2006 г.
Справочник по Debian
[
назад ]
[
Содержание ]
[
1 ]
[
2 ]
[
3 ]
[
4 ]
[
5 ]
[
6 ]
[
7 ]
[
8 ]
[
9 ]
[ 10 ]
[
11 ]
[
12 ]
[
13 ]
[
14 ]
[
15 ]
[
A ]
[
вперед ]
Osamu Aoki, перевод Ильи В. Головко, qref.sourceforge.net
Глава 10 - Network configuration
This chapter focuses on network administration in Debian. For a general
introduction to GNU/Linux networking read the Net-HOWTO.
In order for a Debian host to be able to access the Internet its network
interfaces need to be supported by the kernel and properly configured.
The first requirement is kernel support for network interface devices such as
Ethernet cards, Wi-Fi cards, and modems. To obtain this support you may need
to recompile the kernel or add modules to it as described in The Linux kernel under Debian, Глава 7.
Configuration of network devices is explained below. The information in this
chapter has been updated for Sarge. Much of it does not apply to earlier
releases.
10.1 Basics of IP networking
A Debian host may have several interfaces each with a different Internet
Protocol (IP) address. Interfaces may be of several different types,
including:
-
Loopback: lo
-
Ethernet: eth0, eth1, ...
-
Wi-Fi: wlan0, wlan1, ... [42]
-
Token Ring: tr0, tr1, ...
-
PPP: ppp0, ppp1, ...
There is a wide range of other network devices available, including SLIP, PLIP
(serial and parallel line IP), "shaper" devices for controlling the
traffic on certain interfaces, frame relay, AX.25, X.25, ARCnet, and LocalTalk.
Every network interface connected directly to the Internet (or to any IP-based
network) is identified by a unique 32 bit IP address. [43] The IP address can be divided
into the part that addresses the network and the part that addresses the host.
If you take an IP address, set to 1 the bits that are part of the network
address and set to 0 the bits that are part of the host address then you get
the net mask of the network.
Traditionally, IP networks were grouped into classes whose net address parts
were 8, 16 or 24 bits in length. [44]
IP addresses net mask length
Class A 1.0.0.0 - 126.255.255.255 255.0.0.0 = /8
Class B 128.0.0.0 - 191.255.255.255 255.255.0.0 = /16
Class C 192.0.0.0 - 223.255.255.255 255.255.255.0 = /24
IP addresses not in these ranges are used for special purposes.
There are address ranges in each class reserved for use on local area networks
(LANs). These addresses are guaranteed not to conflict with any addresses on
the Internet proper. (By the same token, if one of these addresses is assigned
to a host then that host must not access the Internet directly but must access
it through a gateway that acts as a proxy for individual services or else does
Network Address Translation.) These address ranges are given in the following
table along with the number of ranges in each class.
network addresses length how many
Class A 10.x.x.x /8 1
Class B 172.16.x.x - 172.31.x.x /16 16
Class C 192.168.0.x - 192.168.255.x /24 256
The first address in an IP network is the address of the network itself. The
last address is the broadcast address for the network. [45] All other addresses may be
allocated to hosts on the network. Of these, the first or the last address is
usually allocated to the Internet gateway for the network.
The routing table contains the kernel's information on how to send IP packets
to their destinations. Here is a sample routing table printout for a Debian
host on a local area network (LAN) with IP address 192.168.50.x/24. Host
192.168.50.1 (also on the LAN) is a router for the corporate network
172.20.x.x/16 and host 192.168.50.254 (also on the LAN) is a router for the
Internet at large.
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
127.0.0.0 * 255.0.0.0 U 0 0 2 lo
192.168.50.0 * 255.255.255.0 U 0 0 137 eth0
172.20.0.0 192.168.50.1 255.255.0.0 UG 1 0 7 eth0
default 192.168.50.254 0.0.0.0 UG 1 0 36 eth0
-
The first line after the heading says that traffic destined for network
127.x.x.x will be routed through lo, the loopback
interface.
-
The second line says that traffic destined for hosts on the LAN will be routed
through eth0.
-
The third line says that traffic destined for the corporate network will be
routed toward gateway 192.168.50.1 also through eth0.
-
The fourth line says that traffic destined for the Internet at large will be
routed toward gateway 192.168.50.254 also through
eth0.
IP addresses in the table may also appear as names that are obtained by looking
up addresses in /etc/networks or by using the C Library resolver.
In addition to routing, the kernel can perform network address translation,
traffic shaping and filtering.
See the Net-HOWTO and
other
networking HOWTOs for more background information.
10.2 Low level network configuration
The traditional low level network configuration tools on GNU/Linux systems are
the ifconfig and route programs which come in the
net-tools package. These tools have officially been superseded by
ip which comes in the iproute package. The
ip program works with Linux 2.2 and higher and is more capable
than the old tools. However, the old tools still work and are more familiar to
many users.
10.2.1 Low level network configuration – ifconfig and route
Here is an illustration of how to change the IP address of interface
eth0 from 192.168.0.3 to 192.168.0.111
and to make eth0 the route to network 10.0.0.0 via
192.168.0.1. We begin by running ifconfig and
route without interface arguments in order to display the current
status of all network interfaces and routing.
# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:46:7A:02:B0
inet addr:192.168.0.3 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23363 errors:0 dropped:0 overruns:0 frame:0
TX packets:21798 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:13479541 (12.8 MiB) TX bytes:20262643 (19.3 MiB)
Interrupt:9
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:230172 errors:0 dropped:0 overruns:0 frame:0
TX packets:230172 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:22685256 (21.6 MiB) TX bytes:22685256 (21.6 MiB)
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.0.1 255.255.255.255 UG 0 0 0 eth0
First we bring down the interface.
# ifconfig eth0 inet down
# ifconfig
lo Link encap:Local Loopback
... (no more eth0 entry)
# route
... (no more routing table entries)
Then we bring it up with the new IP address and new routing.
# ifconfig eth0 inet up 192.168.0.111 \
netmask 255.255.255.0 broadcast 192.168.0.255
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.1 dev eth0
The result:
# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:46:7A:02:B0
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
...
