book

Linux Network Administrator's Guide, Second Edition

by Olaf Kirch, Terry Dawson

June 2000

Intermediate to advanced

512 pages

15h 18m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Linux Network Administrator’s Guide, 2nd Edition
Preface
Purpose and Audience for This Book
Sources of Information
Documentation Available via FTPDocumentation Available via WWWDocumentation Available CommerciallyLinux Journal and Linux MagazineLinuxUsenet NewsgroupsLinux Mailing ListsOnline Linux SupportLinux User GroupsObtaining Linux
File System Standards
Standard Linux Base
About This Book
The Official Printed Version
Overview
Conventions Used in This Book
Submitting Changes

Acknowledgments
The Hall of Fame
1. Introduction to Networking
History
TCP/IP Networks
Introduction to TCP/IP NetworksEthernetsOther Types of HardwareThe Internet ProtocolIP Over Serial LinesThe Transmission Control ProtocolThe User Datagram ProtocolMore on PortsThe Socket Library
UUCP Networks
Linux Networking
Different Streaks of DevelopmentWhere to Get the Code
Maintaining Your System
System Security
2. Issues of TCP/IP Networking
Networking Interfaces
IP Addresses
Address Resolution
IP Routing
IP NetworksSubnetworksGatewaysThe Routing TableMetric Values
The Internet Control Message Protocol
Resolving Host Names
3. Configuring the Networking Hardware
Kernel ConfigurationKernel Options in Linux 2.0 and HigherKernel Networking Options in Linux 2.0.0 and Higher
A Tour of Linux Network Devices
Ethernet Installation
Ethernet Autoprobing
The PLIP Driver
The PPP and SLIP Drivers
Other Network Types
4. Configuring the Serial Hardware
Communications Software for Modem Links
Introduction to Serial Devices
Accessing Serial Devices
The Serial Device Special Files
Serial Hardware
Using the Configuration Utilities
The setserial CommandThe stty Command
Serial Devices and the login: Prompt
Configuring the mgetty Daemon
5. Configuring TCP/IP Networking
Mounting the /proc Filesystem
Installing the Binaries
Setting the Hostname
Assigning IP Addresses
Creating Subnets
Writing hosts and networks Files
Interface Configuration for IP
The Loopback InterfaceEthernet InterfacesRouting Through a GatewayConfiguring a GatewayThe PLIP InterfaceThe SLIP and PPP InterfacesThe Dummy InterfaceIP Alias
All About ifconfig
The netstat Command
Displaying the Routing TableDisplaying Interface StatisticsDisplaying Connections
Checking the ARP Tables
6. Name Service and Resolver Configuration
The Resolver LibraryThe host.conf FileResolver environment variablesThe nsswitch.conf FileConfiguring Name Server Lookups Using resolv.confResolver Robustness
How DNS Works
Name Lookups with DNSTypes of Name ServersThe DNS DatabaseReverse Lookups
Running named
The named.boot FileThe BIND 8 host.conf FileThe DNS Database FilesCaching-only named ConfigurationWriting the Master FilesVerifying the Name Server SetupOther Useful Tools
7. Serial Line IP
General Requirements
SLIP Operation
Dealing with Private IP Networks
Using dip
A Sample ScriptA dip ReferenceThe modem commandsThe echo commandThe get commandThe print commandVariable namesThe if and goto commandssend, wait, and sleepmode and default
Running in Server Mode
8. The Point-to-Point Protocol
PPP on Linux
Running pppd
Using Options Files
Using chat to Automate Dialing
IP Configuration Options
Choosing IP AddressesRouting Through a PPP Link
Link Control Options
General Security Considerations
Authentication with PPP
PAP Versus CHAPThe CHAP Secrets FileThe PAP Secrets File
Debugging Your PPP Setup
More Advanced PPP Configurations
PPP ServerDemand DialingPersistent Dialing
9. TCP/IP Firewall
Methods of Attack
What Is a Firewall?
What Is IP Filtering?
Setting Up Linux for Firewalling
Kernel Configured with IP FirewallThe ipfwadm UtilityThe ipchains UtilityThe iptables Utility
Three Ways We Can Do Filtering
Original IP Firewall (2.0 Kernels)
Using ipfwadmA naïve exampleAn important refinementListing our rulesA More Complex ExampleSummary of ipfwadm ArgumentsCategoriesCommandsParametersOptional argumentsICMP datagram types
IP Firewall Chains (2.2 Kernels)
Using ipchainsipchains Command SyntaxCommandsRule specification parametersOptionsOur Naïve Example RevisitedListing Our Rules with ipchainsMaking Good Use of ChainsUser-defined chainsThe ipchains support scripts
Netfilter and IP Tables (2.4 Kernels)
Backward Compatability with ipfwadm and ipchainsUsing iptablesCommandsRule specification parametersOptionsExtensionsTCP Extensions: used with -m tcp -p tcpUDP Extensions: used with -m udp -p udpICMP Extensions: used with -m icmp -p icmpMAC Extensions: used with -m macOur Naïve Example Revisited, Yet Again
TOS Bit Manipulation
Setting the TOS Bits Using ipfwadm or ipchainsSetting the TOS Bits Using iptables
Testing a Firewall Configuration
A Sample Firewall Configuration
10. IP Accounting
Configuring the Kernel for IP Accounting
Configuring IP Accounting
Accounting by AddressAccounting by Service PortAccounting of ICMP DatagramsAccounting by Protocol
Using IP Accounting Results
Listing Accounting Data with ipfwadmListing Accounting Data with ipchainsListing Accounting Data with iptables
Resetting the Counters
Flushing the Ruleset
Passive Collection of Accounting Data
11. IP Masquerade and Network Address Translation
Side Effects and Fringe Benefits
Configuring the Kernel for IP Masquerade
Configuring IP Masquerade
Setting Timing Parameters for IP Masquerade
Handling Name Server Lookups
More About Network Address Translation
12. Important Network Features
The inetd Super Server
The tcpd Access Control Facility
The Services and Protocols Files
Remote Procedure Call
Configuring Remote Login and Execution
Disabling the r; CommandsInstalling and Configuring sshThe ssh daemonThe ssh clientUsing ssh
13. The Network Information System
Getting Acquainted with NIS
NIS Versus NIS+
The Client Side of NIS
Running an NIS Server
NIS Server Security
Setting Up an NIS Client with GNU libc
Choosing the Right Maps
Using the passwd and group Maps
Using NIS with Shadow Support
14. The Network File System
Preparing NFS
