bcast:255.255.255.255  Mask:255.255.255.0
	          inet6 addr: fe80::20f:b0ff:fe66:40c2/64 Scope:Link
	          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	          RX packets:29369 errors:0 dropped:0 overruns:0 frame:0
	          TX packets:32776 errors:0 dropped:0 overruns:0 carrier:0
	          collisions:0 txqueuelen:1000 
	          RX bytes:20428276 (19.4 Mb)  TX bytes:21405541 (20.4 Mb)
	          Interrupt:11 Base address:0x3000

	lo        Link encap:Local Loopback  
	          inet addr:127.0.0.1  Mask:255.0.0.0
	          inet6 addr: ::1/128 Scope:Host
	          UP LOOPBACK RUNNING  MTU:16436  Metric:1
	          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
	          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
	          collisions:0 txqueuelen:0 
         	  RX bytes:592 (592.0 b)  TX bytes:592 (592.0 b)




ping is the second most useful network diagnostic utility.
ping allows you to send echo request messages to specific IP addresses 
and verify that they are up. Generally, in diagnosing a connectivity
problem you will first try to ping the interface, then ping the gateway
(which can be inferred from the output of ifconfig), and, finally,
ping the destination you are trying to reach.


traceroute lists all the routers between you and a destination.
This permits detection of the point in a route where there is a problem.


arp allows display and modification of the ARP caches on
interfaces. If you need to determine if you have the lowest level
connectivity to the network, in this case through interface eth0:


	/sbin/arp -a -i eth0





iwconfig is a utility for displaying and configuring
wireless-specific information that is not part of ifconfig.
Looking for the connected access point ESSID (or lack thereof)
is a common reason to use iwconfig.


iwlist: When connecting to an unfamiliar network, you
may want to use the iwlist command to see what access points
are available. If no access point ESSID is specified, bringing
a wireless interface up will connect to the most powerful
AP it sees, which may not be the one you want.


	/sbin/iwlist wlan0 scan




tcpdump is a program for listing network packets. The 
output can be rather obtuse to the uninitiated. Useful for diagnosing
problems with NFS or authentication issues. For example, to
display packets in ASCII that are passing through interface eth0:



		/sbin/tcpdump -s 1024 -A -i eth0




netstat lists active network connections, routing tables,
interface statistics, masquerade connections, and multicast membership

    

  • netstat -r: show routing table

  • netstat -a: list connections

  • netstat -s: list statistics by protocol

  • netstat -n: list port numbers




host, dig and nslookup are DNS lookup utilities, 
with dig giving the more detailed output of the bunch. If you are 
having trouble connecting to a named website, you can use
these utilities to try to figure out if the name is getting
resolved to an IP address. You can also use these utilities to
lookup addresses on specific nameservers if your currently
configured nameserver is having problems.


route is a utility to list and/or manipulate the IP routing table. 
If you're having problems with a browser not being able to see
a network, this will show if there is a problem in your routing table.


Example route output with a DSL modem

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         dslrouter       0.0.0.0         UG    0      0        0 eth0




Example route output with a dialup modem
Destination Gateway Genmask Flags Metric Ref Use Iface nas31.newyork1. * 255.255.255.255 UH 0 0 0 ppp0 default nas31.newyork1. 0.0.0.0 UG 0 0 0 ppp0

whois queries the Internet WhoIs database to find out who a domain name is registered to. Anonymous or third-world registrations often indicate entities that you should have no dealings with. whois can also be used to list to what organization an IP address has been assigned to, although this information will often only lead you to an ISP that controls a block of IP addresses and not to the company or individual who is actually using that IP address.

airsnort: When you need to connect to an encrypted network but do not have the encryption key, AirSnort can listen to traffic for a period of time and determine the key.

nmap is a network exporation tool and security scanner. Lots of options. The -sT option is especially useful for detecting "open ports" that represent potential entry paths for invaders and the results of this scan may indicate unnecessary services you want to shut down or unnecessary permissions in your firewall. 

	Example: scan a local address for open ports
		nmap -sT 192.168.1.1

	Example: looks for hosts on a network
		nmap -sP 172.16.1.1-127

Netdisco is an open source web-based network management tool. It's quite complex and I mention it here only as a suggestion if you're looking for network discovery software.

nmblookup, smbstatus and findsmb are utilities for diagnosing and establishing Samba connections to Windoze systems. They are described earlier in this document.

I am 216.14.220.197
You are 38.107.191.101

They don't hate us for our freedom, they hate us for our fiefdom. (Bill Maher)

All content on this site (c) 2000-2010 by Michael Minn or the respective copyright owners.