Linux Networking
Ethernet
ethtool
NIC configuration utility …find Ethernet devices on the PCI/USB bus
>>> grep -i ethernet <(lspci) <(lsusb) | cut -d: -f2-
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
Bus 002 Device 002: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
# read PCI device information from sysfs
>>> cat /sys/bus/pci/devices/0000:02:00.0/vendor
0x10ec
# find the vendor product number
>>> grep 0x10ec /usr/src/linux-headers-$(uname -r)/include/linux/pci_ids.h
#define PCI_VENDOR_ID_REALTEK 0x10ec
List all Ethernet device names
>>> ip -o link show | grep link/ether | cut -d: -f2 | sort
enp0s19f2u4
enp2s0
wlp3s0
>>> ls -1 /sys/class/net/ | egrep 'en|wl' | sort
enp0s19f2u4
enp2s0
wlp3s0
>>> cat /proc/net/dev | tail -n+4 | cut -d: -f1 | sort
enp0s19f2u4
enp2s0
wlp3s0
Identify the name of the driver module …follow the link in /sys/class/net/*/device/driver
>>> basename `readlink /sys/class/net/eth0/device/driver/module`
tg3
# find kernel configuration parameter by searching in the Linux kernel source code
>>> find -type f -name Makefile | xargs grep tg3
./drivers/net/ethernet/broadcom/Makefile:obj-$(CONFIG_TIGON3) += tg3.o
>>> grep CONFIG_TIGON3 /boot/config-$(uname -r)
CONFIG_TIGON3=m
Find the vendor product number from the PCI IDs kernel header
>>> cat /sys/bus/pci/devices/0000:05:00.0/vendor
0x14e4
>>> cat /sys/bus/pci/devices/0000:05:00.0/device
0x1681
>>> egrep "0x14e4|0x1681" include/linux/pci_ids.h
#define PCI_DEVICE_ID_AL_M1681 0x1681
#define PCI_DEVICE_ID_MOXA_CP168U 0x1681
#define PCI_VENDOR_ID_BROADCOM 0x14e4
#define PCI_DEVICE_ID_TIGON3_5761 0x1681
#define PCI_DEVICE_ID_ARECA_1681 0x1681
Search the kernel driver source directory for modules referencing the vendor ID
>>> grep -Rl PCI_VENDOR_ID_BROADCOM drivers/net/ethernet
drivers/net/ethernet/broadcom/tg3.c
drivers/net/ethernet/broadcom/tg3.h
drivers/net/ethernet/broadcom/b44.c
drivers/net/ethernet/broadcom/bnx2.c
DHCP
Using dnsmasq as DHCP server
# install the DHCP service package
apt install dnsmasq # Debian
yum install dnsmasq # Centos
# Configuration files
/etc/dnsmasq.conf # local configuration file
/etc/dnsmasq.d/ # custom configuration files
dnsmasq --test # syntax check the configuration
dnsmasq --help dhcp # list all DHCP option numbers
# Run the daemon foreground
dnsmasq --keep-in-foreground --no-daemon
# Enable and start service
systemctl enable dnsmasq && systemctl start dnsmasq
journalctl -u dnsmasq -f # print dnsmasq log
# Open the firewall on CentOS
firewall-cmd --add-service=dns --permanent # port 53
firewall-cmd --add-service=dhcp --permanent # port 67
firewall-cmd --reload # apply rules
…minimal DHCP example configuration file /etc/dnsmasq.d/dhcp.conf
port=0 # disable DNS service
log-dhcp # extra verbose on DHCP requests
domain=devops.test # allow FQDNs
no-hosts # do not read /etc/hosts
## address pool configuration
dhcp-range=10.1.1.1,10.1.1.254,255.255.255.0,12h
dhcp-host=02:FF:0A:0A:06:05,lxdns01,10.1.1.5
dhcp-host=02:FF:0A:0A:06:06,lxdns02,10.1.1.6
dhcp-host=02:FF:0A:0A:06:1B,lxdev01,10.1.1.27
dhcp-host=02:FF:0A:0A:06:1C,lxdev02,10.1.1.28
dhcp-host=02:FF:0A:0A:06:1D,lxdev03,10.1.1.29
dhcp-host=02:FF:0A:0A:06:1E,lxdev04,10.1.1.30
## additional options
dhcp-option=option:router,10.1.1.1 # default gateway
dhcp-option=option:dns-server,10.1.1.1 # DNS server
dhclient
/etc/dhcp/dhclient.conf # DHCP client configuration
dhclient # request a lease, configure network interface
Use dhcping with the broadcast IP address to determine if a DHCP server is on the network
>>> dhcping -s 255.255.255.255 -rv
Got answer from: 10.1.2.3
received from 10.1.2.3, expected from 255.255.255.255
# on a network without a DHCP server:
>>> dhcping -s 255.255.255.255 -rv
no answer
…inspect DHCP packets with dhcpdump
dhcpcd
dhcpcd is a DHCP client daemon, and optionally a WPA supplicant
# run in debug mode, foreground
dhcpcd -Bd -f /etc/dhcpcd.conf
- clear the network interface configuration with ip addr flush
- use the dhcpcd DHCP client to request a lease
- request an IP address while white-listing the DHCP server at 10.1.1.5 with -W
- rebind the interface before the lease expires with -n
>>> apt install dhcpcd5 # install a DHCP client
>>> ip addr flush ens3 # clear interface configuration
>>> dhcpcd -B -W 10.1.1.5 -1 ens3
...
ens3: leased 10.1.1.27 for 43200 seconds
ens3: changing route to 10.1.1.0/24
ens3: changing default route via 10.1.1.1
...
>>> dhcpcd -d -B -W 10.1.1.5 -1 -n ens3
...
ens3: reading lease `/var/lib/dhcpcd5/dhcpcd-ens3.lease'
ens3: rebinding lease of 10.1.1.27
..
ens3: acknowledged 10.1.1.27 from 10.1.1.5
ens3: leased 10.1.1.27 for 43200 seconds
...
Configuration in /etc/dhcpcd.conf
# prevent the configuration of an interface:
denyinterfaces wlan0 # do not configure WiFi
TCP/IP
IP Protocol
Reserved addresses…
0.0.0.0/8 current network (only valid as source address)
127.0.0.0/8 loopback (used for tests)
255.255.255.255 broadcast
Private address ranges
- reserved for internal use behind a router or other NAT device
- a separate set of addresses usable on any internal network, not routed on the public Internet
| First | Last | Class |
|---|---|---|
| 10.0.0.0 | 10.255.255.255 | A |
| 172.16.0.0 | 172.31.255.255 | B |
| 192.168.0.0 | 192.168.255.255 | C |
CIDR (classless inter-domain routing)
- developed as a more granular method for classful IP addressing
- more compact representation of an IP address
- based on VLSM (variable length subnet masking)
- notation either /xx (prefix length) or dotted-decimal netmask
| CIDR | Subnet Netmask |
|---|---|
| /8 | 255.0.0.0 |
| /16 | 255.255.0.0 |
| /24 | 255.255.255.0 |
ip addr
The ip command configures the local IP network communication
# configure the IP address of a network interface:
ip addr add <address>/<prefix> dev <interface>
# show configuration for interface
ip addr show <interface>
# show enabled interfaces
ip link show up
# enable/disable network interface
ip link set <interface> up|down
# clear interface IP configuration
ip addr flush dev <interface>
# network traffic counters
/proc/net/dev
ip -s l
ipcalc
calculate IP network segments
# calculate sub networks
ipcalc <address>/<prefix>
ipcalc <address> <netmask>
ip route
- router, forwards data packets between networks
- routing, selects a path for traffic across multiple networks depending on the destination address
- packet forwarding, transit of packets between networks
- routing table, lists the routes to particular network destinations
- static routes, a manually-configured routing rule
- dynamic routing is based on a “discovery” procedure (cf. spanning tree)
- routing entries may have an associated metric (distance)
- route evaluation process selects an entry from a routing table
- longest prefix match selects most specific entry with the longest subnet mask
- symmetric routing, inbound and outbound traffic take the same path
- asymmetric routing should be avoided because:
- a source address arriving on the wrong interface may be considered spoofed
- stateful firewalls depend on connection tracking of inbound and outbound traffic
- congestion of outbound traffic
routel # list comprehensive routing configuration
ip r # show routing table
ip route get <address> # check which interface is used for a specific dest.
ip route add <address>/<prefix> dev <interface> # create network route
ip route add <address>/<prefix> via <gateway> dev <interface> # static route
ip route delete <address>/<prefix> dev <interface> # remove network route
ip route flush cache # flush routing cache after reconfiguration
ip route flush table main # empty routing table
## -- deprecated commands -- ##
netstat -rn # show routing table
route -n
- a network gateway handles packets with destinations outside the local network
- default route: forwarding rule used when no more specific route matches
- designated zero-address: 0.0.0.0/0 (IPv4), ::/0 (IPv6); the /0 subnet mask matches all networks
- lookups not matching any other route use the default route
- methods to configure the default gateway: DHCP, BOOTP, ICMP Router Discovery Protocol (IRDP), manual configuration
- only one default gateway can be configured
ip route add default via <ip> # configure/change the default route
ip route change default via <ip> dev <int>
ip route del default via <ip> # remove default gateway
## -- deprecated commands -- ##
route add default gw <ip> # add a default route
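As an added example (not part of the original notes), the CIDR arithmetic from the netmask table above and the longest-prefix-match rule from the routing section, in plain POSIX sh: the netmask/network/broadcast helpers need no ipcalc, and route_lookup picks the most specific entry from a routing table. The ROUTES table and all function names are my own; the 0.0.0.0/0 entry plays the role of the default route and is chosen only when nothing more specific matches.

```shell
#!/bin/sh
# Added example, not part of the original notes: CIDR arithmetic and a
# longest-prefix-match lookup in plain POSIX sh (no ipcalc or ip needed).
# The ROUTES table below is constructed for the demo.

# Convert a dotted-quad IPv4 address to a 32-bit integer: 192.168.1.3 -> 3232235779
ip4_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad notation
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length: 24 -> 255.255.255.0 (also handles /0 and /32)
prefix_to_mask() {
    int_to_ip4 $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address of addr/prefix: 10.1.1.27/24 -> 10.1.1.0
network_of() {
    _a=$(ip4_to_int "${1%/*}")
    _m=$(( (4294967295 << (32 - ${1#*/})) & 4294967295 ))
    int_to_ip4 $(( _a & _m ))
}

# Broadcast address of addr/prefix: 10.1.1.27/24 -> 10.1.1.255
broadcast_of() {
    _a=$(ip4_to_int "${1%/*}")
    _m=$(( (4294967295 << (32 - ${1#*/})) & 4294967295 ))
    int_to_ip4 $(( (_a & _m) | (~_m & 4294967295) ))
}

# Exit status 0 when address $1 lies inside network $2 (CIDR), else 1
in_network() {
    [ "$(network_of "$1/${2#*/}")" = "$(network_of "$2")" ]
}

# Constructed routing table: "<destination cidr> <next hop or device>", one per line.
ROUTES='0.0.0.0/0 via 10.1.1.1
10.0.0.0/8 via 10.1.1.254
10.1.1.0/24 dev ens3
10.1.1.5/32 dev ens3'

# Longest-prefix match: print the most specific entry whose network contains $1.
# The loop reads from a here-document, not a pipe, so the result variables
# survive in the calling shell.
route_lookup() {
    _best=""; _bestlen=-1
    while read -r _dst _rest; do
        _len=${_dst#*/}
        if in_network "$1" "$_dst" && [ "$_len" -gt "$_bestlen" ]; then
            _best="$_dst $_rest"; _bestlen=$_len
        fi
    done <<EOF
$ROUTES
EOF
    echo "$_best"
}

# Stand-alone demo
echo "10.1.1.27/24: net $(network_of 10.1.1.27/24) mask $(prefix_to_mask 24) bcast $(broadcast_of 10.1.1.27/24)"
for _dst in 10.1.1.5 10.1.1.27 10.2.3.4 8.8.8.8; do
    echo "$_dst -> $(route_lookup "$_dst")"
done
```

The lookup is the same rule the kernel applies: 10.1.1.5 hits the /32 host route even though the /24 and /8 entries also contain it, and 8.8.8.8 falls through to the /0 default.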
- gateway redundancy protocol
- VRRP (Virtual Router Redundancy Protocol)
- Cisco proprietary: GLBP (Gateway Load Balancing Protocol), HSRP (Hot Standby Router Protocol)
- gateways use one IP address as next hop for the network in an active-active or active-passive configuration
- IRDP (ICMP Router Discovery Protocol)
- policy-based routing, routing decisions based on criteria other than the destination address
- uses a separate routing table for each of the interfaces
- policy rules direct outbound traffic to the appropriate routing table
- ensure that the main routing table has a default route
- the kernel searches policy rules with the lowest priority number first
- the local rule with priority 0 matches all traffic and handles addresses of localhost
ip rule # list routing tables
/etc/iproute2/rt_tables # routing table configuration file
ip route show table <t_name> # show specific routing table
ip rule add from <ip> lookup <t_name> prio <num> # add a routing policy to table
ip route add default via <ip> dev <dev> table <t_name> # add a default route to table
TCP Ports
Ports are the end-points of TCP and UDP network connections…
- TCP/IP uses ports to communicate over the IP protocol
- …programs send and receive data at a port
lsof -Pnl -i # list open ports
Port addressing…for example 192.168.1.3:80
- …identifies a node on the network by IP address…
- …followed by a colon : as separator to the port number
Ports are sub-divided into sockets…
- …each socket accepts a different protocol (for example TCP IPv4)
- Sockets are part of the transport layer in the OSI model
- …single socket can send and receive data (bi-directional)
- …identified by pairing the local IP address and port with the remote address and port.
nc
NetCat…TCP network tool…two modes…
- …client
nc [-options] [hostname] [ports]
- …server
nc -l [options] [hostname] [port]
Scanning ports…
-z # scan for listening daemons (without sending any data to them)
-4/-6 # use IPv4/IPv6 specifically
-v # enable verbose mode
# check the SSH port on localhost
nc -v -4 -z 127.0.0.1 22
Simple client server example…
# listen on port 8080 (server)...pipe incoming data to file
nc -l 8080 > /tmp/inbound
# send data to port 8080 (client)
echo input | nc 127.0.0.1 8080
ss
ss -l # listening ports
netstat -lN
lsof -nPi tcp # established connections
ss -r
netstat -p # process socket binding:
ss -p
socklist
nc -vnzu <address> <port> # check UDP connectivity to destination port
nmcli
NetworkManager
nmcli device status
nmcli con mod $device connection.autoconnect yes
GNOME NetworkManager [^nm1] configures and monitors Wifi network connections:
nmcli radio wifi on|off # toggle Wifi
nmcli dev wifi # list available Wifi APs
Connect to Wifi using the NetworkManager applet [^nm2].
Start the applet at session start from the i3 window manager configuration:
# start NetworkManager applet
exec_always --no-startup-id nm-applet
[^nm1] GNOME Network Manager
https://wiki.gnome.org/Projects/NetworkManager
[^nm2] NetworkManager Gnome Applet
https://gitlab.gnome.org/GNOME/network-manager-applet
TCP Load Balancer
Load balancing…
- …distribution of workloads across multiple computing resources
- Goals…
- …optimize resource use
- …maximize throughput
- …minimize response time
- …avoid overloading any single resource
- …provide redundancy over multiple resources
- Options…
- …direct routing (direct server return)
- …destination NAT
- Proxy terminology…
- …reverse proxy …entity before server …acts on behalf of a server
- …forward proxy …entity before client …acts on behalf of a client
Layer 4 vs Layer 7
- TCP load balancers (layer 4)
- …works on IP-addresses and TCP port numbers
- …per connection …transparent to the client
- …high-availability based on latency & service up-state
- …more efficient than high-layer protocols
- …no decisions based on transported data (…no caches)
- Protocol aware load balancers (layer 7)…
tcpdump
tcpdump is a network debugging tool
- intercepts/displays packets transmitted/received on a network interface
- filters are used to select a subset of interesting packets
- different output formats for different packet types
- commonly used options
-D # list interfaces
-i <iface> # select network interface
# output modifier
-t # no timestamps
-n # do not resolve hostname
-nn # ^^ and ports
-q # just source/destination
-v[v[v]] # verbose output
-A # print payload (ASCII)
-x # ^^ in hex
-X # ^^ hex and ASCII
- filters, combine with and, or, not
# packets from hostname/ip-address
[src|dst] host <host>
# packets using host as a gateway
gateway host <host>
# packets from host in network, CIDR notation
[src|dst] net <cidr>
# packets sent to/from port
[tcp|udp] [src|dst] port <port>
portrange <port>-<port>
# packets by protocol
(ether|ip|ip6) proto <protocol>
- examples…
# raw output stream
tcpdump -ttnnvvS | grep ...
# specific IP destination port
tcpdump -nnvvS src 192.168.1.10 and dst port 80
# traffic crossing between networks
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
# ICMP packets from a specific IP
tcpdump -n icmp and src host 192.168.0.2
# DHCP traffic
tcpdump -v -n port 67 or 68
# SSH connections
tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
# DNS traffic
tcpdump -vvAs0 port 53
# NTP traffic
tcpdump -vvAs0 port 123
# dump HTTPS traffic
tcpdump -nnSX port 443
# extract HTTP request URLs
tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"
# capture SMTP envelope addresses
tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'
# top hosts by packet count
tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20
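As an added example (not part of the original notes), the same kind of aggregation as the last pipeline above, but over a constructed capture so it runs offline. SAMPLE imitates the shape of `tcpdump -nn -t` output; the awk field positions are an assumption about that format, and the function names are my own. Besides the top-talker count it adds a defender-side check: sources that send SYN-only segments to many distinct destination ports, which is worth correlating with other logs.

```shell
#!/bin/sh
# Added example, not part of the original notes: aggregate tcpdump output with
# awk. SAMPLE is a constructed capture in the shape of `tcpdump -nn -t` lines
# (the field positions used below are an assumption about that format): a
# normal HTTP handshake, one host probing several ports with SYNs, a DNS query.
SAMPLE='IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
IP 192.168.1.20.40001 > 10.0.0.5.22: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.20.40002 > 10.0.0.5.23: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.20.40003 > 10.0.0.5.25: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.20.40004 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.20.40005 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.30.5353 > 10.0.0.5.53: 12345+ A? devops.test. (29)'

# Top talkers by source address (reads tcpdump lines on stdin). Like the
# cut|sort|uniq pipeline above, but strips the ".port" suffix from field 2
# instead of relying on the dotted-field trick. Output: "<count> <source>".
top_talkers() {
    awk '$1 == "IP" { s = $2; sub(/\.[0-9]+$/, "", s); n[s]++ }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Sources that sent SYN-only segments ("Flags [S]," and not "[S.]") to at least
# $1 distinct destination ports. Output: "<source> <distinct ports>".
syn_fanout() {
    awk -v thr="$1" '
        index($0, "Flags [S],") {
            s = $2; sub(/\.[0-9]+$/, "", s)              # source without port
            d = $4; sub(/:$/, "", d)                     # "10.0.0.5.22:" -> "10.0.0.5.22"
            k = split(d, p, "."); port = p[k]            # last dotted field is the port
            if (!((s, port) in seen)) { seen[s, port] = 1; ports[s]++ }
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | sort
}

# Stand-alone demo
printf '%s\n' "$SAMPLE" | top_talkers
printf '%s\n' "$SAMPLE" | syn_fanout 4
```

In a real run replace the printf with `tcpdump -nn -t -c 200 -i <iface> | top_talkers`; the threshold for syn_fanout depends on what is normal for the segment, so start high and tune against known-good traffic.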
IPVS
- IPVS (IP Virtual Server)
- Layer 4 load balancing (aka layer 4 switching)
- TCP/UDP traffic load-balanced between physical servers
- Service exposed by a unique virtual IP
- Multiple ways to forward packets:
- NAT (Network Address Translation)
- Direct Routing (with an unmodified packet) to a real server accepting traffic for a virtual IP address
- IP-IP Encapsulation (tunnelling) forwards/redirects packets to another address (possibly in a different network)
# install on CentOS
yum -y install ipvsadm
# enable IP forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf && sysctl -p
touch /etc/sysconfig/ipvsadm && systemctl enable --now ipvsadm
# show the virtual server table with active connection counts
ipvsadm -L -n
# total number of packets/bytes sent/received
ipvsadm -L -n --stats
# number of packets/bytes sent/received per second
ipvsadm -L -n --rate
SR-IOV
Single root I/O virtualization (SR-IOV):
- PCI Special Interest Group (PCI-SIG) specification for I/O virtualization.
- Extension to the PCI Express (PCIe) specification
- Allows partitioning of a PCI function into many virtual interfaces for the purpose of sharing the resources of a PCIe device in a virtual environment
Enables PCIe adapter sharing for virtual machines and containers.
- PCIe adapters become self-virtualizing, a single PCIe device appears as multiple, separate devices
- The physical device is referred to as Physical Function (PF)
- Virtual devices are referred to as Virtual Functions (VF)
- By default, SR-IOV is disabled and the PF behaves as a regular PCIe device
Physical function:
- Function of a PCIe adapter that supports the SR-IOV interface, advertised by the device's SR-IOV capability
- Used to dynamically allocate VFs, controlled by the PF via registers encapsulated in the capability
- The max. number of VFs is limited by the device hardware (up to 256 according to the spec.)
- Typically supports an L2 sorter/switch and link controls
Virtual function:
- Each VF's PCI configuration space can be accessed by…
- its own bus, slot and function number (Routing ID)
- a PCI memory space, used to map its register set
- Can move data in and out via DMA
- Dedicated Tx/Rx queues
SR-IOV drivers are implemented in the Linux kernel:
- VFs have near-native performance (better performance than para-virtualized drivers and emulated access)
- VFs provide data protection between partitions (including Quality of Service)
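As an added example (not part of the original notes), a few sysfs helpers covering the Ethernet section above (driver module behind an interface, PCI vendor/device id) and this SR-IOV section (how many VFs the PF supports and has enabled). The attribute names device/driver/module, vendor, device, sriov_totalvfs and sriov_numvfs are the real Linux sysfs ones; the directory tree built by make_fake_sysfs, the device ids in it and the function names are constructed so the demo runs without hardware or root.

```shell
#!/bin/sh
# Added example, not from the original notes: sysfs lookups for NIC driver,
# PCI ids and SR-IOV VF counts. make_fake_sysfs builds a constructed tree
# (same layout and attribute names as real sysfs) so this runs anywhere.

# Driver module behind a network interface: nic_driver /sys/class/net/eth0 -> tg3
nic_driver() {
    basename "$(readlink "$1/device/driver/module")"
}

# PCI vendor:device id of a device directory, e.g. 0x14e4:0x1681
pci_id() {
    echo "$(cat "$1/vendor"):$(cat "$1/device")"
}

# "<enabled>/<supported>" VFs, or "unsupported" when the PF has no SR-IOV capability
sriov_status() {
    if [ -r "$1/sriov_totalvfs" ]; then
        echo "$(cat "$1/sriov_numvfs")/$(cat "$1/sriov_totalvfs")"
    else
        echo unsupported
    fi
}

# Enable $2 VFs on PF $1 (0 disables them again). Fails when the device has no
# SR-IOV capability or $2 exceeds sriov_totalvfs. The kernel refuses to change
# a non-zero VF count directly to another non-zero count, so go through 0 first.
sriov_set_vfs() {
    [ -r "$1/sriov_totalvfs" ] || { echo "$1: no SR-IOV capability" >&2; return 1; }
    _total=$(cat "$1/sriov_totalvfs")
    [ "$2" -le "$_total" ] || { echo "$1: requested $2 VFs, hardware supports $_total" >&2; return 1; }
    if [ "$(cat "$1/sriov_numvfs")" -ne 0 ] && [ "$2" -ne 0 ]; then
        echo 0 > "$1/sriov_numvfs"
    fi
    echo "$2" > "$1/sriov_numvfs"
}

# Constructed sysfs tree: one Broadcom NIC bound to tg3 with 8 VFs available
# and none enabled, one Realtek NIC without SR-IOV. Prints the temporary root.
make_fake_sysfs() {
    _root=$(mktemp -d)
    _bcm=$_root/sys/bus/pci/devices/0000:05:00.0
    _rtl=$_root/sys/bus/pci/devices/0000:02:00.0
    mkdir -p "$_bcm" "$_rtl" "$_root/sys/bus/pci/drivers/tg3" \
             "$_root/sys/module/tg3" "$_root/sys/class/net/eth0"
    echo 0x14e4 > "$_bcm/vendor"; echo 0x1681 > "$_bcm/device"
    echo 8 > "$_bcm/sriov_totalvfs"; echo 0 > "$_bcm/sriov_numvfs"
    echo 0x10ec > "$_rtl/vendor"; echo 0x8168 > "$_rtl/device"
    ln -s "$_root/sys/bus/pci/drivers/tg3" "$_bcm/driver"
    ln -s "$_root/sys/module/tg3" "$_root/sys/bus/pci/drivers/tg3/module"
    ln -s "$_bcm" "$_root/sys/class/net/eth0/device"
    echo "$_root"
}

# Stand-alone demo
root=$(make_fake_sysfs)
bcm=$root/sys/bus/pci/devices/0000:05:00.0
echo "eth0 driver: $(nic_driver "$root/sys/class/net/eth0")"
echo "0000:05:00.0 ids: $(pci_id "$bcm") sriov: $(sriov_status "$bcm")"
sriov_set_vfs "$bcm" 4
echo "after enabling 4 VFs: $(sriov_status "$bcm")"
echo "0000:02:00.0 sriov: $(sriov_status "$root/sys/bus/pci/devices/0000:02:00.0")"
rm -rf "$root"
```

On a real host point the functions at /sys/class/net/<iface> and /sys/bus/pci/devices/<bdf>; writing sriov_numvfs needs root and creates the VFs as new PCI devices, so check sriov_status before and after.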