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
10.0.0.0 192.168.0.1 255.0.0.0 UG 0 0 0 eth0
For more information see ifconfig(8) and route(8).
10.2.2 Low level network configuration – ip
The ip equivalents of the preceding ifconfig and
route commands are:
-
ip link show
-
ip route list
-
ip link set eth0 down
-
ip addr del dev eth0 local 192.168.0.3
-
ip addr add dev eth0 local 192.168.0.111/24 broadcast
192.168.0.255
-
ip link set eth0 up
-
ip route add dev eth0 to 10.0.0.0/8 src 192.168.0.111 via
192.168.0.1
The ip program prints its command syntax when run with the
argument help. For example, ip link help prints:
Usage: ip link set DEVICE { up | down | arp { on | off } |
dynamic { on | off } |
multicast { on | off } | txqueuelen PACKETS |
name NEWNAME |
address LLADDR | broadcast LLADDR |
mtu MTU }
ip link show [ DEVICE ]
See also ip(8).
10.2.3 Configuring a Wi-Fi interface
For Wi-Fi interfaces the iwconfig program which comes in the
wireless-tools package is used in addition to either
ifconfig or ip.
See iwconfig(8).
10.2.4 Configuring a PPP interface
If you access the Internet through a modem connected to a dial-up telephone
line then the connection is negotiated using the Point-to-Point Protocol (PPP).
Such connections are accessed as network interface ppp0,
ppp1, and so on.
A PPP interface is managed by the PPP daemon pppd which comes in
the ppp package. Thus, for the user, configuring a PPP interface
means configuring pppd.
10.2.4.1 Configuring pppd manually
For a network link to be established, a communication port (usually a serial
port) needs to be opened, commands have to be sent to a communication device
(usually a modem), a telephone number may have to be dialed, identity has to be
authenticated to a foreign PPP daemon, a PPP interface has to be created and
then routing tables have to be modified so that traffic can be sent over the
link. pppd can do all of this and consequently has a very long
list of operating options. These options are described in
pppd(8).
On a Debian system, global options are set up in /etc/ppp/options.
User-specific options are set up in ~/.ppprc. Options that must
depend on the communication port used are stored in
/etc/ppp/options.portname. For example, suppose you
have two modems—a built-in Lucent LT modem accessed through /dev/LT-modem
and an external modem accessed through /dev/ttyS0. Create the following two
options files.
# cat > /etc/ppp/options.LT-modem <<EOF
115200
init "/usr/sbin/chat -f /etc/chatscripts/setup-LT-modem"
EOF
# cat > /etc/ppp/options.ttyS0 <<EOF
115200
init "/usr/sbin/chat -f /etc/chatscripts/setup-ttyS0"
EOF
These refer to the following chat scripts. First,
/etc/chatscripts/setup-LT-modem.
ABORT ERROR
'' ATZ
OK 'ATW2X2 S7=70 S11=55'
OK AT
Second, /etc/chatscripts/setup-ttyS0.
ABORT ERROR
'' ATZ
OK 'ATL1M1Q0V1W2X4&C1&D2 S6=4 S7=70 S11=55 S95=63 S109=1 +FCLASS=0'
OK AT
The contents of these files must depend on your hardware, of course.
Options can also be given to pppd as arguments.
In Debian pppd is usually started using the pon
command. When pon is used its first argument names an options
file in /etc/ppp/peers/ which is also read by pppd.
[46] This is where you set up
options that are specific to a particular peer—for example, a particular
Internet Service Provider (ISP).
Suppose for example you commute between Amsterdam and Den Haag. In each city
you have access to two ISP services—Planet and KPN. First create a basic
options file for each ISP.
# cat > /etc/ppp/peers/KPN <<EOF
remotename KPN
noauth
user kpn
noipdefault
ipparam KPN
EOF
# cat > /etc/ppp/peers/Planet <<EOF
remotename Planet
auth
user user3579@planet.nl
noipdefault
mru 1000
mtu 1000
ipparam Planet
EOF
These files set options that differ between the two ISPs. Options common to
both ISPs can be placed in /etc/ppp/options or in one of the
interface-specific options files as appropriate.
Now create options files for each ISP in each city. In our example the only
difference between connecting to an ISP in one location versus connecting in
another is the chatscript that is required. (The chatscript is different
because the local access telephone number is different.)
# cat > /etc/ppp/peers/KPN-Amsterdam <<EOF
connect "/usr/sbin/chat -v -f /etc/chatscripts/KPN-Amsterdam"
file /etc/ppp/peers/KPN
EOF
# cat > /etc/ppp/peers/KPN-DenHaag <<EOF
connect "/usr/sbin/chat -v -f /etc/chatscripts/KPN-DenHaag"
file /etc/ppp/peers/KPN
EOF
# cat > /etc/ppp/peers/Planet-Amsterdam <<EOF
connect "/usr/sbin/chat -v -f /etc/chatscripts/Planet-Amsterdam"
file /etc/ppp/peers/Planet
EOF
# cat > /etc/ppp/peers/Planet-DenHaag <<EOF
connect "/usr/sbin/chat -v -f /etc/chatscripts/Planet-DenHaag"
file /etc/ppp/peers/Planet
EOF
The file directives each include one of the options files shown
earlier. The connect directive specifies the command that
pppd uses to make the connection. Normally one uses the
chat program for this, adapting the chatscript to the ISP. Here
are the chatscripts for Den Haag; the chatscripts for Amsterdam might be
similar except for the telephone number or they might be different if the ISP
offers service through another company there.
