Linux Foundation LFCS – Domain No. 4 – Networking
Hello and welcome students. We are starting the network module now and in this lecture I’m going to discuss the IP configuration in Linux. So IP configuration can be looked at in two different ways in Linux. One is called the Runtime configuration which is temporary, which you can run or used while the system is running right now. You can test it, you can run commands. It’ll give you current information on your system. The other one is called persistent configuration. So for runtime configuration. The command that you can use is IP Help. It will give you more detail about what IP can be used with. So as you can see, it shows you the usage and IP can be used with these objects, these can be configured as subcommands for IP. And some of the most important ones that we’ll be using is your link address and route. So if I were to do IP link show, it will show me.
All the interfaces that are currently on this machine, like the loop back address and interface zero, interface one, interface two, interface three. However, if you notice that it’s not showing me the IP address, it’s just showing the interfaces. Hence the name link. Similarly, you can also do IP address. And in this command, the output of this command, you can see it’s showing the IP addresses. Two interfaces that I’m interested in talking about is these two before. That we have one more interface here, which is the loopback address, which you probably have heard of. May have used it in Windows as well. This is an IP address that is used to check the TCP IP stack. Within the system. It’s not an IP address that you use to communicate with other machines. It’s for systems internal IP address. And the IP address is always one hundred and twenty seven, zero, one eight. And here we can see an ITV six address. This is always colon 1128, and as you can see, it’s valid for forever. So it’s not a leased address. That’s going to expire ever. And the interested interfaces that in my case, they are. Bonded. So that means there are two interface bonded together for redundancy.
And the IP address is this and the broadcast address is this valid? This is also forever. But it could have if it was a DHCP assigned IP address, then it would have a lease time that is leased for this many minutes or this many seconds. In my case, it’s assigned forever. And same way on this one. This is my outside interface. And this is my private interface. Add an IP address. IP address, add device. That’s an important part of the command. Get half that and then depending on your interface. So in your case it might be ETH one, ETH two. Since I have bonded interfaces, I’m going to put type in bond zero and then my IP address is ten 9396-7326. That’s my IP address. Let’s see if it is working. And it is working. So this is how you configure an IP address. This is runtime configuration of IP. So one thing about the runtime configuration, you have to understand that it is not permanent.
If you were to reboot your system, then the changes that we made in IP, changes that we just made are not going to survive. You’re going to see the old IP address instead of the one that we changed to. And also beside the IP command, you might see something like IP config. And it used to be the old method of configuring IP addresses and now it’s changed. And the latest is of course IP. Now we’re going to use the IP Route Command, IP Route Show and it is showing the routing on this system, how it’s configured in Linux. And so if we look at the first line is default via this IP address and this IP address is going through this router. So this is what it’s showing you that the routing is configured to the IP address of this network. The ten network that we configured is 100, zero, and then we have 1093, 96 and 64, which is our router in that case. So this is how you can find out runtime Configuration regarding Link IP addresses and IP route. This is a quick way to test stuff, but as I mentioned before, it’s not persistent. We’re going to talk about persistent in the next lecture.
Hello and welcome. In this lecture, we’re going to configure IP address in a persistent way. That means the networking configuration that is going to hold even after a reboot because when we did the runtime configuration, that was just for the current session. So in persistent mode, one of the main files that you’re going to have to edit or you’re going to have to remember to consider is the file or directory that I am in ISTC sysconfig network scripts. And if you do it LS here you’re going to see interfaces. Like in my case, these are the three interfaces I have. Just look on the left hand side, the Ifcfg and that ENP zero s 30, s eight and L zero, l zero. We already know that is the loop back address and the other two interfaces are the ones that are configurable. So we’re going to look at the file now and so do an LS. Then I’m going to VI this file here. Paste. Okay, so this is what generally a file look like. It’s going to have type, which is ethernet proxy method that just leave that alone.