Mounting an NFS Volume
The NFS Daemons
The exports File
Kernel-Based NFSv2 Server Support
Kernel-Based NFSv3 Server Support
15. IPX and the NCP Filesystem
Xerox, Novell, and History
IPX and Linux
Caldera SupportMore on NDS Support
Configuring the Kernel for IPX and NCPFS
Configuring IPX Interfaces
Network Devices Supporting IPXIPX Interface Configuration ToolsThe ipx_configure CommandThe ipx_interface Command
Configuring an IPX Router
Static IPX Routing Using the ipx_route CommandInternal IPX Networks and Routing
Mounting a Remote NetWare Volume
A Simple ncpmount ExampleThe ncpmount Command in DetailHiding Your NetWare Login PasswordA More Complex ncpmount Example
Exploring Some of the Other IPX Tools
Server ListSend Messages to NetWare UsersBrowsing and Manipulating Bindery Data
Printing to a NetWare Print Queue
Using nprint with the Line Printer DaemonManaging Print Queues
NetWare Server Emulation
16. Managing Taylor UUCP
UUCP Transfers and Remote ExecutionThe Inner Workings of uucicouucico Command-line Options
UUCP Configuration Files
A Gentle Introduction to Taylor UUCPWhat UUCP Needs to KnowSite NamingTaylor Configuration FilesGeneral Configuration Options Using the config FileHow to Tell UUCP About Other Systems Using the sys FileSystem nameTelephone numberport and speedThe login chatAlternatesRestricting call timesIdentifying Available Devices Through the port FileHow to Dial a Number Using the dial FileUUCP Over TCPUsing a Direct Connection
Controlling Access to UUCP Features
Command ExecutionFile TransfersForwarding
Setting Up Your System for Dialing In
Providing UUCP AccountsProtecting Yourself Against SwindlersBe Paranoid: Call Sequence ChecksAnonymous UUCP
UUCP Low-Level Protocols
Protocol OverviewTuning the Transmission ProtocolSelecting Specific Protocols
Troubleshooting
uucico Keeps Saying “Wrong Time to Call”uucico Complains That the Site Is Already LockedYou Can Connect to the Remote Site, but the Chat Script FailsYour Modem Does Not DialYour Modem Tries to Dial but Doesn’t Get OutLogin Succeeds, but the Handshake Fails
Log Files and Debugging
17. Electronic Mail
What Is a Mail Message?
How Is Mail Delivered?
Email Addresses
RFC-822Obsolete Mail FormatsMixing Different Mail Formats
How Does Mail Routing Work?
Mail Routing on the InternetMail Routing in the UUCP WorldMixing UUCP and RFC-822
Configuring elm
Global elm OptionsNational Character Sets
18. Sendmail
Introduction to sendmail
Installing sendmail
Overview of Configuration Files
The sendmail.cf and sendmail.mc Files
Two Example sendmail.mc FilesTypically Used sendmail.mc ParametersCommentsVERSIONID and OSTYPEDOMAINFEATURELocal macro definitionsDefining mail transport protocolsConfigure mail routing for local hosts
Generating the sendmail.cf File
Interpreting and Writing Rewrite Rules
sendmail.cf R and S CommandsSome Useful Macro DefinitionsThe Lefthand SideThe Righthand SideA Simple Rule Pattern ExampleRuleset SemanticsInterpreting the rule in our example
Configuring sendmail Options
Some Useful sendmail Configurations
Trusting Users to Set the From: FieldManaging Mail AliasesUsing a Smart HostManaging Unwanted or Unsolicited Mail (Spam)The Real-time Blackhole ListThe access databaseBarring users from receiving mailConfiguring Virtual Email HostingAccepting mail for other domainsForwarding virtual-hosted mail to other destinations
Testing Your Configuration
Running sendmail
Tips and Tricks
Managing the Mail SpoolForcing a Remote Host to Process its Mail QueueAnalyzing Mail Statisticsmailstatshoststat
19. Getting Exim Up and Running
Running Exim
If Your Mail Doesn’t Get Through
Compiling Exim
Mail Delivery Modes
Miscellaneous config Options
Message Routing and Delivery
Routing MessagesDelivering Messages to Local AddressesLocal usersForwardingAlias FilesMailing Lists
Protecting Against Mail Spam
UUCP Setup
20. Netnews
Usenet History
What Is Usenet, Anyway?
How Does Usenet Handle News?
21. C News
Delivering News
Installation
The sys File
The active File
Article Batching
Expiring News
Miscellaneous Files
Control Messages
The cancel Messagenewgroup and rmgroupThe checkgroups Messagesendsys, version, and senduuname
C News in an NFS Environment
Maintenance Tools and Tasks
22. NNTP and the nntpd Daemon
The NNTP ProtocolConnecting to the News ServerPushing a News Article onto a ServerChanging to NNRP Reader ModeListing Available GroupsListing Active GroupsPosting an ArticleListing New ArticlesSelecting a Group on Which to OperateListing Articles in a GroupRetrieving an Article Header OnlyRetrieving an Article Body OnlyReading an Article from a Group
Installing the NNTP Server
Restricting NNTP Access
NNTP Authorization
nntpd Interaction with C News
23. Internet News
Some INN Internals
Newsreaders and INN
Installing INN
Configuring INN: the Basic Setup
INN Configuration Files
Global ParametersThe inn.conf fileConfiguring NewsgroupsThe active and newsgroups filesConfiguring NewsfeedsThe newsfeeds fileThe nntpsend.ctl fileControlling Newsreader AccessThe incoming.conf fileThe nnrp.access fileExpiring News ArticlesThe expire.ctl fileHandling Control MessagesThe control.ctl file
Running INN
Managing INN: The ctlinnd Command
Add a New GroupChange a GroupRemove a GroupRenumber a GroupAllow/Disallow NewsreadersReject Newsfeed ConnectionsAllow Newsfeed ConnectionsDisable News ServerRestart News ServerDisplay Status of a NewsfeedDrop a NewsfeedBegin a NewsfeedCancel an Article
24. Newsreader Configuration
tin Configuration
trn Configuration
nn Configuration
A. Example Network: The Virtual Brewery
Connecting the Virtual Subsidiary Network
B. Useful Cable Configurations
A PLIP Parallel Cable
A Serial NULL Modem Cable
C. Linux Network Administrator’s Guide, Second Edition Copyright Information
0. Preamble
1. Applicability and Definitions
2. Verbatim Copying
3. Copying in Quantity
4. Modifications
5. Combining Documents
6. Collections of Documents
7. Aggregation with Independent Works
8. Translation
9. Termination
10. Future Revisions of this License
D. SAGE: The System Administrators Guild
Index
Colophon