# cat > /etc/chatscripts/KPN-DenHaag <<EOF
ABORT BUSY
ABORT 'NO CARRIER'
ABORT VOICE
ABORT 'NO DIALTONE'
ABORT 'NO DIAL TONE'
ABORT 'NO ANSWER'
ABORT ERROR
OK-AT-OK ATDT 0676012321
CONNECT \d\c
EOF
# cat > /etc/chatscripts/Planet-DenHaag <<EOF
ABORT BUSY
ABORT 'NO CARRIER'
ABORT VOICE
ABORT 'NO DIALTONE'
ABORT 'NO DIAL TONE'
ABORT 'NO ANSWER'
ABORT ERROR
OK-AT-OK ATDT 0676002505
CONNECT \d\c
EOF
To be able to connect to these ISPs you need client names and passwords that
pppd can supply to the peer on demand. This information is stored
either in /etc/ppp/pap-secrets (if the PAP protocol is used) or in
/etc/ppp/chap-secrets (if the CHAP protocol is used). Although
CHAP is more secure, PAP is still more widely used. Because these files
contain secrets, group and world should not have permission to read or write
them. The format of these files is explained in pppd(8). A
"secret" (third field) is looked up in the file by finding the client
name (first field) and/or the server name (second field). When connecting to
an ISP one generally doesn't know the server name, so one supplies a client
name instead; this was done on the user lines in
peers/KPN and peers/Planet above.
# client name server name secret
kpn * kpn
user3579@planet.nl * myfavoritepet
See /usr/share/doc/ppp/README.Debian.gz for more information.
10.2.4.2 Configuring pppd using pppconfig
A quick way to configure pppd is to use the pppconfig
program which comes in the package of the same name. pppconfig
sets up files like those above after asking the user questions through a menu
interface.
10.2.4.3 Configuring a PPP interface using wvdial
A different approach to using pppd is to run it from
wvdial which comes in the wvdial package. Instead of
pppd running chat to dial in and negotiate the
connection, wvdial does the dialing and initial negotiating and
then starts pppd to do the rest. Given only phone number,
username, and password wvdial succeeds in making the connection in
most cases.
10.3 Naming the computer
10.3.1 Hostname
A Debian system sometimes needs to identify itself by name. For this purpose a
hostname is maintained by the kernel.
The initscript /etc/init.d/hostname.sh sets the hostname at boot
time (using the hostname command) to the name stored in
/etc/hostname. This file should contain only the
hostname, not a fully qualified domain name.
To print out the current hostname run hostname without an
argument.
10.3.2 Mailname
The mailname of a host is the name that mail-related programs
use to identify the host. The file /etc/mailname contains of this
name followed by a newline. The mailname is usually one of the host's fully
qualified domain names. See mailname(5).
What the recipient of e-mail sees in the From: header of mail sent
by your Debian host depends on how Mail User Agents (MUA) and Mail Transfer
Agents (MTA) are configured. Suppose a local user foo
sends a mail from a host with mailname myhost.dom. The
From: header of outgoing e-mail will be:
-
"From: foo@myhost.dom" if the MUA
has no From: header set;
-
"From: bar@myhost.dom" if the MUA
has "From: bar" set;
-
"From: bar@bogus.dom" if the MUA
has "From: bar@bogus.dom" set.
Even when the MUA has a From: header set the MTA may add a
"Sender:foo@herman.dom" header to
indicate its true origin.
Of course when any involved MTA performs address rewriting as discussed in Setting up a catchall for nonexistent
email addresses under Exim, раздел 9.6.1.3 and Configuring selective address rewriting
for outgoing mail under Exim, раздел 9.6.1.4, the e-mail address seen by
the recipient can be changed to anything.
10.4 Domain Name Service (DNS)
Hosts are referred to by domain name as well as by IP address. DNS is a
client-server system in which name resolvers consult nameservers in order to
associate domain names with IP addresses and other properties of hosts. The
GNU C Library resolver(3) can also look up IP addresses in files
or consult Network Information Services (NIS).
To see what domain name is associated with the local host, use the
hostname --fqdn command. This prints out the first fully
qualified domain name that the resolver finds for the local hostname. [47]
10.4.1 The resolver
The job of finding out what IP addresses are associated with a particular
domain name is the job of a resolver. The most commonly used resolver is the
set of functions that go by that name (resolver(3)) in the GNU C
Library. Another is the FireDNS resolver which comes in the
libfiredns package.
How the LIBC resolver resolves names is governed by the hosts line
in the /etc/nsswitch.conf configuration file. This line lists the
services that should be used to resolve a name: e.g., dns,
files, nis, nisplus. [48] See
nsswitch.conf(5). Insofar as the files service is
used, the behavior of the resolver is also governed by the
/etc/hosts configuration file. See hosts(5).
All of the above files are static and can be edited with your favorite editor.
Insofar as the dns service is used, the behavior of the resolver
is also governed by the /etc/resolv.conf configuration file. See
resolv.conf(5). One of the important functions of
resolv.conf is to list the IP addresses of nameservers that will
be contacted to resolve the name. This list often has to depend upon the
network environment and the network environment may change from time to time
while your computer is running. Programs such as pppd and
dhclient are able to manipulate resolv.conf to add
and remove lines, but these features do not always work properly and they
conflict with one another. The resolvconf package solves the
problem better by providing a standard framework for updating this file. See
Managing nameserver information –
resolvconf, раздел 10.4.2.
10.4.2 Managing nameserver information – resolvconf
The resolvconf package provides a framework for dynamic management
of information about available nameservers. It solves the long standing
problem of how to maintain dynamic lists of nameservers for the resolver and
DNS caches to use. Resolvconf sets itself up as the intermediary between
programs that control network interfaces and supply nameserver information, and
applications that need nameserver information.
resolvconf is designed to work without any manual configuration
needing to be done. However, the package is quite new and may require some
manual intervention to get it to work properly. This is certainly true if you
have ever customized packages so that they update
/etc/resolv.conf: you will need to disable your customizations.
See /usr/share/doc/resolvconf/README.gz
for details.
10.4.3 Caching looked-up names – nscd, dnsmasq, pdnsd, bind9
If your nameserver is slow to respond then you may want to use
nscd to cache the results of things that are looked up using the
libc6 resolver.
If you want to cache results for other hosts on your local network then you may
want to run a caching forwarding nameserver such as dnsmasq or
pdnsd.
If you wish you can also use bind9's named as a
caching forwarding nameserver. It is a heavy program, though, so unless you
need its advanced features you are better off with one of the packages
mentioned earlier.
All of these packages work well with resolvconf.
10.4.4 Providing Domain Name Service – bind
If you need to provide authoritative name service for a domain then you need a
fully fledged nameserver such as named which comes in the
bind9 package.
