<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Debian GNU/Linux Network Administrator's Manual (Obsolete Documentation) - TCP/IP</title>
<link href="index.html" rel="start">
<link href="ch-overview.html" rel="prev">
<link href="ch-uucp.html" rel="next">
<link href="index.html#contents" rel="contents">
<link href="index.html#copyright" rel="copyright">
<link href="ch-intro.html" rel="chapter" title="1 Introduction">
<link href="ch-overview.html" rel="chapter" title="2 Overview of a Debian GNU/Linux System">
<link href="ch-tcpip.html" rel="chapter" title="3 TCP/IP">
<link href="ch-uucp.html" rel="chapter" title="4 UUCP">
<link href="ch-ppp.html" rel="chapter" title="5 PPP, SLIP, PLIP">
<link href="ch-nfs.html" rel="chapter" title="6 NFS">
<link href="ch-nis.html" rel="chapter" title="7 NIS">
<link href="ch-bind.html" rel="chapter" title="8 DNS/BIND">
<link href="ch-router.html" rel="chapter" title="9 Router">
<link href="ch-mail.html" rel="chapter" title="10 Mail">
<link href="ch-news.html" rel="chapter" title="11 News">
<link href="ch-ftp.html" rel="chapter" title="12 FTP">
<link href="ch-www.html" rel="chapter" title="13 WWW">
<link href="ch-security.html" rel="chapter" title="14 Security">
<link href="ch-firewall.html" rel="chapter" title="15 Firewall">
<link href="ch-kernel.html" rel="chapter" title="16 Kernel Configuration">
<link href="ch-index.html" rel="chapter" title="17 Index">
</head>

<body>

<p><a name="ch-tcpip"></a></p>

<hr>

<p>
[ <a href="ch-overview.html">previous</a> ]
[ <a href="index.html#contents">Contents</a> ]
[ <a href="ch-intro.html">1</a> ]
[ <a href="ch-overview.html">2</a> ]
[ 3 ]
[ <a href="ch-uucp.html">4</a> ]
[ <a href="ch-ppp.html">5</a> ]
[ <a href="ch-nfs.html">6</a> ]
[ <a href="ch-nis.html">7</a> ]
[ <a href="ch-bind.html">8</a> ]
[ <a href="ch-router.html">9</a> ]
[ <a href="ch-mail.html">10</a> ]
[ <a href="ch-news.html">11</a> ]
[ <a href="ch-ftp.html">12</a> ]
[ <a href="ch-www.html">13</a> ]
[ <a href="ch-security.html">14</a> ]
[ <a href="ch-firewall.html">15</a> ]
[ <a href="ch-kernel.html">16</a> ]
[ <a href="ch-index.html">17</a> ]
[ <a href="ch-uucp.html">next</a> ]
</p>

<hr>

<h1>
Debian GNU/Linux Network Administrator's Manual (Obsolete Documentation)
<br>Chapter 3 - TCP/IP
</h1>

<hr>

<p>
author = Duncan C Thomson <code><a
href="mailto:duncan@sciuro.demon.co.uk">duncan@sciuro.demon.co.uk</a></code>
</p>

<p>
topics = IP protocol, TCP protocol, IP addresses, IP interfaces, Routing
</p>

<hr>

<h2><a name="s3.1"></a>3.1 Intro</h2>

<p>
TCP/IP, as the name suggests, is a pair of protocols, and is what most of the
Internet is built on. Although physically the Internet is made up of a wide
range of networking technologies, from slow modem links through Ethernet to
high-speed ATM-based switched networks, and a wide range of different
applications run over it (the WWW and e-mail, to name only two), the protocols
which tie everything together are the Internet Protocol (IP) and, to perhaps
almost as great an extent, the Transmission Control Protocol (TCP). Another
protocol, UDP, is used in place of TCP for some applications, especially in LAN
environments, but on the Internet the TCP/IP partnership rules.
</p>

<p>
diagram: various physical networks, IP, TCP and UDP, apps
</p>

<p>
This chapter first describes the basics of IP networking, and later describes
some of the more advanced features of TCP/IP available to the Debian user.
</p>

<hr>

<h2><a name="s3.2"></a>3.2 IP Addresses</h2>

<p>
Every computer connected directly to the Internet (or to any IP-based network)
is identified by an IP address. IP addresses are four bytes long, and are
usually written as four decimal numbers separated by dots, as in the examples
below.
</p>
<ul>
<li><p>10.34.92.111</p></li>
<li><p>127.0.0.1</p></li>
<li><p>172.19.220.2</p></li>
<li><p>192.168.50.109</p></li>
</ul>

<p>
IP addresses typically identify two things. Firstly, they identify the network
on which a particular computer is located. Secondly, they identify a
particular computer on that network. Both these pieces of information are
present in an IP address, and they can be called the <em>network part</em> and
the <em>host part</em>. Two special values for the host part should be
mentioned here - if the host part is all zeros, the address refers to a network
(ie it is a <em>network address</em> as opposed to a <em>host address</em>).
If, alternatively, the host part is all ones, the address refers to all hosts
on the network (ie it is a <em>broadcast</em> address).
</p>

<p>
In order to identify which part of the IP address is the host part, and which
part is the network part, there are two methods we can use. The first (and
original) way is by far the easier to understand, so let's start by having a
look at how it works. IP addresses are split into a number of
<em>classes</em>, and it is this class which tells us how to split an IP
address into its network and host parts.
</p>
<dl>
<dt>Class A</dt>
<dd>
<p>
A class A IP address has as its first byte a number between 1 and 126. The
first byte of a class A IP address identifies the network, and the remaining
three bytes identify the host.
</p>
</dd>
<dt>Class B</dt>
<dd>
<p>
A class B IP address has as its first byte a number between 128 and 191. Its
first two bytes are the network identifier, and the remaining two bytes are the
host identifier on that network.
</p>
</dd>
<dt>Class C</dt>
<dd>
<p>
A class C IP address has as its first byte a number between 192 and 223. Its
first three bytes identify the network, and the remaining byte identifies an
individual host on that network.
</p>
</dd>
</dl>

<p>
From the above list you might notice that IP addresses beginning with bytes
from 224 upwards are missing. These belong to other classes of IP address,
not used for a normal IP host, and are beyond the discussion in this section.
</p>

<p>
You might also notice that IP addresses beginning with 127 are missing. IP
addresses beginning with 127 are known as <em>loopback</em> addresses, and can
be used for testing TCP/IP without actually having a network connection.
</p>

<p>
This is all very well, but what if we have been assigned a single class C
address range, but want to split it among several networks? This is where the
second method of specifying the network and host parts can be used. This
method specifies, along with an IP address, a <em>netmask</em>, which has its
bits set to one in the network part, and set to zero in the host part. So, for
example, the default netmasks for the various classes of network are as below:
</p>
<dl>
<dt>Class A</dt>
<dd><p>255.0.0.0</p></dd>
<dt>Class B</dt>
<dd><p>255.255.0.0</p></dd>
<dt>Class C</dt>
<dd><p>255.255.255.0</p></dd>
</dl>

<p>
These don't give us any new information beyond what the original address
classes told us. The power in using netmasks, though, is that we can choose
arbitrary splits between the network and host parts - for example, a netmask of
255.255.255.192 would allow us to split a class C network into four parts, each
with 62 host addresses. Confused? Let's look at that example in more detail.
</p>

<p>
Let's suppose we've been allocated a class C network with IP addresses
beginning with 192.168.50. If we convert the netmask 255.255.255.192 into
binary, we can see that in the last byte, the first two bits are one (that is,
they are included in the network part of the address) and the last six bits are
zeros (that is, they form the host part). So, by using the IP addresses we
have been given, along with this netmask, we have split our network into four,
with <em>network addresses</em> given by setting these two bits to their four
possible combinations (00, 01, 10, 11) while keeping the host part set to zeros
(to identify the network):
</p>
<ul>
<li><p>192.168.50.0</p></li>
<li><p>192.168.50.64</p></li>
<li><p>192.168.50.128</p></li>
<li><p>192.168.50.192</p></li>
</ul>

<p>
Now we know where our four network addresses come from. What about our host
addresses? They come from setting the host part in each <em>subnet</em> to all
values from 000001 to 111110 (remember - all ones is a broadcast address).
That gives us a total of 62 hosts in each network, with addresses:
</p>
<ul>
<li><p>192.168.50.1 - 192.168.50.62</p></li>
<li><p>192.168.50.65 - 192.168.50.126</p></li>
<li><p>192.168.50.129 - 192.168.50.190</p></li>
<li><p>192.168.50.193 - 192.168.50.254</p></li>
</ul>

<p>
In Linux, if we don't mention what netmask we are using, it's usually assumed
by the software that we want to use the default netmask for that particular
class of IP addresses. You should only need to specify a netmask if you are
using one which is not the standard scheme for a particular class of IP
addresses. It never does any harm to specify it though.
</p>

<p>
Each IP address should be <em>unique</em> on the Internet, or on whichever IP
network you are connected to. This means that you cannot assign IP addresses
at random to your machines, since most IP addresses are already in use on the
Internet. In order to get a legitimately assigned set of IP addresses for your
machines, you will normally go through an Internet Service Provider (ISP). If
you have not been assigned such a range of addresses, you should use one of the
ranges of <em>private</em> IP addresses, set aside for internal or testing use.
Be aware that you will not be able to connect to the Internet directly from
such a network; you will need to use some form of Network Address Translation
(NAT) to do this. The ranges of IP addresses set aside for private use are:
</p>
<ul>
<li><p>10.0.0.0: a single class A network</p></li>
<li><p>172.16.0.0 - 172.31.0.0: 16 class B networks</p></li>
<li><p>192.168.0.0 - 192.168.255.0: 256 class C networks</p></li>
</ul>
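<p>
The classful rules and the netmask arithmetic described in this section, worked
through in code. This is an added example and not part of the Debian manual: it
uses only the Python standard library and the chapter's own addresses (the
class C network 192.168.50.0 split with netmask 255.255.255.192, and the private
ranges listed above). The function names (<code>address_class</code>,
<code>split_address</code>, <code>subnets</code>, <code>is_private</code>) are
this example's own. It also rejects a non-contiguous netmask such as
255.255.0.255, which the chapter's description of a netmask (ones in the
network part, zeros in the host part) implicitly excludes.
</p>

```python
# Added example (not from the Debian manual): classful addressing, netmask
# splitting and the private ranges of chapter 3.2, standard library only.
# All names here are this example's own.
from typing import List, Optional, Tuple


def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer, rejecting malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (int(octets[0]) << 24) | (int(octets[1]) << 16) | (int(octets[2]) << 8) | int(octets[3])


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_netmask(mask: str) -> bool:
    """A netmask is a run of ones followed by a run of zeros: the host bits,
    taken on their own, must therefore be of the form 2^n - 1."""
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0


def address_class(addr: str) -> str:
    """Classful rule from the chapter: decided by the first byte alone."""
    first = to_int(addr) >> 24
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"  # 224 upwards: not used for a normal IP host


DEFAULT_NETMASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0",
                   "loopback": "255.0.0.0"}


def split_address(addr: str, netmask: Optional[str] = None) -> Tuple[str, str]:
    """Return (network part, host part) as dotted quads.  Without an explicit
    netmask the class default is used, as Linux tools of the period did."""
    if netmask is None:
        cls = address_class(addr)
        if cls not in DEFAULT_NETMASK:
            raise ValueError(f"{addr} has no class default netmask")
        netmask = DEFAULT_NETMASK[cls]
    if not is_valid_netmask(netmask):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    a, m = to_int(addr), to_int(netmask)
    return to_dotted(a & m), to_dotted(a & ~m & 0xFFFFFFFF)


def subnets(block: str, block_mask: str, new_mask: str) -> List[Tuple[str, str, str, str, int]]:
    """Split `block` (a network address with netmask block_mask) using the
    longer new_mask.  Each entry is (network, first host, last host,
    broadcast, usable host count)."""
    for mask in (block_mask, new_mask):
        if not is_valid_netmask(mask):
            raise ValueError(f"non-contiguous netmask: {mask}")
    bm, nm = to_int(block_mask), to_int(new_mask)
    if nm & bm != bm:
        raise ValueError("new netmask must keep every network bit of the block's netmask")
    start = to_int(block) & bm
    block_size = (~bm & 0xFFFFFFFF) + 1
    subnet_size = (~nm & 0xFFFFFFFF) + 1
    out = []
    for net in range(start, start + block_size, subnet_size):
        bcast = net + subnet_size - 1  # host part all ones
        out.append((to_dotted(net), to_dotted(net + 1), to_dotted(bcast - 1),
                    to_dotted(bcast), max(subnet_size - 2, 0)))
    return out


# The private ranges the chapter lists, as (network, netmask) pairs.
PRIVATE_RANGES = [("10.0.0.0", "255.0.0.0"),
                  ("172.16.0.0", "255.240.0.0"),
                  ("192.168.0.0", "255.255.0.0")]


def is_private(addr: str) -> bool:
    a = to_int(addr)
    return any(a & to_int(m) == to_int(n) for n, m in PRIVATE_RANGES)


if __name__ == "__main__":
    for row in subnets("192.168.50.0", "255.255.255.0", "255.255.255.192"):
        print("net %-15s hosts %s - %s  bcast %s  (%d hosts)" % row)
    print(split_address("192.168.50.109", "255.255.255.192"))
```

<p>
Running the script prints the four subnets of the chapter (192.168.50.0,
.64, .128 and .192, each with 62 usable hosts) and shows that 192.168.50.109,
under the 255.255.255.192 mask, lives in the 192.168.50.64 subnet with host
part 45. Doing the arithmetic explicitly like this, rather than trusting the
class default, is the quickest way to check that an address and netmask you are
about to configure actually place the host on the network you intend.
</p>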

<hr>

<h2><a name="s3.3"></a>3.3 IP Interface Configuration</h2>

<p>
Once we know what IP address we wish to use for our machine, we will have to
bring up one of our network interfaces, and assign that IP address (possibly
along with a netmask) to it. On most Debian systems this is done when
installing the system, and you are seldom likely to need to change it on a
simple system.
</p>

<p>
The <code>ifconfig</code> command is used to configure interfaces in order to
use IP with them. There are a number of different network interfaces available
with the Linux kernel, some of which are summarised below:
</p>
<dl>
<dt>Loopback</dt>
<dd>
<p>
The loopback interface (<samp>lo</samp>), usually configured as IP address
127.0.0.1
</p>
</dd>
<dt>Ethernet</dt>
<dd>
<p>
Ethernet interfaces (with names like <samp>eth0</samp>, <samp>eth1</samp>,
<samp>eth2</samp>) are used to access Ethernet cards
</p>
</dd>
<dt>PPP</dt>
<dd>
<p>
PPP stands for Point-to-Point Protocol, and is used to run a variety of
networking protocols, including IP, over any kind of serial line (null modem,
modem, ISDN). PPP interfaces have names like <samp>ppp0</samp>,
<samp>ppp1</samp>
</p>
</dd>
<dt>Token Ring</dt>
<dd>
<p>
Token Ring devices are accessed with device names like <samp>tr0</samp>,
<samp>tr1</samp>
</p>
</dd>
<dt>Dummy</dt>
<dd>
<p>
The dummy network driver is used on systems that have an interface which is
not always up, in order to provide a permanent IP interface for the relevant
address. The device names are <samp>dummy</samp>, or <samp>dummy0</samp>,
<samp>dummy1</samp>, and so on
</p>
</dd>
</dl>

<p>
There is a wide range of other network devices available, including SLIP and
PLIP (serial and parallel line IP), `shaper' devices for controlling the
traffic on certain interfaces, the ability to have several IP addresses on a
single device, as well as frame relay, AX.25, X.25, ARCnet, LocalTalk and more.
Here, though, we'll concentrate on one of the most common - the Ethernet
interface.
</p>

<p>
In many cases, if you wish your kernel to automatically load modules for
certain device drivers, you may need to make changes to your
<code>/etc/conf.modules</code> or <code>/etc/modules</code> file. For example,
to automatically load the NE2000 driver, you could have the line:
</p>

<pre>
alias eth0 ne
</pre>

<p>
in your <code>/etc/conf.modules</code> file.
</p>

<p>
The simplest way to call <code>ifconfig</code> is to simply type its name:
</p>

<pre>
# /sbin/ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:18584 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18584 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
</pre>

<p>
which simply returns information about the interfaces currently configured. If
we now wish to bring up an Ethernet interface with the address 192.168.50.23,
we'd specify the interface name and the IP address on <code>ifconfig</code>'s
command line:
</p>

<pre>
# /sbin/ifconfig eth0 192.168.50.23
# /sbin/ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:18584 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18584 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:00:E8:C5:64:2A
          inet addr:192.168.50.23  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:7
          Interrupt:10 Base address:0x300
</pre>

<p>
As can be seen from the example, <code>ifconfig</code> now gives
information about the new interface, including the netmask, network statistics,
and information about the network driver itself. Note that, since no netmask
was given, the class C default of 255.255.255.0 was assumed.
<code>ifconfig</code> also allows a netmask to be specified when the
interface is configured, for example:
</p>

<pre>
# /sbin/ifconfig eth0 192.168.50.23 netmask 255.255.255.192
</pre>

<p>
Finally, to bring down an interface, use the following invocation of
<code>ifconfig</code>:
</p>

<pre>
# /sbin/ifconfig eth0 down
</pre>

<p>
Full information on the options available to <code>ifconfig</code> is
available in the manual page - <code>ifconfig(8)</code>.
</p>

<p>
If you set up the IP addressing on your machine when you installed Debian
GNU/Linux, you should find that the <code>ifconfig</code> command is run
automatically on bootup. This is done from the file
<code>/etc/init.d/network</code>. Looking at this file should reveal a number
of lines similar to the following:
</p>

<pre>
IPADDR=192.168.50.23
NETMASK=255.255.255.0
BROADCAST=192.168.50.255
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
</pre>

<p>
This is where the setting up of the Ethernet interface takes place. Above
these lines, you should see a line setting up the loopback interface, and you
should see a number of lines which appear to run a command called
<code>route</code>. This program, and its function, is the subject of the next
section.
</p>

<hr>

<h2><a name="s3.4"></a>3.4 Basic IP Routing</h2>

<p>
Once an IP interface has been set up, the Linux kernel must be told where to
send IP traffic for the various machines on the IP network. The kernel holds a
table, called a <em>routing table</em>, which lists a number of host or network
addresses, along with information on how to send IP packets to these
destinations.
</p>

<p>
The <code>route</code> command is used to examine or update this table. If
only your loopback interface has been configured, this command used on its own
will typically give output which looks something like the following:
</p>

<pre>
# /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       *               255.0.0.0       U     0      0        2 lo
</pre>

<p>
This says that any traffic for the network identified as `127' should be routed
through the loopback interface (<samp>lo</samp>). The `genmask' column
specifies, in a similar way to a netmask, that this particular routing table
entry should be used to match any IP address beginning with the number 127, no
matter what the remainder is.
</p>

<p>
If our machine is connected to an Ethernet network, then typically we will want
to make sure that the kernel routing table knows how to send information to
it. Assuming we have set up our machine to be 192.168.50.23, with a default
class C netmask, the following command will add a routing table entry for our
local network:
</p>

<pre>
# /sbin/route add -net 192.168.50.0
# /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       *               255.0.0.0       U     0      0        2 lo
192.168.50.0    *               255.255.255.0   U     0      0      137 eth0
</pre>

<p>
This tells the kernel that any IP addresses which start with 192.168.50 are on
our local Ethernet network, and that they should be routed through the `eth0'
interface. If you are using a non-standard netmask, this can be specified as a
command line option to the <code>route</code> command:
</p>

<pre>
# /sbin/route add -net 192.168.50.0 netmask 255.255.255.192
</pre>

<p>
A command like one of the above would be sufficient if our TCP/IP network
consisted of just a single network, not connected to anywhere else. However,
the strength of TCP/IP is its <em>internetworking</em> ability, and
normally an IP-based network consists of more than one network. In order to
route IP packets from your machines to these other networks, you need to
specify <em>gateway</em> hosts (often called <em>routers</em>) which deal with
sending information to these other networks. There are in general two
possibilities.
</p>

<p>
The first possibility is that we want to route IP packets to a specific
network, and we know the address of a gateway host or router which deals with
information for that network. Suppose, for example, that there is a machine
192.168.50.1 on our network, which is a router for the network 172.20.0.0 (a
class B network). The following options to the <code>route</code> command
specify this:
</p>

<pre>
# /sbin/route add -net 172.20.0.0 gw 192.168.50.1
</pre>

<p>
Since our routing table already contains an entry telling us how to send
information to 192.168.50.1 (it's on our local network), any traffic for the
remote network 172.20.0.0 is now sent to that machine, which deals with it
appropriately.
</p>

<p>
The other possibility is that we use a certain gateway as a <em>default
route</em> - a route used for all IP packets which don't match other rules in
our routing table. If, for example, the machine with IP address 192.168.50.254
is our router to the rest of the world (the Internet, for example), we use the
<code>route</code> command as follows:
</p>

<pre>
# /sbin/route add default gw 192.168.50.254
</pre>

<p>
At this stage, let's have another look at our routing table:
</p>

<pre>
# /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       *               255.0.0.0       U     0      0        2 lo
192.168.50.0    *               255.255.255.0   U     0      0      137 eth0
172.20.0.0      192.168.50.1    255.255.0.0     UG    1      0        7 eth0
default         192.168.50.254  0.0.0.0         UG    1      0       36 eth0
</pre>

<p>
Going through the above table one line at a time:
</p>
<ol type="1">
<li>
<p>
We first specify a loopback route for all 127.*.*.* addresses
</p>
</li>
<li>
<p>
Next, we specify how to reach all machines on our local network, identified as
192.168.50.*
</p>
</li>
<li>
<p>
Next, we give a route to all machines on the network (172.20.*.*) connected to
the machine 192.168.50.1, which is a router (or gateway) for that network
</p>
</li>
<li>
<p>
Finally, we specify that the machine 192.168.50.254 will deal with all other IP
traffic
</p>
</li>
</ol>

<p>
For now, we won't look at what the various `flags', `metric' and `ref'
entries mean.
</p>
|
|
|
|
<p>
Let's have another look at a typical <code>/etc/init.d/network</code> file,
set up by Debian's installation procedure on a typical Ethernet-connected
machine:
</p>

<pre>
#! /bin/sh
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
IPADDR=192.168.50.23
NETMASK=255.255.255.0
NETWORK=192.168.50.0
BROADCAST=192.168.50.255
GATEWAY=192.168.50.254
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
route add -net ${NETWORK}
[ "${GATEWAY}" ] && route add default gw ${GATEWAY} metric 1
</pre>

<p>
The first two lines of this shell script set up the loopback interface, and add
an entry to the routing table for it. The variables which follow set up the IP
address of our machine, the netmask, the address of our local network, the
broadcast address, and the IP address of our default router. Finally, our
local Ethernet interface is set up with <code>ifconfig</code>, and two
invocations of the <code>route</code> command add routing table entries for
firstly the local network and secondly our default gateway.
</p>
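
<p>
As an added illustration (not part of the manual, and not Debian's own init
script), the following POSIX shell script derives the network address from the
IPADDR and NETMASK values above instead of trusting a hand-typed NETWORK
variable, and checks that the default gateway lies on the directly connected
network before printing the <code>route</code> commands. That is the condition
the text relies on when it says the routing table already knows how to reach
the gateway; a default route through an address the kernel has no route to is
useless, and the mistake is easier to spot here than in a silently failing boot
script. It works for any address and netmask, not only the /24 case shown; the
function names are the example's own, and all addresses are the manual's sample
values.
</p>

```shell
#!/bin/sh
# Added example (not from the manual or from Debian): sanity-check the
# addresses an /etc/init.d/network-style script would feed to route(8).
# Addresses used below are the manual's sample values.

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Network address for an address/netmask pair:
# 192.168.50.23 with 255.255.255.0 gives 192.168.50.0.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Succeed (exit 0) if address $1 lies inside network $2 with netmask $3.
on_local_net() {
    [ "$(network_of "$1" "$3")" = "$2" ]
}

# Print the route commands the init script would run for
# IPADDR NETMASK GATEWAY. An empty gateway means "no default route".
# A gateway outside the local network is reported on stderr and the
# function fails, so a caller can refuse to continue.
plan_routes() {
    ipaddr=$1; netmask=$2; gateway=$3
    network=$(network_of "$ipaddr" "$netmask")
    echo "route add -net $network"
    [ -n "$gateway" ] || return 0
    if on_local_net "$gateway" "$network" "$netmask"; then
        echo "route add default gw $gateway metric 1"
    else
        echo "error: gateway $gateway is not on $network/$netmask; no default route added" >&2
        return 1
    fi
}

# Worked case from the manual: 192.168.50.23/24 with router 192.168.50.254.
plan_routes 192.168.50.23 255.255.255.0 192.168.50.254
```

<p>
Run as it stands, the script prints the two <code>route</code> lines from the
manual's script. Changing the gateway to an address on another network, say
192.168.23.254, produces the error instead of a default route, which is the
failure the kernel would otherwise report only when the route was added.
</p>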

<p>
You may well find that the addresses (of networks and of machines) in the
output from the <code>route</code> command do not appear as IP addresses, but
are named. The names of networks can be set up in the
<code>/etc/networks</code> file (which is normally set up by Debian's network
setup routines at installation time), and the names of hosts can come from a
variety of sources, including the <code>/etc/hosts</code> file and the Domain
Name Service (DNS). Let's now have a look at what DNS is and what it does.
</p>

<hr>

<h2><a name="s3.5"></a>3.5 Domain Name Service (DNS)</h2>

<p>
Every computer connected to the Internet, or to any network using IP as its
network protocol, has an IP address, so that information can be routed
correctly to and from it. IP addresses, though, are a bit difficult for
humans to remember, and for this reason each machine is also normally given a
name. When you install Debian, this is one of the questions you will be asked
- what the name of your computer will be.
</p>

<p>
The name of your computer will be stored in a few locations. You can find out
the name of your computer by typing the <code>hostname</code> command, which
returns the value in the file <code>/etc/hostname</code>. If you are connected
to the Internet, this name will usually have several parts, separated from each
other by dots, for example:
</p>

<pre>
debian.anon.com
</pre>

<p>
It is only the first part of this which is the name of your own computer - the
rest is known as the <em>domain name</em> - this is the <samp>anon.com</samp>
part. Since there are likely to be several computers with the same name on the
Internet, each one is made unique by putting it in its own domain. Within a
domain, normally one person is responsible for giving out computer names, and
administering a database which holds all the names and addresses of the
computers in that domain. This system is known as DNS, and is like a telephone
directory - you can look up a computer by name, and find out its IP address.
</p>

<p>
Before DNS, people had to remember IP addresses in order to use the Internet,
and names were only known for a small subset of machines - typically the
machines in the local network, and maybe one or two machines which were
permanently connected to our site. These names were stored in a single file -
<code>/etc/hosts</code> - and you'll normally find that your own machine's name
and IP address were added to that file when Debian was installed.
</p>

<p>
DNS is a fairly complex system, and we'll look at it in more detail later,
along with the software (<code>bind</code>) which allows you to look after your
own DNS domain.
</p>

<p>
Here, though, we'll have a look at how DNS works from a <em>client's</em> point
of view - i.e. from the point of view of a machine which only needs to look up
machines in the DNS, rather than one which has to provide a DNS service.
</p>

<p>
When a Debian machine needs to look up another computer's name in order to find
out its IP address, it uses a set of routines in the C library called the
<em>resolver</em>. The resolver routines, in turn, consult firstly the file
<code>/etc/nsswitch.conf</code>, which, against an entry for <samp>hosts</samp>,
lists the places that the resolver should check in order to find out the IP
address. There are three possible entries here, and if more than one of them
is present, the resolver will check each one in order. These entries are:
</p>

<dl>
<dt>files</dt>
<dd>
<p>
Check the file <code>/etc/hosts</code> for an entry for the particular hostname
</p>
</dd>

<dt>nis</dt>
<dd>
<p>
Check the NIS database (which we will look at later) for the hostname
</p>
</dd>

<dt>dns</dt>
<dd>
<p>
Check the Domain Name Service
</p>
</dd>
</dl>

<p>
A typical <samp>hosts</samp> entry in <code>/etc/nsswitch.conf</code> might be:
</p>

<pre>
hosts: files dns
</pre>

<p>
This tells the resolver to check firstly the file <code>/etc/hosts</code> and
then query the DNS.
</p>

<p>
The DNS is configured by the file <code>/etc/resolv.conf</code>. This file
normally specifies two things - firstly, the domain in which our machine is,
and secondly, a number of nameservers to ask for information. An example would
be:
</p>

<pre>
domain anon.org
nameserver 172.19.0.1
nameserver 172.19.5.1
</pre>

<p>
The first line tells the resolver library that if we ask for a machine and
don't specify a domain name, it should have <samp>anon.org</samp> appended to
it - i.e. the resolver, assuming that the machine is in our own domain, should
search for it there. The two lines beginning with <samp>nameserver</samp>
specify the IP addresses of machines which we should query using DNS. These
should always be IP addresses - not names - since a name here could only be
resolved by asking the very nameserver we are trying to configure.
</p>
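
<p>
As an added example (not a Debian tool, and not code from the manual), the
following shell script checks the two resolver files just described: it
extracts the <samp>hosts</samp> lookup order from
<code>/etc/nsswitch.conf</code>-style text, reads the local domain from
<code>/etc/resolv.conf</code>-style text, and rejects any
<samp>nameserver</samp> line that carries a name instead of a dotted-quad
address, which is the rule stated above. The file contents are constructed from
the manual's own examples and embedded in the script, so it runs without
touching the real files; the function names are the example's own.
</p>

```shell
#!/bin/sh
# Added example (not from the manual or from Debian): lint the resolver
# configuration described in the text. Sample inputs are constructed from
# the manual's examples so the script runs offline.

# Print the lookup order for the "hosts" database from nsswitch.conf text
# read on stdin, e.g. "files dns". Comment lines are skipped because their
# first field is "#..." rather than "hosts:".
hosts_order() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }'
}

# Print the local domain from resolv.conf text on stdin (first "domain" or
# "search" line), or nothing if neither is present.
resolv_domain() {
    awk '$1 == "domain" || $1 == "search" { print $2; exit }'
}

# Validate resolv.conf text on stdin: every nameserver line must carry a
# dotted-quad IPv4 address, never a hostname (a name would need the very
# resolver being configured), and at least one nameserver must be present.
# Exits 0 when valid, 1 otherwise, reporting each offending line on stderr.
check_resolv_conf() {
    awk '
        function is_ipv4(a,   p, i) {
            if (split(a, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        $1 == "nameserver" {
            if (is_ipv4($2)) ok++
            else { bad++; print "bad nameserver on line " NR ": " $2 > "/dev/stderr" }
        }
        END { if (bad > 0 || ok == 0) exit 1 }
    '
}

# Constructed sample files, matching the examples in the text.
NSSWITCH='passwd: compat
hosts:  files dns
networks: files'

RESOLV='domain anon.org
nameserver 172.19.0.1
nameserver 172.19.5.1'

echo "hosts lookup order: $(printf '%s\n' "$NSSWITCH" | hosts_order)"
echo "local domain: $(printf '%s\n' "$RESOLV" | resolv_domain)"
if printf '%s\n' "$RESOLV" | check_resolv_conf; then
    echo "resolv.conf: ok"
fi
```

<p>
To check a real machine, pipe the actual files through the same functions,
for example <code>check_resolv_conf &lt; /etc/resolv.conf</code>; a line such
as <samp>nameserver ns1.anon.org</samp> is reported and the function returns
non-zero.
</p>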

<p>
Most networking utilities will automatically look up a machine's IP address if
you specify a name, but if you want to query the DNS directly, the
<samp>dnsutils</samp> package contains a program called <code>nslookup</code>.
<code>nslookup</code> can be used either one-off, by giving the name of the
machine you are searching for, possibly along with command-line arguments, or
interactively, by just typing <code>nslookup</code> on its own. The
interactive mode allows a number of searches to be made, and provides some
limited help.
</p>

<p>
<code>nslookup</code>, along with other programs to query the DNS, and the
software to provide a DNS service, will all be described in more detail later.
</p>

<p>
For more information on DNS, please see <a href="ch-bind.html">DNS/BIND,
Chapter 8</a>.
</p>

<hr>

<h2><a name="s3.6"></a>3.6 ICMP and IP Troubleshooting</h2>

<hr>

<h2><a name="s3.7"></a>3.7 TCP and UDP</h2>

<hr>

<h2><a name="s3.8"></a>3.8 Servers, Daemons and the Superserver</h2>

<hr>

<p>
Debian GNU/Linux Network Administrator's Manual (Obsolete Documentation)
</p>

<address>
This manual is OBSOLETE and DEPRECATED since 2000; instead see http://www.debian.org/doc/user-manuals#quick-reference<br>
<br>
Ardo van Rangelrooij <code><a href="mailto:ardo.van.rangelrooij@tip.nl">ardo.van.rangelrooij@tip.nl</a></code><br>
Oliver Elphick <code><a href="mailto:olly@lfix.co.uk">olly@lfix.co.uk</a></code><br>
Ivan E. Moore II <code><a href="mailto:rkrusty@debian.org">rkrusty@debian.org</a></code><br>
Duncan C. Thomson <code><a href="mailto:duncan@sciuro.demon.co.uk">duncan@sciuro.demon.co.uk</a></code><br>
<br>
</address>

<hr>

</body>

</html>