I would not change it. And the main thing that this is the hardware address or Mac address, the device name is right here. ENP three IPV six. If you’re dealing with IPV six, you’ll change that here on boot. That means after reboot it will be enabled. And this is what the main thing is, the IP address. This is where you put the IP address permanently prefix, meaning your subnet mask. So it’s like 192, 106, 820-2124. And this is our gateway. This is our default router for this machine. This is how it learns how to actually get to the Internet. Okay, so we’ll go ahead and actually make a change in that file. So our file was this one right here. And I’m going to come down here to the IP address, I’ll leave the prefix to be 255-255-2550, which is slash 24. But the only change I’m going to make will be the IP address. So previously it was 21. I changed it 23. Let’s try 24.
Now, the easiest way you can make a change in a VI editor, if you just need to change one character is type R, just R and then type what you want to change to and that’s going to change it to the character that you want to change. So I just typed R at three and type four. And now I’ve changed it. I’m going to get out of here. And one thing I do have to run is this command system CTL restart network. The other way to do it is of course to reboot the machine, but this is much easier while the system is running. I’m going to run this as long as we don’t come up with an error. Sometimes it gives you an okay prompt, but in my case it didn’t. But looks like everything is still going fine. So now I’m going to ping 192, 168, 24 and it is pinging. And also I can do an app or IP space a to see if my IP address has actually is showing in here or not. And as you can see in here that it is showing up 2024.
Another way to check the current status of your network interfaces is to type Nm Network Manager, CLI P and then Dev for device and they’ll give you a very nice output to show you the exact status. Like my ENP zero S eight is disconnected right now. The S three is connected and the loop back is unmanaged at this time. Now, suppose you wanted to do dynamic IP address configuration. What is dynamic IP Address configuration is when you have a DNS DHCP server which provides IP addresses without you manually adding IP addresses into the system. So what you do in that case is where it says boot proto. It should say instead of none, it’ll say I’m not going to actually do it, but I’ll just show you what it should look like, okay? It’ll say DHCP all lower case and your IP address command is not going to be there.
So what you can do is just take that file and comment it out. Sorry, comment it out like this so it won’t get executed. Same with this, you can comment it out. Same with this, you can comment this out as well. So that way everything is going to be read off of the DACP server. It’s going to provide the IP address, the prefix and the gateway. And you don’t have to do anything as long as your system is pointed to the DACP server. Okay? So in our configuration file so far, although we had everything else, but there are a couple of pieces missing. So let me show you that we don’t have a DNS setting. And of course, in pretty much all networks out there in production, you got to have a DNS server. This is how you resolve an IP address to a host name.
And the way you do it is either you point them to your local DNS servers if you have a couple of them, they usually have a couple of them one as a backup, and if not, then you can assign them DNS servers out on the internet. For instance, the one that you get used the most is eight, which is Google’s DNS server. But it’s always better to have your own in house DNS servers that you can point to. So the way you do it is I’m going to type in O to open a line and then DNS one. Suppose that’s the name of my DNS server and it’s going to be I’m sorry, that’s how you and then you type 168, 254.
Suppose that’s my first IP address of the first DNS server. Then you type in DNS Two and you give its IP address. Then you type DNS three, if you happen to have three and its IP address. And that’s it. That’s all you’re going to need in order for it to have DNS server. So after we have added couple of DNS servers in our machine, the one thing that you always have, any time you made a network change, you have to run this command system, CTL restart network. And as long as there are no errors, there are no errors, we are good. If I do a more on Etsyresolve. com, we are seeing the two name servers that had been added, DNS One and DNS two. And this is how you configure the DNS servers.
Hello and welcome again. In this lecture we’re going to learn how to synchronize time using NTP peers. So what is NTP? NTP is the network time protocol. You should have it installed on your Linux system already. If not run this command rpm QA, pipe it to grab NTP which is the NTP daemon. And you should get something like this. If suppose for some reason you didn’t get it or it’s not installed then it’s very simple. As long as you’re on the network yum install yntpd that’s all you have to run. And this will install NTP on your system. So the command or the file for the NTP is Ntp. com which is located in Slash etc. So I’m currently in slash, etc. If I do it lent and then star it’ll show me Ntp. com.
So here I can do a more on our let’s do a VI on Ntp. com. And if you come down on the file here right where it starts on the server and then time service you’re going to see different time servers that are configured on this. I have these servers zero through three in here and they are connected to Red Hatspool. NTP. org eyeburst is one of the options and if you don’t like any of those and you want to use your own NTP time servers, all you have to do is I and comment and then it’s not going to be read in this file and you can do the same with the next four as well. But since in my system I don’t want to do it, I’m just going to quit without saving. So that way it won’t save this. To make sure that the service is always on the NTP service or Ntpd demon just like any other service you’ll do CHK config Ntpd on. So that way the service always remain on even after after a reboot.