If you install bind9 you should also install
dnsutils. You may also want to install these utility packages:
bind9-host; dns-browse; dnscvsutil;
nslint. You may also want to install this documentation package:
bind9-doc. You may also want to install these development
packages: libbind-dev; libnet-dns-perl. If you
configure interfaces using DHCP then you may find this package useful:
dhcp-dns.
Install bind9 or dpkg-reconfigure it to do the basic
set-up. Configuration consists of editing named.conf. In Debian
this file is found in /etc/bind/ and is used mainly to define the
basic DNS zones; it includes two other files:
named.conf.local, used for defining local zones, and
named.conf.options, used for setting options. (The latter is
processed by resolvconf to produce
/var/run/bind/named.options which is the same as the original
except that the forwarders specification is a list of the
currently available non-local nameservers. To make use of this, change the
include line in named.conf so that it includes
/var/run/bind/named.options. See Managing nameserver information –
resolvconf, раздел 10.4.2.)
Database files named in named.conf* without a full pathname will
be stored in /var/cache/bind/. This is the right place to store
files generated by named: for example, database files for zones
for which the daemon is secondary. Static database files in
/etc/bind/ are and must be referred to in named.conf
by their full path names. See /usr/share/doc/bind9/README.Debian.gz
for details.
10.5 Configuring network interfaces using DHCP
Low-level configuration of network interfaces can be automated by means of the
Dynamic Host Configuration Protocol (DHCP). Your firewall or router box or
your broadband ISP may furnish IP addresses and other parameters this way.
To make this work you must install one of the following packages:
-
dhcp3-client (version 3, Internet Software Consortium)
-
dhcpcd (Yoichi Hariguchi and Sergei Viznyuk)
-
pump (Red Hat)
pump is simple and widely used. dhcp3-client is
complex but more configurable. [49]
10.6 High level network configuration in Debian
In order to make network configuration easier Debian provides a standard high
level network configuration tool consisting of the ifup and
ifdown programs and the /etc/network/interfaces file.
[50] If you choose to use
ifupdown to do your network configuration then normally you should
not use low-level commands too. [51] The ifupdown
program was written with the intent that it alone be used to configure and
deconfigure network interfaces.
To update interface configuration do this:
# ifdown eth0
# editor /etc/network/interfaces # tweak as you wish
# ifup eth0
For more information see interfaces(5), /usr/share/doc/ifupdown/examples/network-interfaces.gz,
and ifup(8).
10.6.1 Configuring an interface with a static IP address
Suppose you want to configure an Ethernet interface such that it has a fixed IP
address of 192.168.0.111. This address begins with
192.168.0 so it must be on a LAN. Suppose further that
192.168.0.1 is the address of the LAN's gateway to the Internet.
Edit /etc/network/interfaces so that it includes a stanza like
this:
iface eth0 inet static
address 192.168.0.111
netmask 255.255.255.0
gateway 192.168.0.1
You can configure other aspects of the interface or perform other actions after
the interface is brought up or before it is brought down by specifying
appropriate commands on "up" and "down" lines.
iface eth0 inet static
address 192.168.0.111
netmask 255.255.255.0
gateway 192.168.0.1
up route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.2 dev $IFACE
down route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.2 dev $IFACE
up echo Interface $IFACE going up | /usr/bin/logger -t ifup
down echo Interface $IFACE Going down | /usr/bin/logger -t ifdown
Alternatively, commands can be inserted into scripts in the
/etc/network/if-up.d and /etc/network/if-down.d
directories. Such scripts can also implement extended options. See
interfaces(5) for details. For example, the
resolvconf package includes scripts that allow you to add options
specifying DNS information to be included in /etc/resolv.conf
while the interface is up:
iface eth0 inet static
address 192.168.0.111
netmask 255.255.255.0
gateway 192.168.0.1
dns-search somedomain.org
dns-nameservers 195.238.2.21 195.238.2.22
The argument somedomain.org of the dns-search option
corresponds to the argument of a search option in
resolv.conf(5). The arguments 195.238.2.21 and
195.238.2.22 of the dns-nameservers option correspond
to the arguments of nameserver options. Other recognized options
are dns-domain and dns-sortlist. See Managing nameserver information –
resolvconf, раздел 10.4.2.
10.6.2 Configuring an interface using DHCP
To configure an interface using DHCP edit /etc/network/interfaces
so that it includes a stanza like this:
iface eth0 inet dhcp
In order for this to work you must have installed one of the DHCP clients
mentioned in Configuring network interfaces using DHCP,
раздел 10.5.
10.6.3 Configuring a Wi-Fi interface
The wireless-tools package includes a hook script
/etc/network/if-pre-up.d/wireless-tools which makes it possible to
configure Wi-Fi (802.11a/b/g) hardware before the interface is brought up.
Configuration is done using the iwconfig program; see
iwconfig(8). For each possible command parameter of
iwconfig you can include an option in
/etc/network/interfaces named like that parameter with a
"wireless-" prefix. For example, to set the ESSID of
eth0 to myessid and the encryption key to
123456789e prior to bringing eth0 up using DHCP, edit
/etc/network/interfaces so that it includes a stanza like this:
iface eth0 inet dhcp
wireless-essid myessid
wireless-key 123456789e
Note that you should not use this method of setting the ESSID and key if you
are running waproamd for this interface. By the time
ifup is run waproamd has already set the ESSID and
key. See Triggering network configuration
– waproamd, раздел 10.10.4.
10.6.4 Configuring a PPP interface
The ifup and ifdown programs use pon and
poff to add and remove PPP interfaces so first read Configuring a PPP interface, раздел 10.2.4.
Suppose you have set up PPP to work with peer myisp. Edit
/etc/network/interfaces so that it includes a stanza like this:
iface ppp0 inet ppp
provider myisp
With this stanza in place, ifup ppp0 does
pon myisp
Unfortunately it is currently not possible to provide additional
pppd options in a ppp stanza in
/etc/network/interfaces. [52]
It is currently not possible to use ifupdown to perform auxiliary
configuration of PPP interfaces. Because pon exits before
pppd has finished making the connection, ifup runs
up scripts before the PPP interface is ready for use. Until this
bug [53] is fixed it remains
necessary to do auxiliary configuration in /etc/ppp/ip-up or
/etc/ppp/ip-up.d/.
