diff options
author | Silvino <silvino@bk.ru> | 2021-02-25 23:22:17 +0000 |
---|---|---|
committer | Silvino <silvino@bk.ru> | 2021-02-25 23:22:17 +0000 |
commit | d12b35a47b9a872ecb5e037f1c2b02e1ea8927fb (patch) | |
tree | 8fdac6dfc8cabb9f85a2db3a3bd628cfe44438cd /linux/network.html | |
parent | 0a6b0fc9769daf0932cb207c3285baa31547b489 (diff) | |
parent | a3628fc49db4d88ff3e4067268650710d1da3f6f (diff) | |
download | doc-d12b35a47b9a872ecb5e037f1c2b02e1ea8927fb.tar.gz |
merge openbsd branch into develop
new directory layout
Diffstat (limited to 'linux/network.html')
-rw-r--r-- | linux/network.html | 437 |
1 files changed, 437 insertions, 0 deletions
diff --git a/linux/network.html b/linux/network.html new file mode 100644 index 0000000..0d359f3 --- /dev/null +++ b/linux/network.html @@ -0,0 +1,437 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2.2. Network</title> + </head> + <body> + <a href="index.html">Core OS Index</a> + + <h1>2.2. Network</h1> + + <p>Operation of the network can be handle with init scripts or with + <a href="#nm">network manager</a>;</p> + + <dl> + <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> + <dd>Configure <a href="#iptables">iptables</a>, "start" option + loads set of rules from file /etc/iptables/(name).v4, "open" option + allows everything to outside and blocks everything from outside, + "stop" option will block and log everything.</dd> + <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> + <dd>Configure Ethernet interface with static or dynamic (dhcp) + IP, set default route and add default gateway.</dd> + <dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt> + <dd>Configure Wireless interface, launch wpa_supplicant to handle + wireless authenticationand dynamic (dhcp) + connection to router and add as default gateway.</dd> + <dt><a href="conf/rc.d/wlan">/etc/rc.d/networkmanager</a></dt> + <dd>Use network manager to handle connections.</dd> + </dl> + + <p>Choose wireless (wlan), cable network (net) or network manager in + <a href="conf/rc.conf">/etc/rc.conf</a> to handle configuration of the + network at startup, example using network manager;</p> + + <pre> + # + # /etc/rc.conf: system configuration + # + + FONT=default + KEYMAP=dvorak + TIMEZONE="Europe/Lisbon" + HOSTNAME=machine + SYSLOG=sysklogd + SERVICES=(lo iptables networkmanager crond) + + # End of file + </pre> + + <p>If is first boot after install configure iptables and one of above + described scripts then proceed to + <a href="package.html#sysup">update system.</a></p> + + <h2 id="resolv">2.2.1. Resolver</h2> + + <p>This example will use + <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> + server, edit /etc/resolv.conf and make it immutable;</p> + + <pre> + # /etc/resolv.conf.head can replace this line + nameserver 2.2.73.91.35 + # /etc/resolv.conf.tail can replace this line + </pre> + + <pre> + # chattr +i /etc/resolv.conf + </pre> + + <h2 id="static">2.2.2. Static IP</h2> + + <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p> + + <pre> + Address: 192.168.0.1 11000000.10101000.00000000 .00000001 + Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 + Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 + => + Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C) + Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111 + HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001 + HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110 + Hosts/Net: 254 (Private Internet) + </pre> + + <p>Other IP class that can used for private network;</p> + + <pre> + Address: 10.0.0.1 00001010.00000000.00000000 .00000001 + Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000 + Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111 + => + Network: 10.0.0.0/24 00001010.00000000.00000000 .00000000 (Class A) + Broadcast: 10.0.0.255 00001010.00000000.00000000 .11111111 + HostMin: 10.0.0.1 00001010.00000000.00000000 .00000001 + HostMax: 10.0.0.254 00001010.00000000.00000000 .11111110 + Hosts/Net: 254 (Private Internet) + </pre> + + <p>Manual configuring like net script;</p> + + <pre> + # DEV=enp8s0 + # ADDR=192.168.1.9 + # MASK=24 + # GW=192.168.1.254 + </pre> + + <pre> + # ip addr flush dev ${DEV} + # ip route flush dev ${DEV} + # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + + # ip link set ${DEV} up + # ip route add default via ${GW} + </pre> + + <h2 id="iptables">2.2.3. Iptables</h2> + + <p>For more information about firewall systems read arch wiki + <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a> + and <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> + + <p>Diagram of a package route throw iptables;</p> + + <pre> + + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + + | + v + +-------------+ +------------------+ + |table: filter| >---+ | table: nat | + |chain: INPUT | | | chain: PREROUTING| + +-----+-------+ | +--------+---------+ + | | | + v | v + [local process] | **************** +--------------+ + | +---------+ Routing decision +------< |table: filter | + v **************** |chain: FORWARD| + **************** +------+-------+ + Routing decision | + **************** | + | | + v **************** | + +-------------+ +------< Routing decision >---------------+ + |table: nat | | **************** + |chain: OUTPUT| | + + +-----+-------+ | | + | | v + v | +-------------------+ + +--------------+ | | table: nat | + |table: filter | +----+ | chain: POSTROUTING| + |chain: OUTPUT | +--------+----------+ + +--------------+ | + v + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + </pre> + + <p>Command line usage;</p> + + <pre> + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] -I chain [rulenum] rule-specification + iptables [-t table] -R chain rulenum rule-specification + iptables [-t table] -D chain rulenum + iptables [-t table] -S [chain [rulenum]] + iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] + iptables [-t table] -N chain + iptables [-t table] -X [chain] + iptables [-t table] -P chain target + iptables [-t table] -E old-chain-name new-chain-name + rule-specification = [matches...] [target] + match = -m matchname [per-match-options] + </pre> + + <p>Targets, can be a user defined chain;</p> + + <pre> + ACCEPT - accepts the packet + DROP - drop the packet on the floor + QUEUE - packet will be stent to queue + RETURN - stop traversing this chain and + resume ate the next rule in the + previeus (calling) chain. + + if packet reach the end of the chain or + a target RETURN, default policy for that + chain is applayed. + </pre> + + <p>Target Extensions</p> + + <pre> + AUDIT + CHECKSUM + CLASSIFY + DNAT + DSCP + LOG + Torn on kernel logging, will print some + some information on all matching packets. + Log data can be read with dmesg or syslogd. + This is a non-terminating target and a rule + should be created with matching criteria. + + --log-level level + Level of logging (numeric or see sys- + log.conf(5) + + --log-prefix prefix + Prefix log messages with specified prefix + up to 29 chars log + + --log-uid + Log the userid of the process with gener- + ated the packet + NFLOG + This target pass the packet to loaded logging + backend to log the packet. One or more userspace + processes may subscribe to the group to receive + the packets. + + ULOG + This target provides userspace logging of maching + packets. One or more userspace processes may then + then subscribe to various multicast groups and + then receive the packets. + </pre> + + <p>Commands</p> + <pre> + -A, --append chain rule-specification + -C, --check chain rule-specification + -D, --delete chain rule-specification + -D, --delete chain rulenum + -I, --insert chain [rulenum] rule-specification + -R, --replace chain rulenum rule-specification + -L, --list [chain] + -P, --policy chain target + </pre> + + <p>Parameters</p> + <pre> + -p, --protocol protocol + tcp, udp, udplite, icmp, esp, ah, sctp, all + -s, --source address[/mask][,...] + -d, --destination address[/mask][,...] + -j, --jump target + -g, --goto chain + -i, --in-interface name + -o, --out-interface name + -f, --fragment + -m, --match options module-name + iptables can use extended packet matching + modules. + -c, --set-counters packets bytes + </pre> + + <p>See current rules and packets counts;</p> + + <pre> + # iptables -L -n -v | less + </pre> + + <h3 id="ipt_scripts">2.2.3.1. Iptable scripts</h3> + + <p>Scripts help to setup iptables rules so they can be saved using iptables-save + and later restored using iptables-restore utilities. Init script + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> + loads set of rules from /etc/iptables folder at boot time. + Start option "open" option allows everything to outside + and blocks new connections from outside, "stop" will block and log + everything.</p> + + <p>Setup init script and rules;</p> + + <pre> + # mkdir /etc/iptables + # cp core/conf/iptables/*.sh /etc/iptables/ + # cp core/conf/rc.d/iptables /etc/rc.d/ + # chmod +x /etc/rc.d/iptables + </pre> + + <p>Change /etc/rc.conf and add iptables;</p> + + <pre> + SERVICES=(iptables lo net crond) + </pre> + + <p>Change <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> and define type; server, bridge or open.</p> + + <p>Adjust <a href="conf/ipt-conf.sh">/etc/iptables/ipt-conf.sh</a> + with your network configuration, and adjust + <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a>, <a href="conf/ipt-bridge.sh">/etc/iptables/ipt-bridge.sh</a>, <a href="conf/ipt-open.sh">/etc/iptables/ipt-open.sh</a> according with host necessities.</p> + + <p>When is everything configured run script to load the rules and save them on /etc/iptables. Example for bridge setup;</p> + + <pre> + # cd /etc/iptables + # bash ipt-bridge.sh + </pre> + + <p>From now on use /etc/rc.d/iptables to start and stop.<p> + + <h2 id="wpa">2.2.4. Wpa and dhcpd</h2> + + <p>There is more information on + <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and + see <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>. Manual or first time configuration;</p> + + <pre> + # ip link + </pre> + + <pre> + # iwlist wlp2s0 scan + </pre> + + <pre> + # iwconfig wlp2s0 essid NAME key s:ABCDE12345 + </pre> + + <h3>2.2.4.1. Wpa Supplicant</h3> + + <p>Configure wpa supplicant edit;</p> + + <pre> + # vim /etc/wpa_supplicant.conf + </pre> + + <pre> + ctrl_interface=/var/run/wpa_supplicant + update_config=1 + fast_reauth=1 + ap_scan=1 + </pre> + + <pre> + # wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf + </pre> + + <p>Now start wpa_supplicant with:</p> + + <pre> + # wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf + Successfully initialized wpa_supplicant + </pre> + + <p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a> + init script to auto load wpa configuration and dhcp + client.</p> + + <h3>2.2.4.2. Wpa Cli</h3> + + <pre> + # wpa_cli + > status + </pre> + + <pre> + > add_network + 3 + </pre> + + <pre> + > set_network 3 ssid "Crux-Network" + OK + </pre> + + <pre> + > set_network 3 psk "uber-secret-pass" + OK + </pre> + + <pre> + > enable_network 3 + OK + </pre> + + <pre> + > list_networks + </pre> + + <pre> + > select_network 3 + </pre> + + <pre> + > save_config + </pre> + + <h2 id="nm">2.2.5. Network Manager</h2> + + <p>Wifi status;</p> + + <pre> + $ nmcli radio wifi + $ nmcli radio wifi on + </pre> + + <p>List wifi networks;</p> + + <pre> + $ nmcli device wifi rescan + $ nmcli device wifi list + </pre> + + <p>Connect to a wifi network;</p> + + <pre> + $ nmcli device wifi connect "network name" password "network password" + </pre> + + <p>Edit and save network configuration;</p> + + <pre> + $ nmcli connection edit "network name" + nmcli> save persistent + </pre> + + <a href="index.html">Core OS Index</a> + <p> + This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> |