Net-HOWTO
Introduction
This is the first release of the GOLEM Network Howto, this document aims to be a sort of unofficial update of the Linux Networking Howto.
General Information about Networking
Sources of non-linux-specific network information
If you are looking for general TCP/IP networking information, here you can find some resources:
IPv4 Addresses
Internet Protocol v4 Addresses are composed of 4 bytes (32 bit), each byte is converted to a decimal number (0-255) and bytes are separated by a . (dot), for this reason IPv4 addresses are limits to near 4 billions (232). Usually every network interface has its own IP address in a format like this: 192.168.0.5
Subnetting
Addresses in a network have some digits in common, that part is called the network portion of the address, the remaining numbers are called the host portion.
For example:
----------------- --------------- Host Address 192.168.0.23 Network Portion 192.168.0. Host portion .23 ----------------- --------------- Network Address 192.168.0.0 Broadcast Address 192.168.0.255 ----------------- ---------------
Subnetting is a way to subdivide an TCP/IP network. The Classless Inter-Domain Routing (CIDR) is the current method for defining subnet, the IP address is followed by a prefix number between 0 and 32 that shows how many bits represent the network.
192.168.0.23/24 => network 192.168.0.0 - 192.168.0.255 192.168.0.23/16 => network 192.168.0.0 - 192.168.255.255
This method replace the obsolete classful network addressing architecture.
The maximum number of addresses of a network may be calculated as 232 − prefix number
CIDR | Classful network mask | Number of Hosts | Typical use |
---|---|---|---|
/8 | 255.0.0.0 | 16777214 = 224 - 2 | Largest IANA block allocation |
/9 | 255.128.0.0 | 8388608 = 223 | |
/10 | 255.192.0.0 | 4194304 = 222 | |
/11 | 255.224.0.0 | 2097152 = 221 | |
/12 | 255.240.0.0 | 1048576 = 220 | |
/13 | 255.248.0.0 | 524288 = 219 | |
/14 | 255.252.0.0 | 262144 = 218 | |
/15 | 255.254.0.0 | 131072 = 217 | |
/16 | 255.255.0.0 | 65536 = 216 | |
/17 | 255.255.128.0 | 32768 = 215 | ISP / large business |
/18 | 255.255.192.0 | 16384 = 214 | ISP / large business |
/19 | 255.255.224.0 | 8192 = 213 | ISP / large business |
/20 | 255.255.240.0 | 4096 = 212 | Small ISP / large business |
/21 | 255.255.248.0 | 2048 = 211 | Small ISP / large business |
/22 | 255.255.252.0 | 1024 = 210 | |
/23 | 255.255.254.0 | 512 = 29 | |
/24 | 255.255.255.0 | 256 = 28 | Large LAN |
/25 | 255.255.255.128 | 128 = 27 | Large LAN |
/26 | 255.255.255.192 | 64 = 26 | Small LAN |
/27 | 255.255.255.224 | 32 = 25 | Small LAN |
/28 | 255.255.255.240 | 16 = 24 | Small LAN |
/29 | 255.255.255.248 | 8 = 2³ | The smallest multi-host network |
/30 | 255.255.255.252 | 4 = 2² | Point-to-point links (glue network) |
/31 | 255.255.255.254 | 2 = 21 | Point-to-point network (RFC 3021) |
/32 | 255.255.255.255 | 1 = 20 | Single host |
Traffic between subnets is guaranteed by routers.
IPv6 Addresses
IPv6 is the latest version of the Internet Protocol, due to the lack of available IPv4 addresses it is poised to replace it in the near future.
One of the most important features of IPv6 is the much larger address space.