10.6.5 Configuring a PPPoE interface
Many broadband Internet Service Providers (ISPs) use PPP to negotiate
connections even though customer machines are connected to them through
Ethernet and/or ATM networks. This is accomplished by means of PPP over
Ethernet (PPPoE) which is a technique for the encapsulation of PPP streams
inside of Ethernet frames. Suppose your ISP is called
myisp. First configure PPP and PPPoE for peer
myisp. The easiest way to do this is to install the
pppoeconf package and to run pppoeconf from the
console. Then edit /etc/network/interfaces so that it includes a
stanza like this:
iface eth0 inet ppp
provider myisp
There are sometimes Maximum Transmit Unit (MTU) issues with PPPoE over Digital
Subscriber Line (DSL). See DSL-HOWTO for details.
Note that if your broadband modem contains a router then the modem/router
handles the PPPoE connection itself and appears on the LAN side as a simple
Ethernet gateway to the Internet.
10.6.6 Configuring multiple Ethernet interfaces for a gateway
Suppose eth0 is connected to the Internet with a DHCP-configured
IP address and eth1 is connected to the LAN with static IP address
192.168.1.1. Edit /etc/network/interfaces so that it
includes stanzas like these:
iface eth0 inet dhcp
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
If you activate NAT on this host as described in Building a gateway router, раздел 10.14 then you can
share the Internet connection with all the hosts on the LAN.
10.6.7 Configuring virtual interfaces
Using virtual interfaces you can configure a single Ethernet card to be an
interface to several IP subnetworks. For example, suppose your host is on LAN
network 192.168.0.x/24. You want to connect the host to the Internet using a
public IP address provided via DHCP using your existing Ethernet card. Edit
/etc/network/interfaces so that it includes stanzas like these:
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
iface eth0:0 inet dhcp
The interface eth0:0 is a virtual interface. When it is brought
up, so will its parent eth0.
10.7 Network configuration using logical interface definitions
In the following it will be important for the reader to understand the
difference between a physical interface and a logical
interface. [54] A
physical interface is what we have been calling "the
interface", the thing that the kernel names eth0,
eth1, ppp0, or what have you. A
logical interface is a set of values that can be assigned to
the variable parameters of a physical interface. If you find that confusing,
replace the expression "configured as logical interface X"
with the expression "configured with interface profile X"
as you read.
The iface definitions in /etc/network/interfaces are
actually definitions of logical interfaces, not of physical interfaces. [55] If you never want to
reconfigure your interfaces then you can ignore this fact since the physical
interface foo will by default be configured as logical interface
foo.
However, suppose your computer is a laptop that you transport between home and
work. When you connect the computer to the corporate network or to your home
LAN you need to configure eth0 accordingly.
First define two logical interfaces home and work
(instead of eth0 as we did earlier) which describe how the
interface should be configured for the home network and the work network,
respectively.
iface home inet static
address 192.168.0.123
netmask 255.255.255.0
gateway 192.168.0.1
iface work inet static
address 81.201.3.123
netmask 255.255.0.0
gateway 81.201.1.1
Then physical interface eth0 can be brought up for the home
network with the appropriate configuration by specifying it on the command
line:
# ifup eth0=home
To reconfigure eth0 for the work network issue the commands:
# ifdown eth0
# ifup eth0=work
Note that with the interfaces file written as above it will no
longer be possible to bring up eth0 by doing ifup
eth0 alone. The reason is that ifup uses the physical
interface name as the default logical interface name and now in our example no
eth0 logical interface is defined.
10.8 Magic network configuration
Interface names can be "mapped" to other names when ifup
runs. How names are mapped can be made to depend on circumstances. Thus
ifup can be so configured that it brings up a given physical
interface as the appropriate logical interface among a set of predefined
alternatives.
Logical interface name mapping occurs as follows:
-
If no logical interface name is given on the
ifup command line
then the physical interface name is used as the initial logical interface name.
-
If the logical interface name matches the glob-pattern of a
mapping stanza then that mapping is applied to generate a new
logical interface name. This is done for each mapping stanza in turn.
-
If the final logical interface name is the label of a logical interface
definition in
/etc/network/interfaces then the physical interface
is brought up as that logical interface. Otherwise ifup prints a
message that it is "Ignoring unknown interface" and exits.
The syntax of a mapping stanza is:
mapping glob-pattern
script script-name
[map script input]
The script named in the mapping stanza is always run with the
physical interface name as its argument and with the contents
of all following "map" lines in the stanza (without the word
"map" itself) provided to it on its standard input. The script
prints the result of the mapping on its standard output before exiting.
For example, the following mapping stanza will cause
ifup to bring up interface eth0 as the
home logical interface.
mapping eth0
script /usr/local/sbin/echo-home
where /usr/local/sbin/echo-home is:
#!/bin/sh
echo home
Because mapping is done with a script it is possible to select the logical
interface automatically — based on some sort of test. See Logical interface selection using guessnet, раздел
10.8.1 for an example of this.
10.8.1 Logical interface selection using guessnet
Install guessnet and then add a stanza like the following to
/etc/network/interfaces:
mapping eth0
script guessnet-ifupdown
map home
map work
Now when you ifup eth0, guessnet will check whether
eth0 can be brought up as home or work.
To do this it uses information stored in the logical interface definitions.
10.8.2 Automatic network configuration using laptop-net
The laptop-net package takes a different approach to automagic
network reconfiguration. Laptop-net does not make use of
ifupdown's logical interfaces but instead has its own system of
configuration "schemes" and system "profiles". Laptop-net
still uses ifup and ifdown to configure physical
interfaces, though. For more information consult the well written
documentation in laptop-net-doc.
10.9 Dealing with inconsistent naming of interfaces by the kernel
The names eth0, eth1, etc. are assigned by the
kernel in the order that the kernel creates the interfaces that go by those
names. While adapters that are detected at boot time are usually detected in
the same order every time, and are therefore assigned the same names every
time, the same is not true of adapters that are hot plugged. These can be
detected in any order and end up getting assigned different names by the kernel
on different occasions.
