path: root/linux/network.html
author    Silvino <silvino@bk.ru>  2021-02-25 23:22:17 +0000
committer Silvino <silvino@bk.ru>  2021-02-25 23:22:17 +0000
commit    d12b35a47b9a872ecb5e037f1c2b02e1ea8927fb
tree      8fdac6dfc8cabb9f85a2db3a3bd628cfe44438cd /linux/network.html
parent    0a6b0fc9769daf0932cb207c3285baa31547b489
parent    a3628fc49db4d88ff3e4067268650710d1da3f6f
merge openbsd branch into develop
new directory layout
Diffstat (limited to 'linux/network.html')
-rw-r--r--  linux/network.html  437
1 files changed, 437 insertions, 0 deletions
diff --git a/linux/network.html b/linux/network.html
new file mode 100644
index 0000000..0d359f3
--- /dev/null
+++ b/linux/network.html
@@ -0,0 +1,437 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>2.2. Network</title>
+    </head>
+    <body>
+        <a href="index.html">Core OS Index</a>
+
+        <h1>2.2. Network</h1>
+
+        <p>Operation of the network can be handle with init scripts or with
+        <a href="#nm">network manager</a>;</p>
+
+        <dl>
+            <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt>
+            <dd>Configure <a href="#iptables">iptables</a>, "start" option
+            loads set of rules from file /etc/iptables/(name).v4, "open" option
+            allows everything to outside and blocks everything from outside,
+            "stop" option will block and log everything.</dd>
+            <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt>
+            <dd>Configure Ethernet interface with static or dynamic (dhcp)
+            IP, set default route and add default gateway.</dd>
+            <dt><a href="conf/rc.d/wlan">/etc/rc.d/wlan</a></dt>
+            <dd>Configure Wireless interface, launch wpa_supplicant to handle
+            wireless authenticationand dynamic (dhcp)
+            connection to router and add as default gateway.</dd>
+            <dt><a href="conf/rc.d/wlan">/etc/rc.d/networkmanager</a></dt>
+            <dd>Use network manager to handle connections.</dd>
+        </dl>
+
+        <p>Choose wireless (wlan), cable network (net) or network manager in
+        <a href="conf/rc.conf">/etc/rc.conf</a> to handle configuration of the 
+        network at startup, example using network manager;</p>
+
+        <pre>
+        #
+        # /etc/rc.conf: system configuration
+        #
+
+        FONT=default
+        KEYMAP=dvorak
+        TIMEZONE="Europe/Lisbon"
+        HOSTNAME=machine
+        SYSLOG=sysklogd
+        SERVICES=(lo iptables networkmanager crond)
+
+        # End of file
+        </pre>
+
+        <p>If is first boot after install configure iptables and one of above
+        described scripts then proceed to
+        <a href="package.html#sysup">update system.</a></p>
+
+        <h2 id="resolv">2.2.1. Resolver</h2>
+
+        <p>This example will use
+        <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
+        server, edit /etc/resolv.conf and make it immutable;</p>
+
+        <pre>
+        # /etc/resolv.conf.head can replace this line
+        nameserver 2.2.73.91.35
+        # /etc/resolv.conf.tail can replace this line
+        </pre>
+
+        <pre>
+        # chattr +i /etc/resolv.conf
+        </pre>
+
+        <h2 id="static">2.2.2. Static IP</h2>
+
+        <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>
+
+        <pre>
+        Address:   192.168.0.1           11000000.10101000.00000000 .00000001
+        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
+        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
+        =>
+        Network:   192.168.0.0/24        11000000.10101000.00000000 .00000000 (Class C)
+        Broadcast: 192.168.0.255         11000000.10101000.00000000 .11111111
+        HostMin:   192.168.0.1           11000000.10101000.00000000 .00000001
+        HostMax:   192.168.0.254         11000000.10101000.00000000 .11111110
+        Hosts/Net: 254                   (Private Internet)
+        </pre>
+
+        <p>Other IP class that can used for private network;</p>
+
+        <pre>
+        Address:   10.0.0.1              00001010.00000000.00000000 .00000001
+        Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
+        Wildcard:  0.0.0.255             00000000.00000000.00000000 .11111111
+        =>
+        Network:   10.0.0.0/24           00001010.00000000.00000000 .00000000 (Class A)
+        Broadcast: 10.0.0.255            00001010.00000000.00000000 .11111111
+        HostMin:   10.0.0.1              00001010.00000000.00000000 .00000001
+        HostMax:   10.0.0.254            00001010.00000000.00000000 .11111110
+        Hosts/Net: 254                   (Private Internet)
+        </pre>
+
+        <p>Manual configuring like net script;</p>
+
+        <pre>
+        # DEV=enp8s0
+        # ADDR=192.168.1.9
+        # MASK=24
+        # GW=192.168.1.254
+        </pre>
+
+        <pre>
+        # ip addr flush dev ${DEV}
+        # ip route flush dev ${DEV}
+        # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+        # ip link set ${DEV} up
+        # ip route add default via ${GW}
+        </pre>
+
+        <h2 id="iptables">2.2.3. Iptables</h2>
+
+        <p>For more information about firewall systems read arch wiki
+        <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a>
+        and <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p>
+
+        <p>Diagram of a package route throw iptables;</p>
+
+        <pre>
+
+                                 XXXXXXXXXXXXXXXXX
+                                 XXXX Network XXXX
+                                 XXXXXXXXXXXXXXXXX
+                                         +
+                                         |
+                                         v
+   +-------------+              +------------------+
+   |table: filter| &gt;---+        | table: nat       |
+   |chain: INPUT |     |        | chain: PREROUTING|
+   +-----+-------+     |        +--------+---------+
+         |             |                 |
+         v             |                 v
+   [local process]     |           ****************          +--------------+
+         |             +---------+ Routing decision +------&lt; |table: filter |
+         v                         ****************          |chain: FORWARD|
+  ****************                                           +------+-------+
+  Routing decision                                                  |
+  ****************                                                  |
+         |                                                          |
+         v                        ****************                  |
+  +-------------+       +------&lt;  Routing decision  &gt;---------------+
+  |table: nat   |       |         ****************
+  |chain: OUTPUT|       |               +
+  +-----+-------+       |               |
+        |               |               v
+        v               |      +-------------------+
+  +--------------+      |      | table: nat        |
+  |table: filter | +----+      | chain: POSTROUTING|
+  |chain: OUTPUT |             +--------+----------+
+  +--------------+                      |
+                                        v
+                                XXXXXXXXXXXXXXXXX
+                                XXXX Network XXXX
+                                XXXXXXXXXXXXXXXXX
+
+        </pre>
+
+        <p>Command line usage;</p>
+
+        <pre>
+        iptables [-t table] {-A|-C|-D} chain rule-specification
+        iptables [-t table] {-A|-C|-D} chain  rule-specification
+        iptables  [-t table] -I chain [rulenum] rule-specification
+        iptables [-t table] -R chain rulenum  rule-specification
+        iptables [-t table] -D chain rulenum
+        iptables [-t table] -S [chain [rulenum]]
+        iptables  [-t  table]  {-F|-L|-Z} [chain [rulenum]] [options...]
+        iptables [-t table] -N chain
+        iptables [-t table] -X [chain]
+        iptables [-t table] -P chain target
+        iptables [-t table]  -E  old-chain-name  new-chain-name
+        rule-specification = [matches...] [target]
+        match = -m matchname [per-match-options]
+        </pre>
+
+        <p>Targets, can be a user defined chain;</p>
+
+        <pre>
+        ACCEPT - accepts the packet
+        DROP   - drop the packet on the floor
+        QUEUE  - packet will be stent to queue
+        RETURN - stop traversing this chain and
+                 resume ate the next rule in the
+                 previeus (calling) chain.
+
+        if packet reach the end of the chain or
+        a target RETURN, default policy for that
+        chain is applayed.
+        </pre>
+
+        <p>Target Extensions</p>
+
+        <pre>
+        AUDIT
+        CHECKSUM
+        CLASSIFY
+        DNAT
+        DSCP
+        LOG
+            Torn on kernel logging, will print some
+            some information on all matching packets.
+            Log data can be read with dmesg or syslogd.
+            This is a non-terminating target and a rule
+            should be created with matching criteria.
+
+            --log-level level
+                  Level of logging (numeric or see sys-
+                  log.conf(5)
+
+            --log-prefix prefix
+                  Prefix log messages with specified prefix
+                  up to 29 chars log
+
+            --log-uid
+                  Log the userid of the process with gener-
+                  ated the packet
+        NFLOG
+            This target pass the packet to loaded logging
+            backend to log the packet. One or more userspace
+            processes may subscribe to the group to receive
+            the packets.
+
+        ULOG
+            This target provides userspace logging of maching
+            packets. One or more userspace processes may then
+            then subscribe to various multicast groups and
+            then receive the packets.
+        </pre>
+
+        <p>Commands</p>
+        <pre>
+         -A, --append chain rule-specification
+         -C, --check chain rule-specification
+         -D, --delete chain rule-specification
+         -D, --delete chain rulenum
+         -I, --insert chain [rulenum] rule-specification
+         -R, --replace chain rulenum rule-specification
+         -L, --list [chain]
+         -P, --policy chain target
+        </pre>
+
+        <p>Parameters</p>
+        <pre>
+         -p, --protocol protocol
+               tcp, udp, udplite, icmp, esp, ah, sctp, all
+         -s, --source address[/mask][,...]
+         -d, --destination address[/mask][,...]
+         -j, --jump target
+         -g, --goto chain
+         -i, --in-interface name
+         -o, --out-interface name
+         -f, --fragment
+         -m, --match options module-name
+               iptables can use extended packet matching
+               modules.
+         -c, --set-counters packets bytes
+        </pre>
+
+        <p>See current rules and packets counts;</p>
+
+        <pre>
+        # iptables -L -n -v | less
+        </pre>
+
+        <h3 id="ipt_scripts">2.2.3.1. Iptable scripts</h3>
+
+        <p>Scripts help to setup iptables rules so they can be saved using iptables-save
+        and later restored using iptables-restore utilities. Init script
+        <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a>
+        loads set of rules from /etc/iptables folder at boot time.
+        Start option "open" option allows everything to outside
+        and blocks new connections from outside, "stop" will block and log
+        everything.</p>
+
+        <p>Setup init script and rules;</p>
+
+        <pre>
+        # mkdir /etc/iptables
+        # cp core/conf/iptables/*.sh /etc/iptables/
+        # cp core/conf/rc.d/iptables /etc/rc.d/
+        # chmod +x /etc/rc.d/iptables
+        </pre>
+
+        <p>Change /etc/rc.conf and add iptables;</p>
+
+        <pre>
+        SERVICES=(iptables lo net crond)
+        </pre>
+
+        <p>Change <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> and define type; server, bridge or open.</p>
+
+        <p>Adjust <a href="conf/ipt-conf.sh">/etc/iptables/ipt-conf.sh</a>
+        with your network configuration, and adjust
+        <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a>, <a href="conf/ipt-bridge.sh">/etc/iptables/ipt-bridge.sh</a>, <a href="conf/ipt-open.sh">/etc/iptables/ipt-open.sh</a> according with host necessities.</p>
+
+        <p>When is everything configured run script to load the rules and save them on /etc/iptables. Example for bridge setup;</p>
+
+        <pre>
+        # cd /etc/iptables
+        # bash ipt-bridge.sh
+        </pre>
+
+        <p>From now on use /etc/rc.d/iptables to start and stop.<p>
+
+        <h2 id="wpa">2.2.4. Wpa and dhcpd</h2>
+
+        <p>There is more information on
+        <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
+        see <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>. Manual or first time configuration;</p>
+
+        <pre>
+        # ip link
+        </pre>
+
+        <pre>
+        # iwlist wlp2s0 scan
+        </pre>
+
+        <pre>
+        # iwconfig wlp2s0 essid NAME key s:ABCDE12345
+        </pre>
+
+        <h3>2.2.4.1. Wpa Supplicant</h3>
+
+        <p>Configure wpa supplicant edit;</p>
+
+        <pre>
+        # vim /etc/wpa_supplicant.conf
+        </pre>
+
+        <pre>
+        ctrl_interface=/var/run/wpa_supplicant
+        update_config=1
+        fast_reauth=1
+        ap_scan=1
+        </pre>
+
+        <pre>
+        # wpa_passphrase &lt;ssid&gt; &lt;password&gt; &gt;&gt; /etc/wpa_supplicant.conf
+        </pre>
+
+        <p>Now start wpa_supplicant with:</p>
+
+        <pre>
+        # wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant.conf
+        Successfully initialized wpa_supplicant
+        </pre>
+
+        <p>Use <a href="conf/rc.d/wlan">/etc/rc.d/wlan</a>
+        init script to auto load wpa configuration and dhcp
+        client.</p>
+
+        <h3>2.2.4.2. Wpa Cli</h3>
+
+        <pre>
+        # wpa_cli
+        &gt; status
+        </pre>
+
+        <pre>
+        &gt; add_network
+        3
+        </pre>
+
+        <pre>
+        &gt; set_network 3 ssid "Crux-Network"
+        OK
+        </pre>
+
+        <pre>
+        &gt; set_network 3 psk "uber-secret-pass"
+        OK
+        </pre>
+
+        <pre>
+        &gt; enable_network 3
+        OK
+        </pre>
+
+        <pre>
+        &gt; list_networks
+        </pre>
+
+        <pre>
+        &gt; select_network 3
+        </pre>
+
+        <pre>
+        &gt; save_config
+        </pre>
+
+        <h2 id="nm">2.2.5. Network Manager</h2>
+
+        <p>Wifi status;</p>
+
+        <pre>
+        $ nmcli radio wifi
+        $ nmcli radio wifi on
+        </pre>
+
+        <p>List wifi networks;</p>
+
+        <pre>
+        $ nmcli device wifi rescan
+        $ nmcli device wifi list
+        </pre>
+
+        <p>Connect to a wifi network;</p>
+
+        <pre>
+        $ nmcli device wifi connect "network name" password "network password"
+        </pre>
+
+        <p>Edit and save network configuration;</p>
+
+        <pre>
+        $ nmcli connection edit "network name"
+        nmcli> save persistent
+        </pre>
+
+        <a href="index.html">Core OS Index</a>
+        <p>
+        This is part of the Tribu System Documentation.
+        Copyright (C) 2020
+        Tribu Team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+
+    </body>
+</html>
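Review bot: the resolver example in 2.2.1, `nameserver 2.2.73.91.35`, is not a valid IPv4 address (five octets), so the `/etc/resolv.conf` shown leaves the host with no usable nameserver, and because the very next step runs `chattr +i /etc/resolv.conf` nothing (dhcpcd, the `resolv.conf.head`/`resolv.conf.tail` hooks the two comment lines mention, or an admin with a plain editor) can correct it afterwards; fill in the real address from the linked Chaos Computer Club page and either drop the head/tail comments or the immutable step, since the two cannot both work. In 2.2.4, `iwconfig wlp2s0 essid NAME key s:ABCDE12345` configures a WEP key, which gives no meaningful protection and should not be the "first time configuration" a reader copies; and that line, `wpa_passphrase <ssid> <password> >> /etc/wpa_supplicant.conf` and `nmcli device wifi connect "network name" password "network password"` all place the secret on the command line where it lands in shell history and in `ps` output. Suggest dropping the WEP example, noting that `wpa_passphrase` also writes the cleartext passphrase into the file as a `#psk="..."` comment that should be deleted, and adding `chmod 600 /etc/wpa_supplicant.conf` after the append. Smaller points: the `/etc/rc.d/networkmanager` entry in the first list links to `conf/rc.d/wlan` (copied from the entry above it); the "open" option is described as blocking "everything from outside" in that list but "new connections from outside" in 2.2.3.1, and the two should agree; the iptables synopsis repeats its first line (`iptables [-t table] {-A|-C|-D} chain rule-specification`); `ULOG` is listed as a current target extension although it was removed from the kernel in favour of `NFLOG`, so it deserves a "legacy" remark; and the closing tag in `From now on use /etc/rc.d/iptables to start and stop.<p>` should be `</p>`. A spelling pass is also needed: "authenticationand", "throw" (through), "Torn on", "stent", "ate", "previeus", "applayed", "maching".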