TCP/IP is often used as a synonym for the infrastructure that the Internet uses. To access Internet you need for instance a Ethernet or a Wireless interface:
The command ifconfig shows its status and requires su privilege.
Actually there should be at least two interfaces:
eth0 is the Ethernet interface of your network card
lo is the local loopback, it is just software that lets programs talking to each other as would they be on different machines. Software that makes use of that is therefore easy to use over the net.
Sometimes it is difficult to know what device driver the kernel has used for TCP/IP. After having emerge ethtool type ethtool -i eth0 to know.
The TCP/IP uses data packets (size a couple of hundred Bytes) that are transmitted, from the sender to the receiver. Usually Ethernet is used, however a well known alternative is WLAN. Sender and receiver have to be uniquely be identified, this is done by the 6 byte MAC address of the network cards.
MAC addresses are not directly used for TCP/IP, IP addresses are used. This allows to change hardware and therefore MAC addresses without notice. A IP address (IP4 4Byte) is assigned to the computers network interface (MAC Address 6 Byte).
The sender uses Ethernet the MAC address to address “a” receiver. However the sender normally does not put the MAC address of the final receiver in the data packet, since numerous Ethernet routers are probably between sender and receiver and the MAC address of the final receiver might be unknown. Therefore the sender uses often the MAC address of the next router.
The command arp -e shows the MAC addresses were the computers network interfaces send their data. arp -a shows the same but also the corresponding IP addresses.
Behind arp is a protocol that finds out those things. If a MAC address is unknown a broadcast Ethernet messages containing the IP Address of interest is sent.
Routers know that they need to do more work and send back their MAC address. They receive then packages to be forwarded.
The ARP table is not static. Entries are removed from the table when a time out expires.
Not all all IP addresses are unique, those addresses for a private network and can not directly used with the Internet. Most home networks are such private networks using addresses from 192.168.0.0 to 192.168.255.255
Since IP addresses got rare also Internet provides assign to home router such private network addresses in the range of 10.0.0.0 to 10.255.255.255
An other public network uses 172.16.0.0 to 172.31.255.255
NAT (Network Address Translation) is used by routers to pass data from a private to the public Internet.
The router has a single public IP address (and hopefully not a private address of a bigger private network) and has many private IP addresses.
To work on the Internet the router must exchange the many private addresses with its single Internet address. The responses from the Internet arrive at the router and the router mus now pass it to the correct private address. For http traffic to manage this the router makes use of different port addresses than the standard 80. Port forwarding is an other method, the router can be configured that traffic to a port are forwarded to a private address.
The next problems are:
The sender wants to send more data than fits into a single package.
The sender wants to send the data not just to a computer, it wants to address a running program (service, process).
Therefore 16 bit wide port numbers are introduced and the additional created data including the 16
bit sender and the 16 bit receiver port number is put into the IP packet. Port numbers and services are
defined /etc/services
. Observing this file will show UDP and TCP
after the port number. If UDP data is stuffed into the IP packet then a UDP/IP packed is on the net
and when TCP data is stuffed into the IP packed then a TCP/IP packet is on the net.
UDP/IP is simpler and faster than TCP/IP and is mainly used when the required data fits into a Ethernet packet (minus IP and UDP overhead). There is always a possibility that a packet gets lost on the way to the receiver. UDP does not provide detection and recovery of such lost telegrams. If it is important that all packages arrive, then the service using this UDP port has to take care. e.g. Introduction of a protocol where the receiver has to send acknowledges.
Communication between two computers is not just there up and running. One side has to initiate
the communication (client) and the other one has to react (server). The protocols on top of TCP/IP
(TCP/IP is a synonym because some protocols use UDP/IP) have a client part (e.g. Firefox web browser)
and a server part (e.g. Web server Apache2). For a running service a client and
a server program is required. Services can use single ports (as Telnet =23) or can use more than one port
(as FTP 20 for the data transmission and 21 for the control). See /etc/services
.