Because of this fact, on a system into which network adapters are hot plugged
it won't always do to define logical interfaces in
/etc/network/interfaces with names eth0,
eth1, etc., and to rely on the default mapping. Instead you must
give distinct names to the logical interfaces and use one of the following two
methods to restrict which logical interfaces can be assigned to which adapters.
One method is to use either the nameif utility (in the
net-tools package) or the more flexible ifrename
utility (in the ifrename package) to make the kernel assign names
to interfaces according to properties of the underlying adapters. With this
naming scheme in effect, the physical interface name can be used to infer which
adapter underlies it.
Another method is to use ifup's mapping mechanism in such a way
that a logical interface is chosen for a physical interface being brought up
according to some property of the adapter that underlies it.
Suppose, for example, you have two different network adapters which you use
with networks net1 and net2, respectively. The
/usr/share/doc/ifupdown/examples/ directory contains a mapping
script that can be used to select a logical interface based on the Media Access
Controller address (MAC address) of the adapter. First install the script to
an appropriate directory.
# install -m770 /usr/share/doc/ifupdown/examples/get-mac-address.sh \
/usr/local/sbin/
Then add a stanza like the following to /etc/network/interfaces:
mapping eth0
script /usr/local/sbin/get-mac-address.sh
map 02:23:45:3C:45:3C net1
map 00:A3:03:63:26:93 net2
See Multi-stage mapping, раздел 10.11
for a more complex example.
In applying either method the property that is most commonly used to identify
the adapter is the MAC address.
10.10 Triggering network configuration
We have seen how interfaces can be configured or reconfigured. This needs to
be done at appropriate times.
Traditionally the network was configured during the boot sequence via the
/etc/rcS.d/S40networking initscript and was rarely reconfigured.
Services that depended on networking were started later in the boot sequence.
On shutdown or reboot the initscripts were run in the opposite order.
Currently, however, there is a trend in GNU and Linux toward supporting
hardware and circumstances that change dynamically. First support was added
for hot swappable PCMCIA cards; more recently the hotplug
mechanism has been added so that many more peripherals can be swapped in and
out while the computer is running. This includes networking hardware. Note
that services that depend on hardware that is hot swapped must only be started
after the hardware is inserted and must be stopped when the hardware is
removed. This means that such services must be removed from the control of the
System V init system and put under the control of ifupdown
instead.
For example, suppose service foo controlled by initscript
/etc/init.d/foo depends on dynamically reconfigured network
interface eth0.
10.10.1 Triggering network configuration at boot time
On boot the /etc/rcS.d/S40networking init script runs the command
ifup -a. This brings up all physical interfaces listed in
auto stanzas in /etc/network/interfaces.
These days it is often better to handle network configuration using dynamic
methods. Once mechanisms for supporting dynamically changing hardware are in
place it becomes simplest to treat static hardware as if it were dynamic too.
Booting can then be treated as just another hotplug event. (See Triggering network configuration –
hotplug, раздел 10.10.2.)
However, in almost all cases one wants at least the loopback interface
lo to be brought up on boot. Therefore, make sure that
/etc/network/interfaces includes the following stanzas.
auto lo
iface lo inet loopback
You can list additional physical interface names in auto stanzas
if you want them to be brought up on boot too. Never list
PCMCIA interfaces in auto stanzas. The PCMCIA
cardmgr is started later in the boot sequence than when
/etc/rcS.d/S40networking runs.
10.10.2 Triggering network configuration – hotplug
For hot-plug support install the hotplug package.
Networking hardware can be hot plugged either at boot time or after a card
(e.g., a PCMCIA card) is inserted into the machine or after a utility such as
discover runs and loads necessary driver modules.
When the kernel detects new hardware it initializes the driver for the hardware
and then runs the hotplug program to configure it. Later if the
hardware is removed then the kernel runs hotplug again with
different environment variable settings. In Debian, when hotplug
is called it runs scripts in /etc/hotplug/ and
/etc/hotplug.d/. See hotplug(8) for details.
Newly inserted network hardware is configured by the script
/etc/hotplug/net.agent. [57] Suppose your PCMCIA network card has been inserted
resulting in interface eth0 becoming available for use.
/etc/hotplug/net.agent does the following [58] :
ifup eth0=hotplug
Unless you have added a logical interface definition or mapping named
hotplug to /etc/network/interfaces, this command will
do nothing. To make it so that the command will configure eth0,
add the following stanza to /etc/network/interfaces:
mapping hotplug
script echo
As explained in Network configuration using logical
interface definitions, раздел 10.7 this will map the command shown above so
that it is equivalent to the following:
ifup eth0=eth0
(Do not include a mapping stanza like this if you are using
ifplugd or waproamd instances started by
hotplug to control the interface.)
If you want only eth0 and no other interfaces to be brought up on
hot plug then use grep instead of echo as follows:
mapping hotplug
script grep
map eth0
See Magic network configuration, раздел 10.8
and /usr/share/doc/hotplug/README.Debian
for more tips.
10.10.3 Triggering network configuration – ifplugd
The ifplugd daemon brings an interface up or down according to
whether or not its underlying hardware is plugged in to a network. The program
can detect a live cable connected to an Ethernet interface or an access point
associated to a Wi-Fi interface (although waproamd is probably
what you want to use in the latter case). When ifplugd sees that
the state of the link has changed it runs a proxy script which by default calls
ifup or ifdown.
10.10.4 Triggering network configuration – waproamd
The waproamd daemon is just like ifplugd except that
it is designed to be used with Wi-Fi cards. It actively scans for access
points to which the Wi-Fi hardware is able to associate. When association is
achieved, waproamd runs ifup.
If you are using waproamd then in general you configure the Wi-Fi
card via waproamd and not via wireless-* options in
/etc/network/interfaces.
10.10.5 Network configuration and PCMCIA
There are several possible approaches to configuring PCMCIA network interfaces
(for 2.4 and 2.6 kernels).
