A Linux User Reference

NETWORK CONFIGURATION

Network Protocols

  • IPV4 addressing

    Classless InterDomain Routing (CIDR) blocks are also referred to as "24-bit block (/8)", "20-bit block (/12)" and "16-bit block (/16)".

    Class  CIDR  Bits  Address Range            ID(bits)  No. of Networks
    A      /8    8     0. - 127.                0         128 (2**7)
    B      /16   16    128.0. - 191.255.        10        16,384 (2**14)
    C      /24   24    192.0.0. - 223.255.255.  110       2,097,152 (2**21)

    Networks 0. & 127. are reserved/have special function.

    Reserved private network addresses

    RFC 1918 - Private Address Space. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets.

    Range                          No. of IPs  Class description        Largest CIDR block
    10.0.0.0 - 10.255.255.255      16,777,216  single class A           10.0.0.0/8
    172.16.0.0 - 172.31.255.255    1,048,576   16 contiguous class Bs   172.16.0.0/12
    192.168.0.0 - 192.168.255.255  65,536      256 contiguous class Cs  192.168.0.0/16
  • IPv4 subnetting
    • Subnetting reduces the size of the Internet's routing tables.
    • One network address can contain/encompass multiple networks (sub networks) thereby allowing an organisation to subdivide its network.
    • A subnet mask is logically ANDed with an IP address, masking out the host portion of the address and leaving the network address.
             IP             Binary representation                Network Address  Host address
    Class A  96.3.3.3       01100000.00000011.00000011.00000011
    Mask     255.0.0.0      11111111.00000000.00000000.00000000
    and'd                   01100000.00000000.00000000.00000000  96               3.3.3
    Class B  131.3.3.3      10000011.00000011.00000011.00000011
    Mask     255.255.0.0    11111111.11111111.00000000.00000000
    and'd                   10000011.00000011.00000000.00000000  131.3            3.3
    Class C  195.254.254.6  11000011.11111110.11111110.00000110
    Mask     255.255.255.0  11111111.11111111.11111111.00000000
    and'd                   11000011.11111110.11111110.00000000  195.254.254      6

    Some Class C subnets

                                          No. of    Network  B'cast    IP  address   No. of    Total
                                          subnets   address  address   range         hosts     hosts
    255.255.255.128                       2         0        127       1  - 126      126
    11111111.11111111.11111111.10000000             128      255       129 - 254     126       252
    
    255.255.255.192                       4         0        63        1  - 62       62
    11111111.11111111.11111111.11000000             64       127       65 - 126      62
                                                    128      191       129 - 190     62
                                                    192      255       193 - 254     62        248
    
    255.255.255.224                       8         0        31        1  - 30       30
    11111111.11111111.11111111.11100000             32       63        33 - 62       30
                                                    64       95        65 - 94       30
                                                    96       127       97 - 126      30
                                                    128      159       129 - 158     30
                                                    160      191       161 - 190     30
                                                    192      223       193 - 222     30
                                                    224      255       225 - 254     30        240
    
    255.255.255.240                       16        0        15        1  - 14       14
    11111111.11111111.11111111.11110000             16       31        17 - 30       14
                                                    32       47        33 - 46       14
                                                    48       63        49 - 62       14
                                                    64       79        65 - 78       14
                                                    80       95        81 - 94       14
                                                    96       111       97 - 110      14
                                                    112      127       113 - 126     14
                                                    128      143       129 - 142     14
                                                    144      159       145 - 158     14
                                                    160      175       161 - 174     14
                                                    176      191       177 - 190     14
                                                    192      207       193 - 206     14
                                                    208      223       209 - 222     14
                                                    224      239       225 - 238     14
                                                    240      255       241 - 254     14        224
    

    As the number of subnets increases, the total number of available hosts decreases.

    Each subnet loses 2 host addresses on the subnet - these are used as the subnet's network and broadcast addresses.
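
The masking shown in the tables above, as an added shell example that is not part of the original reference. The function names are illustrative; `same_subnet` applies the same AND to decide whether two addresses are local to each other.

```shell
# Added example: subnet arithmetic done the way the tables above do it,
# by ANDing the mask with the address.

ip_to_int() {            # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on the dots
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {            # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

subnet_info() {          # usage: subnet_info IP MASK
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    net=$(( ip & mask ))                          # host bits cleared
    bcast=$(( net | (~mask & 4294967295) ))       # host bits all set
    echo "network=$(int_to_ip "$net") broadcast=$(int_to_ip "$bcast")" \
         "hosts=$(int_to_ip $(( net + 1 )))-$(int_to_ip $(( bcast - 1 )))" \
         "count=$(( bcast - net - 1 ))"
}

same_subnet() {          # usage: same_subnet IP1 IP2 MASK; status 0 if both share a network
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# The Class C row from the mask table, then one of the four /26 subnets
subnet_info 195.254.254.6 255.255.255.0
subnet_info 195.254.254.130 255.255.255.192
same_subnet 195.254.254.130 195.254.254.200 255.255.255.192 || echo "different subnets"
```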

  • IPv6 addressing

    IPV6 is being introduced to overcome at least three big problems with IPV4.

    • Running out of IP addresses, especially Class B
    • 32 bit addresses are inadequate for the predicted long term growth of the Internet
    • Current routing structure is flat as opposed to hierarchical requiring one routing table entry per network

    Basic differences from IPV4

    • IPV6 attempts to address network configuration through automation.
    • IPV6 uses 128-bit addresses, giving a total of more than 3 x 10**38 addresses.
    • IPV6 uses hex numbers (base 16, 0-F) instead of decimal.
    • IPV6 compresses the resulting address by allowing the removal of some zeros.
    Addressing

    IPV6 long form address

    DEAD:BEEF:0000:0000:0000:0073:FEED:F00D
    DEAD:BEEF:0000:5300:0000:0073:FEED:F00D
    

    Separators are now colons rather than full stops.

    IPV6 shorthand address

    DEAD:BEEF::73:FEED:F00D
    DEAD:BEEF::5300:0000:73:FEED:F00D
    

    Shorthand convention

    Leading zeros within the four digit groups can be dropped, so 0073 becomes 73.

    A group of consecutive 16 bit numbers with the value of zero (0000 or 0000:0000 or 0000:0000:0000 ... ) can be replaced with a double colon ::.

    Only one null/zero string can be replaced with the double colon as in the second shorthand address above.

    Expressing an IPv4 address in IPV6 (intermediate) format

    Long format

    0000:0000:0000:0000:0000:0000:194.153.11.222
    

    Short format

    ::194.153.11.222
    

    This convention uses the old style dot notation for the last 32 bits of the address.
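
The shorthand rules above mean one address can be written several ways, so filter rules and log searches should compare addresses in a single form. The following added example (not part of the original reference; `expand_ipv6` is an illustrative name) expands any shorthand or IPv4-style form to the long form and rejects a second `::`.

```shell
# Added example: expand IPv6 shorthand to the eight-group long form.
expand_ipv6() {          # usage: expand_ipv6 ADDR -> long form, or "invalid"
    printf '%s\n' "$1" | awk '
    function bad() { print "invalid"; exit }
    {
        addr = toupper($0)
        # IPv4 dot notation in the last 32 bits becomes two hex groups
        if (match(addr, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)) {
            split(substr(addr, RSTART), o, ".")
            for (k = 1; k <= 4; k++) if (o[k] > 255) bad()
            addr = substr(addr, 1, RSTART - 1) sprintf("%X:%X", o[1] * 256 + o[2], o[3] * 256 + o[4])
        }
        tmp = addr
        if (gsub(/::/, "", tmp) > 1) bad()        # only one :: is allowed
        nl = nr = 0
        if ((p = index(addr, "::")) > 0) {
            left = substr(addr, 1, p - 1); right = substr(addr, p + 2)
            if (left != "")  nl = split(left, L, ":")
            if (right != "") nr = split(right, R, ":")
            if (nl + nr > 7) bad()
        } else if ((nl = split(addr, L, ":")) != 8) bad()
        n = 0
        for (i = 1; i <= nl; i++) g[++n] = L[i]
        while (n < 8 - nr) g[++n] = "0"           # groups the :: stood for
        for (i = 1; i <= nr; i++) g[++n] = R[i]
        out = ""; sep = ""
        for (i = 1; i <= 8; i++) {
            if (g[i] !~ /^[0-9A-F]+$/ || length(g[i]) > 4) bad()
            out = out sep substr("0000" g[i], length(g[i]) + 1)   # restore leading zeros
            sep = ":"
        }
        print out
    }'
}

# The two shorthand addresses and the IPv4-style address from the text above
expand_ipv6 'DEAD:BEEF::73:FEED:F00D'
expand_ipv6 'DEAD:BEEF::5300:0000:73:FEED:F00D'
expand_ipv6 '::194.153.11.222'
expand_ipv6 'DEAD::BEEF::1'          # two double colons: rejected
```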

    Added security

    • IPV6 specification incorporates security right at the lowest level.
    • The security protocols are known as IPsec and are implemented using optional headers that provide authentication and what's known as the Encapsulating Security Payload (ESP).
    • Some of these facilities are available in IPv4.
  • Internet protocols

    There are many internet protocols, each used to varying degrees. Here are the basics and arguably the most common.

    TCP - Transport Control Protocol

    Connection orientated transport layer/agent (used by SMTP, telnet, FTP, ... ).

    UDP - User Datagram Protocol

    Connectionless transport agent (used by DNS, NFS, ... ).

    ICMP - Internet Control Message Protocol

    Used for passing messages between networked devices.

    • Flow control (source quench)
    • Destination unreachable (network, host, protocol, port ... 16 in all)
    • Routing redirection (for network, host, type of service & network, TOS and host)
    • Echo request (ping)
    • Echo reply (ping)
    • Router advertising
    • Router solicitation
    • Time exceeded (traceroute), transit and reassembly
    • Parameter problems, bad IP header (catch all), required option missing
    • Timestamp request and reply
    • Address mask request and reply
    IP - Internet Protocol

    Connectionless, datagram delivery service.

    Common TCP/IP ports and services

    Port  Used by
    20    ftp data
    21    ftp control
    23    telnet server
    25    SMTP server (sendmail)
    53    DNS server
    67    BOOTP/DHCP server
    68    BOOTP/DHCP client
    80    HTTP server
    110   POP3 (Post Office Protocol - mail client applications use it to connect to the server)
    119   NNTP server (news, Usenet)
    139   NetBios
    143   IMAP (Internet Message Access Protocol), another type of mail
    161   SNMP (Simple Network Management Protocol - systems monitoring)

    /etc/services file

    # All well-known ports and services are defined in this file
    
     .....
    # Each line describes one service, and is of the form:
    # service-name  port/protocol  [aliases ...]   [# comment]
    tcpmux          1/tcp                           # TCP port service multiplexer
    tcpmux          1/udp                           # TCP port service multiplexer
    rje             5/tcp                           # Remote Job Entry
    .....
    
  • Address Resolution Protocol (ARP)

    Used to determine a MAC (Media Access Control) address (the hardware address) from an IP address. Pertinent files include:

    File                                     Description
    /etc/networks                            Zero-conf information
    /proc/sys/net/ipv4/neigh//               Default, lo, eth0, wlan0 ... one dir. per configured interface
    /proc/sys/net/ipv4/neigh//gc_stale_time  60 (secs. the default) - consider cache entries as stale after this period
    /proc/net/arp                            The arp table
    /etc/ethers                              MAC to IP mappings - used by RARP daemon
    /etc/hosts                               Local IP to hostname mappings

    ARP table - /proc/net/arp

    $ more /proc/net/arp
    IP address       HW type     Flags       HW address            Mask     Device
    192.168.0.1      0x1         0x2         c4:3d:c7:13:89:1b     *        wlan0
    

    RARP (Reverse ARP) - /etc/ethers

    08:23:00:31:0d:00 myhost                
    

    MAC to IP mapping table; the second field can be a hostname, as above.

  • Manipulate the system ARP cache
    /usr/sbin/arp

    In all places where a hostname is expected an IP address in dotted-decimal notation can be used.

    Command usage

    arp [-vn] [-H type] [-i if] [-a] [hostname]
    arp [-v] [-i if] -d hostname [pub]
    arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
    arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
    arp [-v] [-H type] [-i if] -Ds hostname ifname [netmask nm] pub
    arp [-vnD] [-H type] [-i if] -f [filename]
    
    Options:
     -d hostname                       Delete entry from arp table
     -s hostname  hw_addr              Set up a new table entry
     -v | --verbose
     -n | --numeric                    Shows numerical addresses
     -H type | --hw-type type          Class of entries to check for.  Default=ether
                                       Other possible values: 
                                       arcnet, pronet, ax25 and netrom
                                       '-e' is a synonym for '-H ether'
     -a                                Use BSD style output format - no fixed columns
     -D | --use-device                 Use interface device name instead of a hw_addr
     -i If | --device If               Select an interface
     -f fname | --file fname           Similar to the '-s', address info is taken from 
                                       file fname - very often /etc/ethers
     pub                               Proxy arp entry
     temp                              Temporary table entry, default is permanent
    

    Display all current arp cache entries

    # arp -a
    wireless-router (192.168.0.1) at 00:0E:2E:FB:7B:63 [ether] on eth0
    usb-wireless (192.168.0.11) at 00:0F:EA:CB:7A:C4 [ether] on eth0
    ? (192.168.0.3) at 00:0F:EA:CB:7A:C4 [ether] on eth0
    

    '?' => cannot resolve hostname

    Verbosely display all current arp cache entries of type ether, no name resolution

    # arp -evn
    Address                  HWtype  HWaddress           Flags Mask            Iface
    192.168.0.1              ether   00:0E:2E:FB:7B:63   C                     eth0
    192.168.0.11             ether   00:0F:EA:CB:7A:C4   C                     eth0
                                                        (C flag => complete entry)
                                                        (M flag => permanent entry)
                                                        (P flag => published entry)
    

    Add a temporary arp entry

    $ sudo arp -v -H ether -i wlan0 -s 192.168.0.11 b8:76:3f:24:01:c1 temp
    
    $ arp 
    Address                  HWtype  HWaddress           Flags Mask            Iface
    192.168.0.1              ether   c4:3d:c7:13:89:1b   C                     wlan0
    wireless                 ether   b8:76:3f:24:01:c1   C                     wlan0
    

    Delete the entry

    $ sudo arp -i wlan0 -d wireless 
    

    Man page examples:

    Answer ARP requests for 10.0.0.2 on eth0 with the MAC address for eth1 (proxyarp)

    # arp -i eth0 -Ds 10.0.0.2 eth1 pub
    

    Add ARP entries from a file

    # arp -f /etc/ethers
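
A defensive check over the `/proc/net/arp` format shown earlier, added here as an example and not part of the original reference: it reports any hardware address claimed by more than one IP address, as in the `arp -a` output above where 192.168.0.11 and 192.168.0.3 share a MAC. The function names and the sample table are constructed for illustration.

```shell
# Added example. The sample table is constructed, modelled on the arp -a
# output above in which two IP addresses resolve to the same MAC.
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:0e:2e:fb:7b:63     *        eth0
192.168.0.11     0x1         0x2         00:0f:ea:cb:7a:c4     *        eth0
192.168.0.3      0x1         0x2         00:0F:EA:CB:7A:C4     *        eth0
192.168.0.9      0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# usage: arp_duplicates [FILE]   FILE defaults to /proc/net/arp, "-" reads stdin
# Prints "MAC ip1,ip2,..." for every hardware address claimed by more than one IP.
arp_duplicates() {
    awk 'NR > 1 && $3 != "0x0" && $4 != "00:00:00:00:00:00" {   # skip header and incomplete entries
             mac = tolower($4)                                   # compare case-insensitively
             if (seen[mac, $1]++) next                           # same pair listed on two interfaces
             if (count[mac]++) ips[mac] = ips[mac] "," $1
             else              ips[mac] = $1
         }
         END { for (m in count) if (count[m] > 1) print m, ips[m] }' "${1:-/proc/net/arp}" | sort
}

sample_arp_table | arp_duplicates -
```

A shared MAC is also what a proxy ARP (`pub`) entry or a host with several addresses looks like, so a hit is a lead to confirm against the arpwatch database, not proof of spoofing.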
    
  • Keep track of MAC/IP address pairings
    /usr/sbin/arpwatch

    Keeps track of ethernet/ip address pairings. It syslogs activity and reports certain changes via email.

    File                                Description
    /var/lib/arpwatch                   Default directory
    /var/lib/arpwatch/arp.dat           Ethernet/ip address database
    /usr/share/arpwatch/ethercodes.dat  Vendor Ethernet block list
    /etc/arpwatch.conf                  Debian-specific way to watch multiple interfaces
    /etc/default/arpwatch               Global options for arpwatch

    Command usage

    arpwatch [ options ]
    
    Options:
     -d                  Debugging, does not fork nor email reports. Outputs to stderr
     -N                  Disables reporting any bogons
     -f datafile         Set the ethernet/ip address database filename.  The default 
                         is arp.dat
     -i interface        Override the default interface
     -n net[/width]      Additional local networks, width not specified then the 
                         default netmask is used
     -r file             A savefile (tcpdump) to read from instead of the network. 
                         Arpwatch does not fork.
     -e addr             E-mail address to send reports to
    

    Stop/start arpwatch daemon

    /etc/init.d/arpwatch [ stop | start | restart | ... ]
    
  • Arpwatch configuration file
    /etc/arpwatch.conf

    Sample entries

    # If the system's MTA supports plus addressing monitor
    # eth0 and mail alerts to root's mailbox
    #eth0 -m root+eth0
    
    # Protect against arp spoofing on eth0 and mail alerts to 
    # alerts.here@mydomain.com
    #eth0 -a -n 192.168.0.0/24 -m alerts.here@mydomain.com
    

    Restart after changes to arpwatch.conf

    $ sudo /etc/init.d/arpwatch restart
    

    Debian, Ubuntu defaults - /etc/default/arpwatch

    ARGS="-N -p"           # Debian: don't report bogons, don't use PROMISC.
    RUNAS="arpwatch"       # Debian: run as `arpwatch' user.  Empty this to 
                           # run as root.
    

    Arpwatch report message types

    Report entry              Meaning
    New activity              Ethernet/ip addr pair has been used for the first time in six months or more
    New station               Ethernet addr has not been seen before
    Flip flop                 Ethernet addr has changed from most recently seen addr to the 2nd most recently seen addr
    Changed ethernet address  Host switched to a new ethernet address

    Syslog message types

    Message entry                Meaning
    ethernet broadcast           MAC ethernet addr of the host is a broadcast address
    ip broadcast                 IP address of the host is a broadcast address
    bogon                        Source ip address is not local to the local subnet
    ethernet broadcast           Source mac or arp ethernet address was all ones or all zeros
    ethernet mismatch            Source mac ethernet address didn't match the address inside the arp packet
    reused old ethernet address  Ethernet addr changed from most recently seen addr to the third least recently seen address
    suppressed DECnet flip flop  "flip flop" report was suppressed because one of the two addr was a DECnet addr.