Hello and welcome again. In this lecture we’re going to learn how to start, how to stop and how to check the status of network services. And we’re going to use one example, although there are dozens of services that you can check on, I’m going to use SSH, which runs as a demon on a Linux machine. SSHD is the daemon. So let’s first look can see if it’s even running. So the way you check and see if a process is running is do a PS EF, pipe it and then grab for that service. SSHD is what I’m looking for and as you can see it is running. Ignore the one that says grab because that’s the command itself. But what I’m concerned with is these two, these two processes that show me that this demon is running. Now, starting from Centaus and Red Hat Seven, you can use systemctl status SSHD and for now ignore the rest of the stuff. But if you just look right here it’ll tell you that it’s active and running.
And what if we go ahead and stop it? It stopped. Let’s look at the status now and as you can see now it’s showing active, inactive, dead. Okay, let’s go back. I’m using the up arrow because it’s in the history so I don’t have to retype it started. Okay, now look at the status again and it’s running again. One other way that you can stop and start it is to reload it and reload is simply reload command and it does exactly the same thing. Let’s check on the status and it is running and it’s active. Now if you want to start a service at boot time, which you definitely do want to do with SSH, then you do Systemctl enable and then the name of the service in our case is SSHD. And there and to check if a network service is enabled at boot time, we can do system ctfctl is enablessshd and it says it’s enabled. That means it’s enabled at boot.
So as we have discussed previously, there are two ways to add to adding an IP address to a Linux machine. One is DHCP by the dynamic Host protocol and where the IP address and gateway and subnet mask gets assigned automatically. The other way to do it is statically where you are are manually typing all this information through the command line. So in order to show what we have currently right now we’re going to work on IP route instead of the IP address, we’re going to work on the routing. So the machine I’m logged in currently is routed like this to this IP address via its default gateway. So this 65 is the default gateway of my machine.
Suppose if I I’m going to this machine which is on a different network than my own machine, mine is on 10, 93, 96. This machine is ten dot, zero dot, zero dot something. So the way I’m going to go to it is via through my default gateway. Okay, the syntax to add IP route as you could tell from this line over here is IP route and then add this is how you’re going to add an extra route, IP route add then the network where you’re trying to go to via IP which is the IP of the default gateway of your machine. Then the command dev and then the actual device. So this is the syntax. So suppose the network 1921-685-5024 is available via this default gateway. How do we configure this? So the way you configure is IP route add is the command. Then we are trying to get to this address or this network, sorry this network address which is 24 or subnet mask is 24.
And we are going through my default gateway which is 109, 2168-1254, and then the command dev for device and then the interface that we’re going to use to get there. And suppose if we want to make all these changes instead of runtime, we want to make it persistent, then what we do is we go into this subdirectory at CSIS config network script and that’s where all the interfaces files are located. So I’m just going to create a file which is not there right now, like Ethio suppose which is how we used to define the interfaces before, all the interfaces that are ethernet interfaces and VI this file and type I to insert. And then I have some information about the gateway that I’m going to use to get which is 255-255-2550. Somehow I got zeros tagged onto these.
There’s no need for these zeros. And the address that I’m going to use is 192-16-8550, net mask is this and the gateway is this. So my eventual goal is get to a machine located in this network but I’m going to use my default gateway to get to it. Commands are added persistently in the network file. Then you type in system CTL, restart network service and if your file is fine, there is no syntax error or anything like that, then you should not get any error and this should finish successfully. But I haven’t made any changes so far. It’s not going to do anything. I’ll just control C out of it.
Hello and welcome again. In this lecture we’re going to actually get started and configure Iptables. So working with Iptables from the command line requires root privileges. So you will need to become root for most things we’ll be doing one important note we’ll be turning off Iptables and resetting your Firewall rules. So if you’re relying on your Linux firewall as your primary line of defense, you should be aware of this iptables should be installed by default on all centaus and redhead machines. You can check that by running this command rpmq IP tables and this is what you should be getting, something similar to that running.