Protocol | Address space | Addresses |
IPv4 | 32 bit | 232 = 4 billions |
IPv6 | 128 bit | 2128 = approximately 3.4 x 1038 total addresses |
IPv4 vs IPv6
Address representation
- IPv4 → 4 byte rappresentati con numeri decimali separati da un punto, es:
192.0.2.127
- IPv6 → 16 byte, ogni byte è rappresentato da due cifre esadecimali; ogni 4 cifre esadecimali si inseriscono i due punti
:
; come in IPv4 è possibile omettere gli zeri in testa; la più lunga sequenza di zeri allineata a 4 può essere omessa per intero; esempi (indirizzi equivalenti):2001:0470:c844:0020:0000:0000:0000:0001
2001:470:c844:20:0:0:0:1
2001:470:c844:20::1
Tipi di indirizzi
- IPv6 Reference Card by RIPE [1]
Riassunto:
IPv6 | Equivalente IPv4 | Significato |
::1/128
|
127.0.0.1
|
Indirizzo loopback |
fc00::/7
|
192.168.0.0/16 , 10.0.0.0/8 , 172.16.0.0/12
|
Indirizzo privato |
fe80::/10
|
169.254.0.0/16
|
Indirizzo link-local (univoco nella rete locale, e autoassegnato) |
2001:db8::/32
|
192.0.2.0/24
|
Esempi e documentazione |
2000::/3
|
Indirizzi unicast globalmente raggiungibili |
Indirizzi pubblici vs privati
Gli IPv6 sono così tanti che non c'è bisogno di utilizzare indirizzi privati: niente NAT, niente port-forwarding. Questo restituisce connettività end-to-end ai dispositivi e apre numerose nuove possibilità di impiego, rimaste nascoste per anni a causa della scarsità di IPv4 e degli osceni espedienti inventati. Una banalità: non sarà più necessario passare attraverso un server terzo per condividere documenti, chattare o telefonare ai propri contatti.
Se necessarie, le caratteristiche di "sicurezza" introdotte dal NAT possono essere sostituite e accorpate a un banale firewall.
Progettazione di una rete
Nel progettare una rete con IPv4, la necessità principale è quella di risparmiare sugli indirizzi, perciò vengono usati prefissi di rete di varia lunghezza. Nel progettare una rete con IPv6, si hanno a disposizione così tanti indirizzi che conviene utilizzarli in maniera da renderne più agevole una distribuzione logica.
Sono così identificate le seguenti dimensioni standard per le reti IPv6 (nulla vieta di usare dimensioni personalizzate):
- /126: contiene 2 soli host, utilizzata per i collegamenti punto-punto nell'infrastruttura di rete;
- /64: è la più piccola rete che dovrebbe essere fatta; dimensione utilizzata nelle LAN; lo spazio di indirizzamento è esageratamente sovradimensionato ed è sufficiente per qualunque LAN immaginabile (è 4 miliardi di volte più grande di tutta la rete Internet IPv4); viene usata in ambito domestico;
- /56: contiene 256 reti di dimensione /64, viene usata in ambito domestico o per piccole imprese;
- /48: contiene 65536 reti di dimensione /64, viene usata in ambito aziendale;
Le LAN non devono avere un prefisso più lungo di /64, perché molte nuove funzionalità introdotte con IPv6 (es SLAAC, Privacy Extension, ...), e anche funzionalità che saranno introdotte in futuro, daranno per scontato che le reti abbiano almeno questa dimensione.
Network Configuration
Driver
Modern Linux distributions already include driver for most of LAN and WiFi devices. Otherwise try to upgrade your OS or compile and install a newer kernel.
Network tools
iproute2: IP Routing Utilities
nftables: Linux kernel packet control tool (firewall)
iputils: arping, clockdiff, ping, tracepath
Legacy tools
net-tools: configuration tools for Linux networking (arp, ifconfig, ipmaddr, iptunnel, mii-tool, nameif, netstat, plipconfig, rarp, route, slattach)
iptables: Linux kernel packet control tool (firewall)
Network Application Programs
Most common network applications, derived from the 4.4BSDLite2 distribution, are collected in the inetutils package: dnsdomainname, ftp, ftpd, hostname, ifconfig, ping, rcp, rlogin, rlogind, rsh, rshd, talk, talkd, telnet, telnetd, whois
Setup LAN Interfaces
Predictable Network Interface Names
Starting with v197 systemd assign fixed and predictable network interface names for all local network devices instead of the traditional eth0, eth1, wlan0 which may change after a reboot post kernel update. This feature simplify the system management and fix potential security implications e.g., changing firewall rules.