Content preview from Linux Network Administrator's Guide, Second Edition

General Security Considerations

A misconfigured PPP daemon can be a devastating security breach. It can be as bad as letting anyone plug their machine into your Ethernet (and that can be very bad). In this section, we discuss a few measures that should make your PPP configuration safe.

Note

Root privilege is required to configure the network device and routing table. You will usually solve this by running pppd setuid root. However, pppd allows users to set various security-relevant options.

To protect against any attacks a user may launch by manipulating pppd options, you should set a couple of default values in the global /etc/ppp/options file, like those shown in the sample file in Section 8.3,” earlier in this chapter. Some of them, such as the authentication options, cannot be overridden by the user, and thus provide reasonable protection against manipulations. An important option to protect is the connect option. If you intend to allow non-root users to invoke pppd to connect to the Internet, you should always add the connect and noauth options to the global options file /etc/ppp/options. If you fail to do this, users will be able to execute arbitrary commands with root privileges by specifying the command as their connect command on the pppd line or in their personal options file.

Another good idea is to restrict which users may execute pppd by creating a group in /etc/group and adding only those users who you wish to have the ability to execute the PPP daemon. You should ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Linux Network Administrator's Guide, 3rd Edition

Publisher Resources

ISBN: 1565924002Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Linux Network Administrator's Guide, Second Edition

by Olaf Kirch, Terry Dawson

General Security Considerations

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Linux Network Administrator's Guide, 3rd Edition

Mastering Linux Administration

Linux Foundation Certified System Administrator (LFCS)

Red Hat RHCSA 8 Cert Guide: EX200, 2nd Edition

Publisher Resources