The Little Book of Linux Networking

Introduction

This guide was created as a reference for the networking part of my Computer Security course. It is a practical how-to on basic Linux networking and contains practical advice on how to get up and running.

This pamphlet contains very little theory and is not intended as a one-stop shop for network exam questions. I hope you find it useful.

Table of Contents

Introduction
Attaching to a network
    Step One: Configuring your interfaces
    A Word About Subnets
    Step Two: Configuring routing
        Configuring the router
        Configuring the clients
    A note on DNS
How to manipulate an iptables firewall
    Some commands to know before we get started
        Viewing the tables
        Deleting a rule
    A Scenario
        Step One: Configuring the firewall's default behaviour
        Step Two: Allowing traffic to the WWW server
        Step Three: Allowing traffic from the WWW server to the internet
    A final note about firewalls
Version History
About this book
License

Attaching to a network

The three commands used in this section:

Command    Reason
ifconfig   Provides a way of configuring network cards.
route      Allows you to define gateways.
ping       Allows you to check if a host is up.

Note that ifconfig and route belong to the net-tools package, which many current distributions no longer install by default; the ip command from iproute2 does the same jobs and is what a fresh system ships with. The commands below still work wherever net-tools is installed.

Step One: Configuring your interfaces

Before we can do anything we need to configure the interface you want to use. First, check what interfaces are available:

ifconfig -a

eth0      Link encap:Ethernet  HWaddr b8:ac:6f:6a:f9:35
          inet addr:10.38.3.68  Bcast:10.38.63.255  Mask:255.255.192.0
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:720 (720.0 B)  TX bytes:720 (720.0 B)

The Little Book of Linux Networking CC-BY-NC-SA Page 1


wlan0     Link encap:Ethernet  HWaddr 00:21:6a:b2:02:ce
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Then we need to know the IP address of the network we want to connect to and its network prefix. The network prefix determines how many addresses there are in a subnet and is a value between 0 and 32. To work out how many addresses fit into a subnet use the following formula:

    32 - (network prefix) = n
    2^n = number of addresses

So, for example, if we had a network with the address and prefix 172.168.50.0/29 we would have 8 addresses per subnet. We can work this out by doing:

    32 - 29 = 3
    2^3 = 8

A Word About Subnets

Just because you have 8 addresses in your subnet doesn't mean that you have 8 hosts available. The bottommost address is reserved as the network address and the topmost address is the broadcast address. This means that in a subnet of 8 addresses only 6 are usable. For example, the 172.168.50.0/29 subnet:

IP             Usable?
172.168.50.0   No. Reserved (network address).
172.168.50.1   Yes.
172.168.50.2   Yes.
172.168.50.3   Yes.
172.168.50.4   Yes.
172.168.50.5   Yes.
172.168.50.6   Yes.
172.168.50.7   No. Broadcast address.

One caveat about this example network: 172.168.0.0 is not inside the private 172.16.0.0/12 range (172.16.0.0 to 172.31.255.255), so 172.168.50.0/29 is public address space that belongs to someone else. Use it only on an isolated lab segment, or substitute a private network such as 172.16.50.0/29.

Now we are finally ready to connect to the network. We can do this easily using the ifconfig command. The general syntax of the command is:

ifconfig [interface] [operation]

So if we wanted to connect our computer to the 172.168.50.0/29 network with the IP address 172.168.50.1 we would type at the terminal (as root):

ifconfig eth0 172.168.50.1/29

Finally, we can confirm that we are connected to the network by issuing a single ifconfig command:


ifconfig

eth0      Link encap:Ethernet  HWaddr b8:ac:6f:6a:f9:35
          inet addr:172.168.50.1  Bcast:172.168.50.7  Mask:255.255.255.248
          inet6 addr: fe80::baac:6fff:fe6a:f935/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1116621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:572927 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1689735097 (1.6 GB)  TX bytes:40629387 (40.6 MB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:700 errors:0 dropped:0 overruns:0 frame:0
          TX packets:700 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:57352 (57.3 KB)  TX bytes:57352 (57.3 KB)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:b2:02:ce
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The address, broadcast address and mask on eth0 should agree with the subnet arithmetic above: Bcast is the topmost address of the /29 and Mask:255.255.255.248 is the 29-bit mask.

Step Two: Configuring routing

Now you are connected, the next step is to configure gateways into other networks, such as the internet or a neighbouring network. This section will look at two areas of routing:

• Setting up a router.
• Configuring a client to use a router.

For all the examples we will be using the following network layout:

[Figure: network layout, described below.]

This layout has two networks. One is 192.168.70.0/28 (16 addresses, 14 usable) and the other is 172.168.50.0/29 (8 addresses, 6 usable). GW1 will act as the router between the two networks.
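As a check on the two networks in this layout, here is the subnet arithmetic from the previous section in plain shell. This is an added example, not part of the original pamphlet: cidr_info implements the 32 - prefix rule and the reserved network and broadcast addresses with nothing but shell arithmetic, so the numbers can be verified without touching an interface. The on_link function is my own addition too; it checks the one thing the route commands in the next section depend on, namely that a gateway address lies inside the interface's own subnet.

```shell
#!/usr/bin/env bash
# Subnet arithmetic for ADDRESS/PREFIX, following the text's rule
# (32 - prefix = n, 2^n = addresses) and reserving the bottom (network)
# and top (broadcast) addresses. Plain shell arithmetic, no external tools.

ip2int() {                       # 172.168.50.1 -> 32-bit integer
    local IFS=.
    set -- $1                    # split the dotted quad into $1..$4
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info ADDRESS/PREFIX
# prints: network broadcast first_usable last_usable usable_count
cidr_info() {
    local addr prefix host_bits size mask net bcast first last usable
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo "bad prefix: $prefix" >&2; return 1; }
    host_bits=$(( 32 - prefix ))                 # n in the text's formula
    size=$(( 1 << host_bits ))                   # 2^n addresses in the block
    mask=$(( (0xFFFFFFFF << host_bits) & 0xFFFFFFFF ))
    net=$(( $(ip2int "$addr") & mask ))          # bottom address: reserved
    bcast=$(( net | (size - 1) ))                # top address: broadcast
    if [ "$host_bits" -ge 2 ]; then
        usable=$(( size - 2 )); first=$(( net + 1 )); last=$(( bcast - 1 ))
    else
        # /31 and /32 have no room to reserve two addresses; the text's
        # "minus two" rule does not apply there, so report zero usable.
        usable=0; first=$net; last=$bcast
    fi
    echo "$(int2ip "$net") $(int2ip "$bcast") $(int2ip "$first") $(int2ip "$last") $usable"
}

# on_link ADDRESS/PREFIX GATEWAY -> succeeds if GATEWAY is a usable address
# inside ADDRESS's subnet, which is what `route add ... gw` requires.
on_link() {
    local gw net bcast
    gw=$(ip2int "$2")
    set -- $(cidr_info "$1")
    net=$(ip2int "$1"); bcast=$(ip2int "$2")
    [ "$gw" -gt "$net" ] && [ "$gw" -lt "$bcast" ]
}

# cidr_info 172.168.50.0/29 -> 172.168.50.0 172.168.50.7 172.168.50.1 172.168.50.6 6
```

Running cidr_info 192.168.70.3/28 gives 192.168.70.0 192.168.70.15 192.168.70.1 192.168.70.14 14, which is where the "14 usable" figure above comes from; on_link 172.168.50.1/29 172.168.50.2 succeeds, while on_link 172.168.50.1/29 192.168.70.3 fails, which is why CLIENT1 must point at GW1's eth0 address and not its eth1 address.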


Configuring the router

The router in this network will be the computer GW1. This computer will have two network cards: eth0 (which will be connected to the 172.168.50.0/29 network) and eth1 (which will be connected to the 192.168.70.0/28 network).

First of all we need to use what we have learned so far to connect the router to these networks. To make our life easier, we will use a bit of command line magic to connect to both networks at the same time by joining the two commands with the && operator (the second command only runs if the first one succeeds).

ifconfig eth0 172.168.50.2/29 && ifconfig eth1 192.168.70.3/28

That little command should have correctly configured the interfaces. Remember it's always worth running ifconfig to make sure that everything has worked correctly. Now you should be able to ping all the hosts on the two networks. To use ping we structure a command like this:

ping [options] host

Some useful options we can use with ping are -c1, which sends a single ping request rather than flooding the network with pings until you Ctrl-C the ping program, and -R, which asks each router on the path to record itself in the packet, effectively listing all the routers the ping request has passed through (many hosts ignore or strip this option, so it does not always work).

To make sure we can see the hosts on each network we could run the following commands:

ping -c1 172.168.50.5
PING 172.168.50.5 (172.168.50.5) 56(84) bytes of data.
64 bytes from 172.168.50.5: icmp_req=1 ttl=64 time=1.08 ms

--- 172.168.50.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.089/1.089/1.089/0.000 ms

ping -c1 192.168.70.2
PING 192.168.70.2 (192.168.70.2) 56(84) bytes of data.
64 bytes from 192.168.70.2: icmp_req=1 ttl=64 time=0.841 ms

--- 192.168.70.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.841/0.841/0.841/0.000 ms

Now GW1 is on both networks, we can configure it to allow the forwarding of traffic from one network to another. By default, a normal Linux box doesn't allow traffic to be forwarded and we need to 'flick a switch' in order to allow it to happen. Luckily, to flick this switch we just need to put a 1 in the file /proc/sys/net/ipv4/ip_forward (as root):

echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
1

Two things to be aware of: this setting is lost on reboot, so to make it permanent it also has to go into the system's sysctl configuration; and once forwarding is on, GW1 will pass along anything that arrives for the other network, which is why the firewall section later in this pamphlet matters.

Now all we need to do is make the clients able to use the router...

Configuring the clients

Configuring the clients is actually a one line task for each client. We will assume that everyone on the 172.168.50.0/29 network needs to go through GW1 for anything beyond their own network, and that the clients on the 192.168.70.0/28 network only route traffic through GW1 to reach the 172.* network.

Firstly, to set up GW1 as the default gateway for the machine CLIENT1 we need to use the route command. The route command allows you to define which hosts traffic is sent to. The syntax for it is a little bit odd compared to everything else we have used so far.


route [operation...] [...on what] [parameters]

This looks confusing but in practice the route command is quite simple. If you want to see all the parameters and options (which is beyond the scope of this pamphlet) then check out the route man page.

To add GW1 as the default gateway for the machine CLIENT1 we would use the route command:

route add -net default gw 172.168.50.2

Broken down, all this command means is: add 172.168.50.2 as the default gateway to get to any network beyond CLIENT1's own. The gateway address has to be on CLIENT1's own subnet (it is: 172.168.50.2 is GW1's eth0 address on 172.168.50.0/29), otherwise the kernel refuses the route because it has no way to reach the gateway directly.

Now the next command, for DNS1 on the 192.168.70.0/28 network, has to be a bit more specific since we want it to use GW1 only to contact the 172.* network. The command would then be shaped like this:

route add -net 172.168.50.0/29 gw 192.168.70.3

This command follows similar logic and means: if you want to get to network 172.168.50.0/29 then go through 192.168.70.3 (GW1's eth1 address). The only tricky thing here is to remember to attach the network prefix as well. Running route with no arguments afterwards prints the kernel routing table, which is the quickest way to confirm the entry was accepted.

A note on DNS...

A DNS server isn't automatically agreed upon when you statically configure your network like it is when you use DHCP. Therefore you will have to configure it.

From the previous examples, imagining that DNS1 is the DNS server (because our network manager is very imaginative with names) and we wanted to configure GW1 and CLIENT1 to use DNS1 as their DNS server, we would need to define it in a configuration file named resolv.conf.

Typically the only line in resolv.conf is:

nameserver [ip address here]

Changing the DNS server is just a matter of changing the IP address that follows nameserver. To change the DNS server in GW1 and CLIENT1 we will open up this file in the command line text editor nano.

nano /etc/resolv.conf

Save and close nano with Ctrl-O and Ctrl-X and we are done!

One caveat: on a system running a DHCP client, NetworkManager or systemd-resolved, /etc/resolv.conf is generated by that service and a hand edit will be overwritten; on such systems the nameserver has to be set through the service's own configuration instead.
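The router, client and resolver steps above as one script, written with iproute2 (ip) and sysctl rather than the net-tools ifconfig and route commands. This is an added example of my own, not code from the pamphlet. Addresses and interface names are the ones the text uses; the sysctl drop-in file name is my choice, DNS1's address is not given in the text and must be passed in, and DRY_RUN is a convenience of this script only. Each function is meant to be run as root on the machine it is named after.

```shell
#!/usr/bin/env bash
# Router, client and resolver configuration for the layout in the text,
# using iproute2 (ip) and sysctl. Run the relevant function as root on
# GW1, CLIENT1 or DNS1; set DRY_RUN=1 to print the commands instead of
# executing them. "replace" is used rather than "add" so that running a
# function twice does not fail with "File exists".
set -eu

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# GW1: one address in each network, forwarding enabled now and after reboot.
configure_gw1() {
    run ip address replace 172.168.50.2/29 dev eth0
    run ip link set eth0 up
    run ip address replace 192.168.70.3/28 dev eth1
    run ip link set eth1 up
    run sysctl -w net.ipv4.ip_forward=1
    # echo 1 > /proc/sys/net/ipv4/ip_forward does not survive a reboot;
    # a sysctl.d drop-in does (the file name is an assumption of mine).
    run sh -c 'printf "net.ipv4.ip_forward = 1\n" > /etc/sysctl.d/99-gw1-forward.conf'
}

# CLIENT1 on 172.168.50.0/29: everything beyond its own network goes to
# GW1's eth0 address, which is on-link for CLIENT1.
configure_client1() {
    run ip address replace 172.168.50.1/29 dev eth0
    run ip link set eth0 up
    run ip route replace default via 172.168.50.2
}

# DNS1 on 192.168.70.0/28: only 172.168.50.0/29 is reached through GW1's
# eth1 address. DNS1's own interface is assumed to be configured already.
configure_dns1() {
    run ip route replace 172.168.50.0/29 via 192.168.70.3
}

# Resolver: the single nameserver line from the text. Pass DNS1's address
# (not stated in the text) as the argument.
write_resolv_conf() {
    run sh -c "printf 'nameserver %s\n' '$1' > /etc/resolv.conf"
}

# Read-only checks to run afterwards on any of the machines: addresses,
# routing table and the forwarding switch.
show_state() {
    run ip -brief address show
    run ip route show
    run sysctl net.ipv4.ip_forward
}
```

On a machine where /etc/resolv.conf is managed by NetworkManager or systemd-resolved, write_resolv_conf will be undone by that service, as noted above; the other functions are unaffected by it.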


How to manipulate an iptables firewall

iptables is the packet-filtering firewall built into Linux. It is a very powerful tool in that you can configure rules very precisely. Rules are grouped into chains, and each chain has a default policy that decides what happens to a packet that no rule matched. (On current distributions the iptables command is often a front end to nftables; the commands in this section behave the same either way.)

Broadly speaking there are three chains that you need to be aware of:

• INPUT
  Deals with any incoming traffic addressed to the computer itself.
• FORWARD
  Deals with packets being forwarded to other hosts. This is the chain that matters for a router.
• OUTPUT
  Deals with all traffic leaving the computer that the computer itself generated.

Each of these chains can have a number of different rules attached to it. A packet is compared against the rules from the top down and the first rule that matches decides its fate; if none matches, the chain's policy applies.

[Figure: a firewall between the internet and the local network, showing the INPUT, FORWARD and OUTPUT chains.]

Some commands to know before we get started

Before we get started constructing firewall rules, it's important we know some of the housekeeping around the iptables command. Namely, tasks such as viewing our rules and chains and deleting rules that have gone wrong are very useful to know.

Viewing the tables

iptables -L -nv

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

The -n flag prints addresses and ports as numbers instead of resolving them (so the listing does not stall on DNS lookups) and -v adds the packet counters and the in/out interfaces, which is how you see whether a rule is actually being hit.

Deleting a rule

iptables -D [chain] [number]

chain: the chain the rule lives in. Needs to be INPUT, FORWARD or OUTPUT.
number: the rule's position in the chain, counted from the top down with the first rule as one. (Adding --line-numbers to the listing command above prints these positions.)

For example, if I wanted to delete the third rule in the FORWARD chain I would use the command:

iptables -D FORWARD 3


A Scenario

Our network scenario is that we have a firewall that needs to allow traffic from the internet (10.0.0.0/24, which stands in for the internet in this lab) to a local web server, WWW (172.168.50.2), on our network. The firewall's eth1 faces the internet side and its eth0 faces the web server's network.

[Figure: internet (10.0.0.0/24), firewall, web server 172.168.50.2.]

Imagine that you have just booted the firewall, configured the network interfaces and enabled forwarding. We have three firewall tasks we need to do.

1. Change the default FORWARD policy behaviour from ACCEPT to DROP.
2. Create a rule to allow TCP port 80 traffic to WWW.
3. Create a rule to allow traffic from WWW back to the internet from port 80.

Step One: Configuring the firewall's default behaviour

By default the firewall allows everything to pass through unchecked. This state is called ACCEPT. Obviously, we only want web traffic on TCP port 80 to pass between the internet and the web server so this default behaviour will need to be changed.

This means the first thing we need to do is change the FORWARD policy to DROP. DROP means every packet that no rule accepts is silently discarded at the firewall. This gives us room to define the traffic we want to flow through this computer.

Changing FORWARD's policy to DROP is quite an easy challenge and can be done with a single command. Do this before adding any ACCEPT rules; until the rules in the next two steps are in place, nothing is forwarded at all.

iptables -P FORWARD DROP
iptables -L -nv

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Step Two: Allowing traffic to the WWW server

This is where the commands start becoming a little more complicated. Because of the power of iptables you can generate quite long commands just because you are being precise and informative as to what you want to happen. For this reason, I will simply put the command up and explain it afterwards.

iptables -A FORWARD -p tcp -d 172.168.50.2 --dport 80 -i eth1 -o eth0 -j ACCEPT
iptables -L -nv

Chain INPUT (policy ACCEPT 6138 packets, 4508K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            172.168.50.2         tcp dpt:80

Chain OUTPUT (policy ACCEPT 6308 packets, 923K bytes)
 pkts bytes target     prot opt in     out     source               destination

Command element    Description
-A FORWARD         Append a rule to the end of the FORWARD chain.
-p tcp             Match only TCP. UDP or ICMP packets do not match this rule and so fall through to the DROP policy.
-d 172.168.50.2    Match on the packet's destination address. In this case the value is the IP address of the WWW server.
--dport 80         Match on destination port 80, the standard port for web traffic. A port match only makes sense with -p tcp or -p udp in front of it.
-i eth1            The input interface. In this case it's eth1 as eth1 is the interface facing the internet.
-o eth0            The output interface. This is eth0 because it's the interface the packet leaves on to reach its target.
-j ACCEPT          What to do with a packet that matches. In this case, we want to accept it.


Step Three: Allowing traffic from the WWW server to the internet

As before I am just going to put the command down and show the results. It should be fairly self-explanatory in function apart from a slight change in some of the flags.

iptables -A FORWARD -p tcp -s 172.168.50.2 --sport 80 -i eth0 -o eth1 -j ACCEPT
iptables -L -nv

Chain INPUT (policy ACCEPT 6536 packets, 4599K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   eth0    0.0.0.0/0            172.168.50.2         tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   eth1    172.168.50.2         0.0.0.0/0            tcp spt:80

Chain OUTPUT (policy ACCEPT 6827 packets, 985K bytes)
 pkts bytes target     prot opt in     out     source               destination

Note that the FORWARD header in this listing reads policy ACCEPT, whereas after Step One it must read policy DROP. If you see ACCEPT here, the policy has been reset and Step One needs to be repeated; otherwise every packet these two rules do not match is still being forwarded.

The changes here are the -s and --sport flags and the switching of interfaces for the -i and -o flags. The reason we have switched the interfaces on the -i and -o flags is that on the return leg of the journey the packet first arrives on eth0 and leaves on eth1.

Dropping -d and --dport in favour of -s and --sport is done because for the reply the firewall needs to match where the packet is coming from rather than where it is going: the reply comes from the web server's port 80, while its destination is whichever internet host and port made the request.

A final note about firewalls

The view taken of firewalls in this guide is very simplistic. In particular, the two rules above are stateless: the second one accepts any packet from 172.168.50.2 with source port 80, whether or not it belongs to a connection an internet client opened, and nothing here touches the INPUT chain, whose policy is still ACCEPT, so the firewall host itself remains open. If you want a full list of things the firewall can do it would be worth checking the iptables man page.
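To see exactly what the three-step scenario admits, here is a first-match evaluator for its FORWARD chain, written by me as an added example rather than taken from the pamphlet. The rule list mirrors the two iptables -A commands in order, with '*' standing for the 0.0.0.0/0 and "any port" matches in the listing; the DROP policy is applied when no rule matches. Only exact address matches are implemented, which is all these two rules need, so it runs without root and without a network.

```shell
#!/usr/bin/env bash
# First-match evaluation of the scenario's FORWARD chain. A packet is
# described by its in/out interface, protocol, source, destination, source
# port and destination port; rules are checked top-down like iptables and
# the first match decides, otherwise the chain policy applies.

FORWARD_POLICY=DROP
# in-iface out-iface proto src dst sport dport target   ('*' = any)
FORWARD_RULES='
eth1 eth0 tcp * 172.168.50.2 * 80 ACCEPT
eth0 eth1 tcp 172.168.50.2 * 80 * ACCEPT
'

field_matches() { [ "$1" = '*' ] || [ "$1" = "$2" ]; }

# forward_verdict IN OUT PROTO SRC DST SPORT DPORT  -> prints ACCEPT or DROP
forward_verdict() {
    local verdict
    verdict=$(printf '%s\n' "$FORWARD_RULES" |
        while read -r rin rout rproto rsrc rdst rsport rdport target; do
            [ -n "$rin" ] || continue                      # skip blank lines
            if field_matches "$rin" "$1" && field_matches "$rout" "$2" &&
               field_matches "$rproto" "$3" && field_matches "$rsrc" "$4" &&
               field_matches "$rdst" "$5" && field_matches "$rsport" "$6" &&
               field_matches "$rdport" "$7"; then
                printf '%s\n' "$target"                    # first match wins
                break
            fi
        done)
    printf '%s\n' "${verdict:-$FORWARD_POLICY}"            # no match: policy
}

# Constructed packets (10.0.0.5 is an arbitrary internet-side client):
#   forward_verdict eth1 eth0 tcp 10.0.0.5 172.168.50.2 51000 80   -> ACCEPT
#   forward_verdict eth0 eth1 tcp 172.168.50.2 10.0.0.5 80 51000   -> ACCEPT
#   forward_verdict eth1 eth0 tcp 10.0.0.5 172.168.50.2 51000 22   -> DROP
#   forward_verdict eth0 eth1 tcp 172.168.50.2 10.0.0.5 80 22      -> ACCEPT
```

The last constructed packet is the one worth noticing: a connection opened by the web server to port 22 on an internet host is accepted, because the second rule only looks at the source address and source port. That is the stateless caveat from the final note above. In real deployments the return direction is written as a connection-tracking match (an ESTABLISHED,RELATED rule) instead of a mirror of the inbound rule, so that only replies to connections the first rule admitted get through.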


Version History

Version   Comments
1.0       This is the first release and probably contains errors. Expect it to be flaky in places and not amazingly fully fledged.

About this book

This book was written for my personal use but I have decided to share it out to anyone who may find it useful. Because this is a draft I make no guarantees about its accuracy or its readability.

If you would like to contribute to this pamphlet then wherever this document is published I will make an odt file available. If you have changes to make please edit your copy of the document, add a comment to the document where you have changed it explaining what you have done and e-mail it back to me.

p10541008@myemail.dmu.ac.uk

If you have any feedback then please contact me using that e-mail address and let me know your opinions. If it's positive you may be in serious danger of making my day.

License

The Little Book of Linux Networking by Steven Holdway is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales License.
