
A Linux User Reference


NETWORK CONFIGURATION

Routing

  • Multi-homed systems

    A multi-homed system acts as a router. To turn a system into a multi-homed one, enable IP forwarding:

    Set /proc/sys/net/ipv4/ip_forward = 1

    # sysctl -w net.ipv4.ip_forward=1
                                                        (or)
    # sysctl -p -                                       (Provide option via stdin)
    net.ipv4.ip_forward=1
    Ctrl-D
                                                        (or)
    # echo "1" > /proc/sys/net/ipv4/ip_forward
    
    Or you can:

    Edit '/etc/sysctl.conf' and add the line

    .....
    net.ipv4.ip_forward=1
    

    then

    $ sudo sysctl -p [/etc/sysctl.conf]
    

    Default is '/etc/sysctl.conf'

    Debian

    Set ip_forward=yes in /etc/network/options

    Then set this system's interface as the default route on other connected hosts.
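
    A small audit of the ip_forward setting, added here as an example (not code from the original page). It parses sysctl.conf-style text the way 'sysctl -p' reads it (comments start with '#' or ';', the last assignment of a key wins, '/' may replace '.' in key names) and compares the configured value with the live value in /proc when that file is readable. The SAMPLE_CONF fragment is constructed.

```python
# Audit whether IPv4 forwarding is enabled: configured value from
# sysctl.conf text versus the live kernel value in /proc.
# Added example, not part of the original page. SAMPLE_CONF is constructed.

FORWARD_KEY = "net.ipv4.ip_forward"
PROC_PATH = "/proc/sys/net/ipv4/ip_forward"


def parse_sysctl_conf(text):
    """Parse sysctl.conf-style text into {key: value}.
    Lines starting with '#' or ';' are comments; keys may use '/' as the
    separator (sysctl accepts both) and are normalised to dotted form;
    a later assignment overrides an earlier one, as with 'sysctl -p'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # sysctl skips lines it cannot parse
        key, value = line.split("=", 1)
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def forwarding_configured(text):
    """True if the configuration text turns IPv4 forwarding on."""
    return parse_sysctl_conf(text).get(FORWARD_KEY, "0") == "1"


def forwarding_live():
    """Current kernel value from /proc; None when it cannot be read
    (non-Linux host, restricted container, etc.)."""
    try:
        with open(PROC_PATH) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def audit(text):
    """Compare configured and live state. A host that forwards without the
    setting being in its configuration (or vice versa) is worth a look."""
    configured = forwarding_configured(text)
    live = forwarding_live()
    return {
        "configured": configured,
        "live": live,
        "mismatch": live is not None and live != configured,
    }


# Constructed sample: forwarding is first disabled, then enabled later in
# the file, so the effective configured value is 1.
SAMPLE_CONF = """\
# /etc/sysctl.conf (constructed sample)
net.ipv4.ip_forward = 0
; a later line overrides the earlier one
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding = 0
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```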

  • List routes with pretty output format
    /usr/bin/routel

    Helper script that uses 'ip route' but outputs the information in a more friendly format.

    routel [tablenr [raw ip args...]]
    

    Display the current routing table in a pretty format

    $ routel
             target            gateway          source    proto    scope    dev tbl
        192.168.0.0 24                     192.168.0.3   kernel     link   eth0
        169.254.0.0 16                                              link   eth0
            default        192.168.0.1                   static            eth0
    .....
             fe80:: 64                                   kernel            eth0
            default        unreachable                     none              lo unspec
                ::1                 ::                     none              lo local
    fe80::21d:92ff:fee1:73cd        ::                     none              lo local
             ff00:: 8                                                      eth0 local
            default        unreachable                     none              lo unspec
    
  • Helper script to flush routes
    /usr/bin/routef
    • Flush routing tables.
    • Takes no parameters so flushes all tables => system is left with no networking.
    • Need to restart the network subsystem after using.
  • Classless InterDomain Routing (CIDR)

    Classless sub-netting

    • Routing decisions are based on masking operations of the entire 32 bit IP address.
    • Does not matter which address class the IP address is in - hence 'classless'.
    • A way to prevent the explosion in the size of Internet routing tables.
    • Also called 'supernetting'.
    • The aim is to allocate multiple Class C addresses in a way that allows them to be summarised into a smaller number of routing table entries.

    If a single site is allocated 16 Class C addresses that can be summarised, then all 16 can be referenced through a single routing table entry.

    In other words, if 8 different sites are connected to the same ISP through the same Internet connection point and the 8 different sites are allocated IP addresses that can be summarised, then only a single routing table on the Internet is required for all 8 sites.

    • Take a Class C network address range 194.0.0.0 - 195.255.255.255, representing 131,072 network IDs.
    • All the network IDs share the same high-order 7 bits which means that a single 32 bit mask can be used to route all of these networks.
    194.0.0.0          11000010.00000000.00000000.00000000
    195.255.255.255    11000011.11111111.11111111.11111111
    mask 254.0.0.0     11111110.00000000.00000000.00000000
    

    For CIDR to work

    • multiple IP addresses to be summarised for routing must share the same high-order bits of their addresses.
    • routing tables and routing algorithms must be extended to base their routing decisions on a 32 bit IP address and 32 bit mask.
    • routing protocols used must be extended to carry the 32 bit mask as well as the 32 bit address.
    • OSPF (Open Shortest Path First) and RIP-2 (Routing Information Protocol version 2) are both capable of this.

    CIDR also uses a technique where the mask with the greatest number of '1's is taken as the best match.

    An example

    A provider needs two entry points for the address range 194.0.0.0 - 195.255.255.255.

    • (1) one for the 194.0.16.0 - 194.0.31.255 address range
    • (2) and another for all the remaining ones

    Routing table entry (1) 194.0.16.0 - 194.0.31.255, mask 255.255.240.0

    11111111.11111111.11110000.00000000        
    

    Routing table entry (2) 194.0.0.0 - 194.0.15.255, 194.0.32.0 - 195.255.255.255, mask 254.0.0.0

    11111110.00000000.00000000.00000000        
    

    Example address - 194.0.22.1

    11000010.00000000.00010110.00000001        194.0.22.1
    11111111.11111111.11110000.00000000        mask 255.255.240.0 (high order 20 bits)
    11000010.00000000.00010000.00000000        applying this mask results in a match
    11000010.00000000.00010110.00000001        194.0.22.1
    11111110.00000000.00000000.00000000        mask 254.0.0.0  (high order 7 bits)
    11000010.00000000.00000000.00000000        so does this mask
    

    Since the mask 255.255.240.0 has the greatest number of 1's it is used as the best match, meaning this address will be routed correctly using Routing table entry 1.

    Example address 194.0.15.1

    11000010.00000000.00001111.00000001        194.0.15.1
    11111111.11111111.11110000.00000000        mask 255.255.240.0
    11000010.00000000.00000000.00000000        this fails to match
    11000010.00000000.00001111.00000001        194.0.15.1
    11111110.00000000.00000000.00000000        mask 254.0.0.0
    11000010.00000000.00000000.00000000        matches and will be routed accordingly 
                                               using Routing table entry 2
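
    The longest-prefix rule worked through in code, as an added example that is not part of the original page. The two entries, their masks and the two test addresses are the ones used above; the only generalisation is that lookup() accepts any list of (network, mask, label) entries, and trace() prints the same bit-by-bit masking the text shows.

```python
# Longest-prefix (CIDR) match over the routing table entries from the text.
# Added example, not from the original page.
import ipaddress


def to_int(dotted):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_bits(n):
    """32-bit integer -> dotted binary, in the layout the text uses."""
    b = format(n, "032b")
    return ".".join(b[i:i + 8] for i in range(0, 32, 8))


def mask_length(mask):
    """Number of leading 1 bits in a mask; non-contiguous masks are rejected."""
    m = to_int(mask)
    length = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return length


# (network, mask, label): routing table entries (1) and (2) from the text
ROUTES = [
    ("194.0.16.0", "255.255.240.0", "Routing table entry 1"),
    ("194.0.0.0", "254.0.0.0", "Routing table entry 2"),
]


def lookup(addr, routes=ROUTES):
    """Label of the matching entry whose mask has the most 1 bits, or None
    when nothing matches. This is the CIDR 'best match' rule."""
    a = to_int(addr)
    best_len, best_label = -1, None
    for network, mask, label in routes:
        n, m = to_int(network), to_int(mask)
        if n & m != n:
            raise ValueError(f"{network} has host bits set under {mask}")
        if a & m == n and mask_length(mask) > best_len:
            best_len, best_label = mask_length(mask), label
    return best_label


def trace(addr, routes=ROUTES):
    """The masking shown in the text, three lines per entry."""
    a = to_int(addr)
    lines = []
    for network, mask, label in routes:
        n, m = to_int(network), to_int(mask)
        hit = "match" if a & m == n else "no match"
        lines.append(f"{to_bits(a)}  {addr}")
        lines.append(f"{to_bits(m)}  mask {mask} (high order {mask_length(mask)} bits)")
        lines.append(f"{to_bits(a & m)}  {hit} for {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    for example in ("194.0.22.1", "194.0.15.1"):
        print(trace(example))
        print("->", lookup(example), "\n")
```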
    
  • Show the IP routing table
    /sbin/route

    Show, manipulate the IP routing table. Two uses - listing and manipulating.

    List kernel routing table(s)

    route [-nNvee] [-FC] [<AF>]
    
    Options:
     -v | --verbose        Be verbose
     -n | --numeric        Don't resolve names. Use if a problem with DNS.
     -e | --extend         Display using netstat format, '-ee' more information.
     -F | --fib            Display Forwarding Information Base (default)
     -C | --cache          Display routing cache instead of FIB
     <AF>                  Specify address family. 
                           Can also use '-A <af>' or '--<af>'. Default=inet
    

    List of possible address families (which support routing)

    inet (DARPA Internet), inet6 (IPv6), ax25 (AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk DDP), x25 (CCITT X.25)

    Display the routing cache

    # route -C
    kernel IP routing cache
    source          Destination     Gateway         Flags Metric Ref    Use Iface
    84.53.178.105   cpc1-burn3-0-0- cpc1-burn3-0-0- l     0      0       20 lo
    img.snv.mediapl cpc1-burn3-0-0- cpc1-burn3-0-0- l     0      0        4 lo
    theridion.web.n cpc1-burn3-0-0- cpc1-burn3-0-0- l     0      0       12 lo
    cpc1-burn3-0-0- cache1.ntli.net cpc1-burn3-0-0-       0      0      172 eth0
    .....
    

    Display the routing table (FIB), do not resolve names

    # route -n
    kernel IP routing table
    destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.252 U     0      0        0 eth1
    81.110.236.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
    0.0.0.0         81.110.236.1    0.0.0.0         UG    0      0        0 eth0
    

    where:

    Destination:    Destination network or destination host
    Gateway:        Gateway address or '*' if none set
    Genmask:        Netmask for the destination net; '255.255.255.255' for a host 
                    destination and '0.0.0.0' for the default route
    Flags:
     U              Route is up
     H              Target is a host
     G              Use gateway
     R              Reinstate route for dynamic routing
     D              Dynamically installed by daemon or redirect
     M              Modified from routing daemon or redirect
     A              Installed by addrconf
     C              Cache entry
     !              Reject route
    
    Metric:         The distance to the target (usually counted in hops). Not used
                    by recent kernels
    Ref:            Number of references to this route. (Not used in the Linux kernel.)
    Use:            Count of lookups for route.  Route cache misses (-F) or hits (-C).
    Iface:          Interface to which packets for this route will be sent.
    MSS:            Default maximum segment size for TCP connections over this route.
    Window:         Default window size for TCP connections over this route.
    irtt:           Initial RTT (Round Trip Time). Kernel uses to guess the best TCP 
                    protocol parameters.
    HH:             Number of ARP entries and cached routes that refer to the hardware
                    header cache (cached only).
    Arp:            Whether or not the hardware address for the cached route is up to
                    date (cached only).
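
    A parser for the 'route -n' listing, added as an example that is not part of the original page. It turns each route line into a record, converts Genmask to a prefix length, decodes the Flags column with the meanings given above and picks out the default route. SAMPLE_ROUTE_N is a constructed copy of the listing shown above.

```python
# Parse 'route -n' output into records and decode the Flags column.
# Added example, not from the original page; SAMPLE_ROUTE_N is constructed
# from the listing in the text.
import ipaddress

FLAG_MEANING = {
    "U": "Route is up",
    "H": "Target is a host",
    "G": "Use gateway",
    "R": "Reinstate route for dynamic routing",
    "D": "Dynamically installed by daemon or redirect",
    "M": "Modified from routing daemon or redirect",
    "A": "Installed by addrconf",
    "C": "Cache entry",
    "!": "Reject route",
}

COLUMNS = ("destination", "gateway", "genmask", "flags",
           "metric", "ref", "use", "iface")

SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.252 U     0      0        0 eth1
81.110.236.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         81.110.236.1    0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """One dict per route line; the title and column-header rows are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS):
            continue
        try:
            ipaddress.IPv4Address(fields[0])
        except ValueError:
            continue  # the 'Destination Gateway ...' header also has 8 words
        rec = dict(zip(COLUMNS, fields))
        for key in ("metric", "ref", "use"):
            rec[key] = int(rec[key])
        net = ipaddress.IPv4Network(f"{rec['destination']}/{rec['genmask']}",
                                    strict=False)
        rec["prefixlen"] = net.prefixlen
        rec["flag_text"] = [FLAG_MEANING.get(c, f"unknown flag {c}")
                            for c in rec["flags"]]
        routes.append(rec)
    return routes


def default_route(routes):
    """The 0.0.0.0/0.0.0.0 entry ('default' when names are resolved)."""
    for rec in routes:
        if rec["destination"] == "0.0.0.0" and rec["genmask"] == "0.0.0.0":
            return rec
    return None


def directly_connected(routes):
    """Routes without the G flag: networks reached without a gateway."""
    return [r for r in routes if "G" not in r["flags"]]


if __name__ == "__main__":
    rs = parse_route_n(SAMPLE_ROUTE_N)
    for r in rs:
        print(f"{r['destination']}/{r['prefixlen']:<3} via {r['gateway']:<15} "
              f"{r['iface']:<5} {', '.join(r['flag_text'])}")
    d = default_route(rs)
    print("default gateway:", d["gateway"] if d else "none")
```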
    
  • Modify the IP routing table
    /sbin/route

    Show, manipulate the IP routing table. Two uses - listing and manipulating.

    Modify the kernel routing table(s)

    route [-A] [-v] [-FC] {add|del|flush} [-net|-host] target [if]
    

    Delete the route to network 169.254.0.0

    # route del -net 169.254.0.0 gw 0.0.0.0 netmask 255.255.0.0 eth1
    

    Add a route to network 192.56.76.x via eth0

    # route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
    

    Delete the current default route

    # route del default
    

    The one that is labeled "default" or 0.0.0.0 in the destination field of the current routing table.

    Add a default route

    # route add default gw isp-gw
    

    The gateway needs to be reachable, if it requires a static route then this should be set up first - before the default route.

    Add normal loopback entry

    # route add -net 127.0.0.0 netmask 255.0.0.0 dev lo
    

    Add network route via eth0

    # route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
    

    Add rejecting route

    # route add -net 10.0.0.0 netmask 255.0.0.0 reject
    

    Add default IPv6 route

    # route -A inet6 add default gw 2008:7:6:5:4:3:2:1
    
  • Show, manipulate routing
    /sbin/ip

    Show, manipulate routing, devices, policy routing and tunnels.

    Command usage

    ip [options] object command [dev]
    
    Some options:
     -s | -stats | -statistics
     -f | -family [family]
     -r | -resolve
    
     object  = link, addr, route, rule, neigh, tunnel, maddr, mroute, monitor
     command = add, delete, show|list
    

    Display an interface's IP

    # ip address show [eth0]
    
    $ ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 60:a4:4c:64:0f:b1 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
        inet6 fe80::62a4:4cff:fe64:fb1/64 scope link 
           valid_lft forever preferred_lft forever
    

    Configure an interface's address (the 'dev' keyword is required)

    # ip addr add local x.x.x.x broadcast x.x.x.x dev eth0
    # ip addr add local x.x.x.x peer x.x.x.x[/nn] dev ppp0
    

    Display the route to a specific destination

    $ ip route get 69.90.69.231
    69.90.69.231 via 192.168.0.1 dev eth0  src 192.168.0.2 
        cache 
    

    Add/Delete a route for an interface

    # ip route add to 192.168.0.1 dev eth0 [src addr]
    # ip route del to 192.168.0.1
    

    Display the routing table - can use list instead of show

    # ip route show
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
    .....
    

    Display the cache entry for a route

    # ip route show cache 192.168.0.1
    192.168.0.1 dev eth0  src 192.168.0.2
        cache  mtu 1500 advmss 1460 hoplimit 64
    

    Display statistics for a route's cache entry

    # ip -s route show cache 192.168.0.1
    192.168.0.1 dev eth0  src 192.168.0.2
        cache  users 1 used 5 age 46sec mtu 1500 advmss 1460 hoplimit 64
    

    Add a static route to a network

    # ip route add 10.38.0.0/16 via 192.168.100.1
    

    Add a static prohibiting route to a network

    # ip route add prohibit 209.10.26.51
    # ip route add prohibit 209.10.26.51 from 192.168.99.35
    

    192.168.99.35 is blocked from 209.10.26.51.

    When using prohibit a user sees 'No route to host' as a response. With an iptables REJECT rule, user sees 'Connection refused'.

    Add a default route

    # ip route add default via 192.168.99.254                                 (Just need GW's IP)
    # ip route add default via 205.254.211.254 src 205.254.211.198 table 7
    

    src option provides a hint to the kernel for source address selection. Any packet which originates on this box (or is masqueraded) will have its source IP set to 205.254.211.198.

    Identify route to delete with ip route show

    # ip route show
    192.168.99.0/24 dev eth0  scope link
    192.168.98.0/24 via 192.168.99.1 dev eth0
    10.38.0.0/16 via 192.168.100.1 dev eth3
    127.0.0.0/8 dev lo  scope link
    default via 205.254.211.254 dev eth1
    

    Cut and paste the output line of the route to delete into the del command

    # ip route del 10.38.0.0/16 via 192.168.100.1 dev eth3
    # ip route del default via 192.168.0.1 dev wlan0
    

    Alter an existing route

    # ip route change default via 192.168.99.113 dev eth0
    

    This does not inform the routing cache of the change, so ..

    Flush the cache

    # ip route flush cache
    

    Remove a specific route, if it exists

    # ip route flush 10.38
    Nothing to flush.
    # ip route flush 10.38.0.0/16
    

    Empty the main routing table

    # ip route flush table main
    # ip route flush cache
    

    You can save some troubleshooting time by getting into the habit of finishing routing commands with 'ip route flush cache'

    Test routing tables

    'ip route get' simulates a lookup for the specified destination: it runs the route selection algorithm and, when complete, prints the resulting path to the destination.

    # ip -s route get 213.40.66.84
    213.40.66.84 via 192.168.0.1 dev eth0  src 192.168.0.2
        cache  users 1 mtu 1500 advmss 1460 hoplimit 64
    
  • Routing daemons
    gated, routed
    • Programs that can automatically adjust routing tables based on changes in the network.
    • If there are multiple possible paths to a destination and you want an alternate route to be selected automatically (in case the default route to that destination becomes unusable), the 'routed' program can do this for you.
    Program   Description
    routed    Routing daemon configured with /etc/gateway
    gated     Routing daemon configured with /etc/gate.conf

    For more information check out their respective man pages.

  • TCPIP routing software packages
    quagga, zebra
    • A TCPIP routing software package, RIPv1, RIPv2, RIPng, OSPFv2, OSPFv3, BGP-4, and BGP-4+
    • 5 routing daemons - ripd, ripngd, ospfd, ospf6d, bgpd
    • 1 manager daemon - zebra
    • Several config files, one per daemon /etc/quagga/<daemon>.conf e.g. /etc/quagga/zebra.conf

    Sample configuration - /etc/quagga/zebra.conf

    ! or a # starting a line starts a comment
    
    ! Zebra configuration file
    !
    hostname Router
    password zebra
    enable password zebra
    !
    log stdout
    !
    

    Set up a static route for 10.0.0.0/8 via gateway 10.0.0.2

    zebra> ip route 10.0.0.0/8 10.0.0.2
    

    Static route using gateway to interface ppp0

    zebra> ip route 10.0.0.0/8 ppp0
    

    Install a blackhole route

    zebra> ip route 10.0.0.0/8 null0
    

    Same three previous commands using subnet mask as opposed to CIDR notation (255.0.0.0 is the mask for /8)

    zebra> ip route 10.0.0.0 255.0.0.0 10.0.0.2
    zebra> ip route 10.0.0.0 255.0.0.0 ppp0
    zebra> ip route 10.0.0.0 255.0.0.0 null0
    

    Show current routes in zebra DB

    zebra> show ip route
    

    Show if host's ipforwarding is enabled

    zebra> show ipforward
    
  • Kernel routing tables mapping file
    rt_tables
    • The kernel routing cache.
    • The kernel can support up to 252 routing tables.
    • Generally, commands that interact with routing information have built in support for (operate on by default) the two most common tables - main and local.
    • The administrator maintained rt_tables file maps other tables to digits so that commands like 'ip' and 'iproute' can operate on tables other than the defaults.

    Sample entries - /etc/iproute2/rt_tables

    $ more /etc/iproute2/rt_tables
    #
    # reserved values
    #
    255 local
    254 main
    253 default
    0   unspec
    #
    # local
    #
    #1  inr.ruhep
    

    Add a new routing table

    $ sudo sh -c 'echo 7 special >> /etc/iproute2/rt_tables'
    $ more /etc/iproute2/rt_tables
    #
    # reserved values
    #
    255 local
    254 main
    253 default
    .....
    #1  inr.ruhep
    7 special
    

    Table is empty

    Populate the new routing table

    $ sudo ip route add table special default via 192.168.0.1
    $ ip route show table special
    default via 192.168.0.1 dev eth0 
    

    Display a specific routing table - local

    $ ip route show table local
    broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
    local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
    local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
    broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
    broadcast 192.168.0.0 dev eth0  proto kernel  scope link  src 192.168.0.2 
    local 192.168.0.2 dev eth0  proto kernel  scope host  src 192.168.0.2 
    broadcast 192.168.0.255 dev eth0  proto kernel  scope link  src 192.168.0.2 
    

    Delete the recently added route and remove its routing table mapping

    $ ip route show table special
    default via 192.168.0.1 dev eth0 
    
    $ sudo ip route del table special default 
    $ ip route show table special
    
    $ grep '^7 special$' /etc/iproute2/rt_tables
    7 special
    $  sudo sh -c 'sed -i "/^7 special$/d" /etc/iproute2/rt_tables'
    

    Just be very careful with the last command ..
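
    The same add and remove steps done with checks, as an added example that is not part of the original page: the 'echo >>' above appends blindly and the 'sed -i' deletes by pattern, whereas this parses /etc/iproute2/rt_tables first and refuses reserved numbers, duplicate numbers and names already in use. SAMPLE_RT_TABLES is a constructed copy of the listing above; the 1..252 range for administrator-defined tables follows the figure given in the text.

```python
# Parse /etc/iproute2/rt_tables and add or remove a table mapping safely.
# Added example, not from the original page. SAMPLE_RT_TABLES is constructed
# from the listing in the text; the 1..252 range follows the text.
RESERVED = {255: "local", 254: "main", 253: "default", 0: "unspec"}

SAMPLE_RT_TABLES = """\
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
"""


def parse_rt_tables(text):
    """Return {number: name} for the active lines. '#' starts a comment, so
    the '#1 inr.ruhep' placeholder does not count as a table."""
    tables = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: malformed rt_tables entry {raw!r}")
        tables[int(parts[0])] = parts[1]
    return tables


def add_table(text, number, name):
    """Return the file text with 'number name' appended, refusing reserved
    numbers, numbers outside 1..252, duplicates and names already in use."""
    tables = parse_rt_tables(text)
    if number in RESERVED or not 1 <= number <= 252:
        raise ValueError(f"table {number} is reserved or outside 1..252")
    if number in tables:
        raise ValueError(f"table {number} already mapped to {tables[number]!r}")
    if name in tables.values():
        raise ValueError(f"name {name!r} already in use")
    if not name or " " in name or "#" in name:
        raise ValueError("a table name must be a single word")
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}{number} {name}\n"


def remove_table(text, number, name):
    """Drop exactly the 'number name' line (what the sed in the text does),
    leaving comments and every other entry untouched."""
    kept = [ln for ln in text.splitlines()
            if ln.split() != [str(number), name]]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    after_add = add_table(SAMPLE_RT_TABLES, 7, "special")
    print(parse_rt_tables(after_add))
    print(parse_rt_tables(remove_table(after_add, 7, "special")))
```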

  • Network Address Translation (NAT)

    Involves two commands:

    • one to add a component to rewrite the inbound packet (ip route add nat)
    • another to add a component to rewrite the outbound packet (ip rule add nat).

    NAT for a single IP

    # ip route add nat 205.254.211.17 via 192.168.100.17
    # ip route show table local | grep ^nat
    nat 205.254.211.17 via 192.168.100.17  scope host
    

    Tells the kernel to rewrite any inbound packet bound for 205.254.211.17 to 192.168.100.17.

    NAT route for an entire network

    # ip route add nat 205.254.211.32/29 via 192.168.100.32
    # ip route show table local | grep ^nat
    nat 205.254.211.32/29 via 192.168.100.32  scope host
    

    Any inbound IP packets destined for any address between 205.254.211.32 and 205.254.211.39 will be rewritten to the corresponding address in the range 192.168.100.32 through 192.168.100.39.

    This is only a small part of the NAT story. With 'iproute2' you need 'ip rule add nat <address>' as well as the 'ip route ...' entry, and 'ip rule flush' for the change to take immediate effect.

    See the man pages - 'ip route', 'ip rule'.