We can check that the Iptable modules are loaded and use the lSWITCH to inspect the currently loaded rules. So first we’re going to run LS mod and we’re going to grep for IP tables and then we’re going to run IP tables, capital L input policy chain forward and chain output that we talked in the previous lecture. If IP tables is not running on your system, this is how you can get it started. Configurity level. This is the command to get it started, but since on my system it’s running, I’m not going to start it again.
Hello. In this lecture we’re going to write a simple rule set. It’s important that at this point we are going to clear the default rule set. So if you’re connecting remotely to a server via SSH for this tutorial, then there is a very real possibility that you could lock yourself out of your machine. So you must set the default input policy to accept before flushing the current rules and then add a rule at the start to explicitly allow yourself access to prevent against locking yourself out. So this is just a cautionary note. We will use an example based on approach to examine the various Iptables commands. In this example, we will create a very simple set of rules to set up a stateful packet inspection or SPI firewall that will allow all outgoing connections but block all unwanted incoming connections.
Okay, so let’s start. IP tablespinput Accept then IP tablespoon f then IP tables a input ILO Jacceptcept IP tables a input m state related Jacceptcept and I want to remove this space we have here. Okay, the next one is going to be Iptables 22 is for the SSH accept drop iptables p output Accept iptables LV these are the rules that we have set up so far. Let’s take a look at all the commands that we have run so far. The Iptable Pinput Accept which is this command right here. If connecting remotely, we must first temporarily set the default policy on the input chain to accept. Otherwise, once we flush the current rules, we will be locked out of a server. So that’s what that is. Iptables F. We use the F switch to flush all existing rules. So we start with a clean state from which to add new rules. Iptables A input this command it’s time to start adding some new rules.
So we use the A switch to append or add a rule to specific chain the input chain in this instance. Then we use the I switch for instance for interface to specify packets matching our destin for the L zero our localhost which is one hundred and twenty seven zero one interface and finally J to packets matching the rule, in this case Accept. So this rule will allow all incoming packet destination destined for the local host interface to be accepted. This is generally required as many software applications expect to be able to communicate with the local host adapter. Then the next command we have is this one here. This is a rule set that does most of the work. And again we are adding A to it to the input chain. Here we are using the M switch to load a module state.
The state module is able to examine the state of a packet and determine if it is new, established or related. New refers to the incoming packets that are new incoming connections that weren’t initiated by the host system. Established and related referred to incoming packets that are part of an already established connection are related to an already established connection. The next one is this one right here. Here we add a rule allowing SSH connections over TCP port 22. This is to prevent accidental lockouts when working on remote systems over an SSH connection. Next one is Iptables p. This one here, the dash P switch sets the default policy on the specified chain. So now we can set the default policy on the input chain to drop. This means that if an incoming packet does not match one of the following rules, it will be dropped.
If we are connecting remotely via SSH and had not added the rule above, we would have just locked ourselves out of the system at this point. Iptables p forward drop similarly, here we have set the default policy on the forward chain to drop, as we are not using our computer as a router, so there should not be any packets passing through our computer. This one is finally we have set the default policy on the output chain to accept as we want to allow all outgoing traffic as we trust our users. Then this one right here is we can list L rules we have just added to check they have been loaded correctly. And finally, the thing that we want to do is to save our rules.
So the next time we reboot our computer, our rules are automatically loaded. So in order to save it, we’re going to run SB. So when I try to run the Service Iptable Save command, you probably noticed that the service command didn’t quite work. So what I had to do is install the Iptable Services package. I didn’t have that on my system, so I went ahead and did that it’s installed. And after that I run the Service Iptable save again and this time it saved it. So this executes the IP tables in its script which runs SBIN Iptable save and writes the current Iptables configuration to the etc config IP tables. And once you reboot the Iptables init script, reapplies the rules saved in etsy sysconfig IP table IP tables by using the SBIN Iptables, obviously typing all of these commands at the shell can become tedious. So by the easiest so far by the easiest way to work with Iptable is to create a simple script to do it all of that for you. And so you can put all of that into a shell script and run it that way.
Popular posts
Recent Posts