These names are based on hardware firmware/topology/location information and they stay fixed even if hardware is added or removed.
Prefix Description en Ethernet ib InfiniBand sl Serial line IP (slip) wl Wireless local area network (WLAN) ww Wireless wide area network (WWAN)
eth0 could be renamed enp6s0: en (ethernet) + p6 (bus 6) + s0 (slot 0)
Manual managing
The following commands activates the enp6s0 interface with the IP 192.168.0.2, for the subnet 192.168.0.1-255, using the router-gateway 192.168.0.1
# ip addr add 192.168.0.2/24 dev enp6s0 # ip route add default via 192.168.0.1
Edit the /etc/resolv.conf file adding a list of DNS IP addresses for enabling the address resolution
nameserver 8.8.8.8 nameserver 1.1.1.1
For a non fixed IP address in a LAN with a DHCP server just run
# dhcpcd enp6s0
Useful commands
Show devices IP addresses
# ip addr
Show information of a specific interface
# ip addr show enp6s0
Add IP addresses on a device
# ip addr add 192.0.2.10/24 dev enp6s0
Delete a device IP
# ip addr delete 192.0.2.10/24 dev enp6s0
Enabling the interface enp6s0 without specifying an IP
# ip link set dev enp6s0 up
Disabling the interface enp6s0
# ip link set dev enp6s0 down
Set 192.168.0.2 as default gateway for the host
# ip route add default via 192.0.2.1
Add the gateway 192.168.0.1 route for the interfaces enp2s0 10.0.2.0
# ip route add 10.0.2.1/24 via 192.168.0.1 dev enp2s0
Remove the gateway 192.168.0.1 route for the interfaces enp2s0 10.0.2.0
# ip route del 10.0.2.0/24 via 192.168.0.1 dev enp2s0
Show the routing table
# ip route show
Setup WLAN Interfaces
Utility | WEXT | nl80211 | WEP | WPA |
---|---|---|---|---|
wireless_tools | Yes | No | Yes | No |
iw | No | Yes | Yes | No |
wpa_supplicant | Yes | Yes | No | Yes |
iwd/iwgtk | No | Yes | No | Yes |
iw vs wireless_tools (both legacy)
systemd-networkd
systemd-networkd is a system service, part of systemd, for the network configuration management.
Enable the systemd-networkd daemon
# systemctl enable --now systemd-networkd.service
Enable and set the DNS
# systemctl enable --now systemd-resolved.service # ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
DHCP
/etc/systemd/network/20-wired.network
[Match] Name=enp1s0 [Network] DHCP=yes
Static IP
/etc/systemd/network/20-wired.network
[Match] Name=enp1s0 [Network] Address=10.1.10.9/24 Gateway=10.1.10.1 DNS=10.1.10.1
Rename a network interface
Create and edit a .link file e.g., /etc/systemd/network/10-ethusb0.link
[Match] MACAddress=12:34:56:78:90:ab [Link] Description=USB to Ethernet Adapter Name=ethusb0
Ignore a network interface
If you want to exclude some network device to be automatically configured by Network Manager just explicit this in the config file:
/etc/NetworkManager/conf.d/99-unmanaged-devices.conf
[keyfile] #unmanaged-devices=interface-name:enp6s0;interface-name:enp0s13f0u1u3
NetworkManager
NetworkManager è una utility che si è imposta come standard per la configurazione della reti Linux (LAN e Wifi)
Si compone di un demone, un'interfaccia da riga di comando (nmcli) ed un'interfaccia di configurazione basata su un menu testuale (nmtui).
I principali desktop enviroment come GNOME e KDE Plasma possiedono una utility grafica che consente loro di configurare graficamente le reti basandosi su NetworkManager.