-
For 32 bit PCI (CardBus) PCMCIA network cards:
-
ifupdown controlled by hotplug
-
For 16 bit ISA PCMCIA network cards:
-
ifupdown controlled by hotplug with
pcmcia-cs confined to loading modules
-
recommended
-
In Woody and Sarge you must locally disable
pcmcia-cs's default
behavior of controlling ifupdown by adding the line exit
0 to the beginning of /etc/pcmcia/network. Also, you must
locally enable hotplug's control of ifupdown by
adding a mapping stanza to /etc/network/interfaces as described in
Triggering network configuration –
hotplug, раздел 10.10.2.
-
ifupdown controlled by pcmcia-cs via the default
/etc/pcmcia/network
-
deprecated but still the default for Woody and Sarge
-
low level tools controlled by
pcmcia-cs via special code in
/etc/pcmcia/network
-
deprecated
-
In Woody and Sarge the special code is enabled by editing
/etc/pcmcia/network.opts
The recommended approach for 16 bit cards takes advantage of the fact that the
Linux 2.4 hotplug subsystem now supports PCMCIA. [59]
PCMCIA network cards are hot pluggable. Accordingly, any services that require
networking through a PCMCIA card should be so configured that they get started
on card insertion and get stopped on card removal. This is usually
accomplished by arranging for the service to start on ifup and
stop on ifdown. Some people, however, choose to confine
themselves to cold plugging their PCMCIA network card: they insert the card
before booting the system and they start services that require networking
through the card in the boot sequence. If you are such a person then in order
to ensure that the card is fully configured before the services are started you
should do the following:
-
Set CARDMGR_OPTS="-f" in
/etc/default/pcmcia in order to force cardmgr to run
in the foreground.
-
Rename
/etc/rc?.d/S20pcmcia to something like
/etc/rc?.d/S12pcmcia.
This hack only works for 16 bit PCMCIA cards.
Note that pcmcia-cs is still needed if you use 16 bit PCMCIA
cards. The cardmgr daemon that the package contains is
responsible for managing the sockets and loading driver modules. We just don't
want it to call network configuration programs via
/etc/pcmcia/network.
In order for cardmgr to work properly you may need to edit
/etc/pcmcia/config.opts in order to configure resources assigned
to 16 bit PCMCIA cards. See PCMCIA, раздел 7.2.1 and the
Linux PCMCIA
HOWTO for more information.
10.11 Multi-stage mapping
Suppose your network adapters are hotplugged and you enable automatic
configuration as described in Triggering network
configuration – hotplug, раздел 10.10.2. Suppose
further that you need to map logical interfaces to "physical"
interfaces depending both on the adapter underlying the physical interface (as
described in Dealing with inconsistent naming of
interfaces by the kernel, раздел 10.9) and on the network connected to the
interface (as described, for example, in Logical
interface selection using guessnet, раздел 10.8.1). You can accomplish
this with multi-stage mapping.
The first mapping stage takes the hotplug group name and outputs
the kernel-assigned interface name if the interface is to be hot plugged. The
second mapping stage takes a kernel-assigned interface name and outputs an
adapter name. The third mapping stage maps adapter names to logical interface
names based on the network environment.
# Allow hotplug to bring up interfaces
mapping hotplug
script echo
# Determine whether interface is wired or Wi-Fi
mapping eth?
script /usr/local/sbin/get-mac-address.sh
map 02:23:45:3C:45:3C wired
map 00:A3:03:63:26:93 wifi
# Detect which wired network is available
mapping wired
script guessnet-ifupdown
map work-wired
map home
# Detect which Wi-Fi network is available
mapping wifi
script ifscout
map starbucks
map work-wireless
iface work-wired inet static
...
10.12 Network service configuration
Typical network service configuration on the desktop or home server environment
involves:
-
The Internet super-server and TCP/IP daemon wrapper, see Restricting access to services, раздел 9.2.5.
-
ssh: OpenSSH secure shell, see SSH, раздел 9.5.
-
/etc/ssh/ssh_config
-
/etc/ssh/sshd_config
-
exim: mail transport agent, see Mailname,
раздел 10.3.2 and Mail transport agents
(MTAs), раздел 9.6.1.
-
/etc/exim/exim.conf
-
/etc/mailname
-
/etc/aliases
-
/etc/email-addresses
-
fetchmail: daemon to fetch mail from a POP3 account, see Fetching mail – Fetchmail, раздел
9.6.2.
-
procmail: local mail delivery and filter program, see Processing mail – Procmail, раздел
9.6.3.
-
Hostname and DNS (proxy, cache, ...), see Hostname,
раздел 10.3.1 and Domain Name Service (DNS), раздел
10.4.
-
/etc/host.conf
-
/etc/hostname
-
/etc/hosts
-
/etc/hosts.allow
-
/etc/hosts.deny
-
/etc/resolv.conf
-
/etc/bind/named.conf (edit)
-
/etc/bind/db.lan (add for LAN hosts)
-
/etc/bind/db.192.168.0 (add for LAN reverse)
-
DHCP, see Configuring network interfaces using DHCP,
раздел 10.5.
-
/etc/dhcp3/dhclient.conf (DHCP client side)
-
/etc/default/dhcp3-server (DHCP server side)
-
/etc/dhcp3/dhcpd.conf (DHCP server side)
-
cvs: concurrent versions system, see Concurrent Versions System (CVS), раздел 12.1.
-
/etc/cvs-cron.conf
-
/etc/cvs-pserver.conf
-
nfs-kernel-server: network file system, see Конфигурация NFS, раздел 3.4. (for
unix-like systems)
-
samba: network file and printer share for Windows, see Настройка Samba, раздел 3.5 and Samba, раздел 8.6.37.
-
Printer daemon system, see Настройка
принтера, раздел 3.6.
-
apache and apache2: web server.
-
/etc/apache/*
-
/etc/apache2/*
-
squid: web proxy cache server.
10.13 Network troubleshooting
If you encounter problems then check the output of the following as the first
reality check:
# ifconfig
# cat /proc/pci
# cat /proc/interrupts
# dmesg | more
Also see the sections following Network
testing basics, раздел 8.6.28.