Installation
Depending on the distribution used, the following command must be used
- Arch Linux: # pacman -S networkmanager
- Debian: # apt-get install network-manager
- Red Hat: # yum install NetworkManage
Enable the daemon
# systemctl enable --now NetworkManager
Configurazione
- Menu di configurazione: qualora si utilizzi un sistema privo di interfaccia grafica e si desideri configurare una rete wifi si consiglia caldamente l'utilizzo dell'applicazione
nmtui
- Per chi dovesse prediligere la configurazione manuale:
nmcli
- Per impedire a Network Manager di gestire una certa interfaccia di rete è sufficiente aggiungere il suo MAC Address al file di configurazione
/etc/NetworkManager/NetworkManager.conf
[main] plugins=keyfile [keyfile] unmanaged-devices=mac:00:25:21:73:90:72
Sharing Internet connection
Enable IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
To keep IP forwarding enabled edit /etc/sysctl.conf
net.ipv4.ip_forward = 1
Enabling IP masquerading (let the computer acts as a gateway for the network)
# iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
enp6s0 it's not a fixed value, you may have to replace it with your computer the external device which is already connected on Internet
Per applicare automaticamente tale regola ad ogni riavvio
# iptables-save > /etc/iptables.ipv4.nat # iptables-restore < /etc/iptables.ipv4.nat
Check if your system loaded the following modules: ip_tables, ip_conntrack, iptable_nat, ipt_MASQUERADE. Otherwise you have to manually load them with modprobe, to automatically load them at the boot and create the file /etc/modules-load.d/firewall.conf .
ip_tables ip_conntrack iptable_nat ipt_MASQUERADE
Set a static IP to the ethernet card connected to the LAN (e.g., enp2s0)
# ip addr add 192.168.5.1/24 dev enp2s0
To save this configuration it's possible to use systemd-networkd.
# systemctl enable --now systemd-networkd.service
Create the file /etc/systemd/network/20-wired.network
[Match] Name=enp2s0 [Network] Address=192.168.5.1/24
Configurazione scheda wireless
# iwconfig wlp7s0 mode Master # iwconfig wlp7s0 ESSID GOLEM-NET # iwconfig wlp7s0 enc off # ifconfig wlp7s0 192.168.5.1 netmask 255.255.255.0 up
Install hostapd and configure the protected access (WPA)
/etc/hostapd/hostapd.conf
# Device interface interface=wlp7s0 # Driver driver=nl80211 # Name of the net (SSID) ssid=GOLEM-NET hw_mode=g # Channel channel=6 macaddr_acl=0 # Righe per la protezione auth_algs=1 ignore_broadcast_ssid=0 wpa=2 # Password wpa_passphrase=password wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP
Automatically assigning IP addresses
Install dhcp
Edit /etc/dhcpd.conf adding the rules for the internal network (es.: enp2s0, wlp7s0)
subnet 192.168.5.0 netmask 255.255.255.0 { range 192.168.5.100 192.168.5.200; option domain-name-servers 8.8.8.8; }
Restart the dhcp daemon
# systemctl restart dhcpd
Boot from LAN
Preboot eXecution Environment: boot from LAN or Internet with a PXE
Install and enable tftpd-htpa to provide the installation file.
Edit /etc/dhcpd.conf adding the following lines
next-server 192.168.0.2; filename "pxelinux.0";
next-server is the IP address of the dhcpd/TFTP server and filename is the image to boot (e.g., Arch Linx Netboot).
https://www.debian.org/releases/stable/amd64/ch04s05.en.html
https://gist.github.com/rikka0w0/50895b82cbec8a3a1e8c7707479824c1
https://wiki.golem.linux.it/PXE
Lato client
ipxe.iso Custom PXE
VPN
WireGuard server
Server config
WireGuard client
Client config
Firewall
Block ports, transparent proxy...
https://wiki.archlinux.org/title/Nftables
https://guide.debianizzati.org/index.php/Nftables
https://home.regit.org/netfilter-en/nftables-quick-howto/
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page