If you have problems with certain websites, see Странные проблемы доступа на некоторые
web-сайты, раздел 3.7.5.
10.14 Building a gateway router
A Debian host can be an all-purpose gateway machine that does Network Address
Translation (NAT, also known as masquerading), mail transfer, DHCP, DNS
caching, HTTP proxy caching, CVS service, NFS serving, and Samba serving. See
Хосты и IP-адреса для использования в
локальных сетях, раздел 3.1.9 for the example of such set up.
10.14.1 Netfilter configuration
The netfilter/iptables project is a firewalling subsystem for Linux 2.4 and
after. See Netfilter,
where many network configuration issues are explained.
10.14.1.1 Basics of netfilter
Netfilter process packets use five built-in chains: PREROUTING, INPUT, FORWARD,
OUTPUT, and POSTROUTING.
routing
decision
IN ------> PRE ---> ------> FORWARD -----> ----> POST -----> OUT
interface ROUTING \ filter / ROUTING interface
DNAT | tracking ^ SNAT
REDIRECT | | MASQUERADE
v |
INPUT OUTPUT
| filter ^ filter,DNAT
v |
\--> Local Process --/
user-space programs
10.14.1.2 Netfilter table
Packets are processed at each built-in chain using the following tables.
-
filter (packet filter, default)
-
INPUT (for packets coming into the box itself)
-
FORWARD (for packets being routed through the box)
-
OUTPUT (for locally generated packets).
-
nat (network address translation )
-
PREROUTING (for altering packets as soon as they come in)
-
OUTPUT (for altering locally generated packets before routing)
-
POSTROUTING (for altering packets as they are about to go out)
-
mangle (network address mangling, good only after 2.4.18)
-
all five built-in chains.
10.14.1.3 Netfilter target
Firewall rules have several targets:
-
four basic targets:
-
ACCEPT means to let the packet through.
-
DROP means to drop the packet.
-
QUEUE means to pass the packet to userspace (if supported by the kernel).
-
RETURN means stop traversing this chain and resume at the next rule in the
previous (calling) chain.
-
extended targets:
10.14.1.4 Netfilter commands
The basic commands of iptables are:
iptables -N chain # create a chain
iptables -A chain \ # add rule to chain
-t table \ # use table (filter, nat, mangle)
-p protocol \ # tcp, udp, icmp, or all,
-s source-address[/mask] \
--sport port[:port] \ # source port if -p is tcp or udp
-d destination-address[/mask] \
--dport port[:port] \ # dest. port if -p is tcp or udp
-j target \ # what to do if match
-i in-interface-name \ # for INPUT, FORWARD, PREROUTING
-o out-interface-name # for FORWARD, OUTPUT, POSTROUTING
10.14.1.5 Network Address Translation
Machines on a LAN can access Internet resources through a gateway that
translates IP address on the LAN to IP addresses usable on the Internet.
# apt-get install ipmasq
Apply example rules to strengthen the ipmasq protection. See
/usr/share/doc/ipmasq/examples/stronger/README.
For Debian kernel-image-2.4 under woody, make sure to load the proper modules.
Sarge version of ipmasq fixed this issue. See Network function, раздел 7.2.3 for
configuration instructions.
For Debian kernel-image-2.2, edit Z92timeouts.rul in
/etc/masq/rules as follows to ensure a longer connection to remote
sites (good for large emails, etc.):
# tcp, tcp-fin, udp
# 2hr, 10 sec, 160 sec - default
# 1 day, 10 min, 10 min - longer example
$IPCHAINS -M -S 86400 600 600
Also, if the network is accessed through a PCMCIA NIC, ipmasq
needs to be started either from /etc/pcmcia/network.opts (read:
/usr/share/doc/ipmasq/ipmasq.txt.gz)
or from /etc/network/interfaces (read: Network configuration and PCMCIA, раздел 10.10.5
and Triggering network configuration, раздел
10.10).
10.14.1.6 Redirect SMTP connection (2.4)
Suppose you have a notebook PC which is configured to use other LAN
environments and you want to use your mail user agent on the notebook PC
without reconfiguring it.
Adding the following rules through the iptables command to the
gateway machine will redirect the SMTP connection to the gateway machine.
# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -j REDIRECT \
-p tcp --dport smtp --to-port 25 # smtp=25, INPUT is open
For a more thorough redirect rule set consider installing the
ipmasq package and adding M30redirect.def/etc/ipmasq/rules/ directory.
10.14.2 Manage multiple net connections
[FIXME] Policy routing (by Phil Brutsche pbrutsch@tux.creighton.edu):
See the iproute manual for
details. Traffic control (tc) may also be interesting.
Environment:
eth0: 192.168.1.2/24; gateway 192.168.1.1
eth1: 10.0.0.2/24; gateway 10.0.0.1
No masquerading on this machine.
Special magic:
-
ip rule add from 192.168.1.2 lookup 1
-
ip rule add from 10.0.0.2 lookup 2
-
ip route add to default via 10.0.0.1 metric 0
-
ip route add to default via 192.168.1.1 metric 1
-
ip route add table 1 to 192.168.1.0/24 via eth0
-
ip route add table 1 to 10.0.0.2/24 via eth1
-
ip route add table 1 to default via 192.168.1.1
-
ip route add table 2 to 192.168.1.0/24 via eth0
-
ip route add table 2 to 10.0.0.2/24 via eth1
-
ip route add table 2 to default via 10.0.0.2
[FIXME] I've never done this. How to set up dialup as backup to a fast
connection with autodial features? Please send me a patch here :)
[ назад ]
[ Содержание ]
[ 1 ]
[ 2 ]
[ 3 ]
[ 4 ]
[ 5 ]
[ 6 ]
[ 7 ]
[ 8 ]
[ 9 ]
[ 10 ]
[ 11 ]
[ 12 ]
[ 13 ]
[ 14 ]
[ 15 ]
[ A ]
[ вперед ]
🔥 VPS до 5.7 ГГц под любые задачи с AntiDDoS в 7 локациях
Виртуальные VPS серверы в РФ и ЕС