Where clients are often started by human beings sitting in front of the computers, servers mostly have to be started during the boot process. To not start all servers and use a lot of resources for just being ready, a Internet service daemon as xined can be installed. This daemon waits and starts the servers on request.
To see whats up type
netstat -a
The explosion of Internet users around the world has caused a shortage on available IP addresses! This is one of the reason why your Internet provider probably wants some money for the static address that he would have to give to you permanently, and this is also a reason why the 4 Byte IPv4 runs out of addresses and IPv6 will introduced. IPv6 will not have 6 bytes, it will get 8 bytes since 6 means version 6. Having 8 byte should make it nearly impossible to run out of IP addresses again, since this results in billions of IP addresses per square millimeter on the surface of our planet.
IPv6 will be quite different, the first 4 bytes build a prefix and is provided by the Internet provider, the second 4 Bytes form a Device_ID, this allows to address individual devices directly from the Internet, no address translation by a router is required.http://[2001:0db8:00000:0000:08d3:8a2e:0070:7344]:8080/ is an example to address a web site using IPv6 on port 8080. An alternative to write the address is possible to skip preceding zeros: http://[2001:db8:::8d3:8a2e::7344]:8080/
To introduce IPv6 smoothly, IPv4 can run in parallel. The PC will run a IPv4 and IPv6 network stack in parallel.
Gentoo Linux has the ipv6 useflag to enable support for it.
This is done using the /etc/conf.d/net
file. This file
defines interfaces but also the modules used. It can therefore map modules to interfaces.
Example are:
Various implementations of DHCP servers exist. So a specific DHCP server implementation can be mapped to a specific Ethernet interface.
There are to implementations for the wireless operation: iwconfig and wpa_supplicant.
For laptops and other PC's that find themselves in various locations with and without Ethernet, WLAN, the package netplug (alternative is ifplugd) can be installed.
It is enough to emerge netplug, since this is handled by the net scripts of gentoo.
For Laptops it is probably better to use NetworkManager and its GUI front end for KDE KnetworkManager.
IP addresses can be assigned statically, dynamically or randomly as by Zeroconf uses.
Dynamically is more flexible however there must be a DHCP server on the network always be turned on and the attached devices must have a DHCP client configured. Luckily, in the age of RJ45 connections is is common to have a Ethernet router that can act as DHCP server, WLAN access point, and firewall toward the Internet.
The DHCP client has to search for the DHCP server to ask for a valid IP address. A DHCP client daemon that runs in background is dhcpcd.
Note emerge dhcpcd is recommended by gentoo.
Maybe you are not always attached to a network, dhcpd would the try to get an IP address and
would be trying for a while before it gets up with an error message. To avoid this, you could us
either a static address or make a shorter timeout. Set in /etc/conf.d/net
dhcpcd_eth0="-t 5"
This set the time to 5 seconds. The file /etc/conf.d/net
is read by a script but the dhcpd client can more directly be configured using
/etc/dhcpd.conf
As alternative, there is an other DHCP client available (the networkmanager uses this as default, but newer versions of it, have a useflag to select dhcpcd). To get this one
emerge dhcp. The configuration files are /etc/dhcp/dhcp.conf
and /etc/dhcp/dhclient.conf
.
Some DHCP server support static DHCP, this is as DHCP but the MAC address of your PC is known and therefore the DHCP server assigns all the time the same IP address. This makes live easier when your PC acts as a server see:DNS (Domain Name System)
If you run a server than having different IP addresses would make the clients to fail. Therefore a fix IP addresses might be the simple way out.
Add the following two lines in netmask notation to /etc/conf.d/net
config_eth0=( "192.168.1.3 netmask 255.255.255.0" ) routes_eth0=( "default via 192.168.1.1" )
or in CIDR notation
config_eth0=( "192.168.1.3/24" ) routes_eth0=( "default via 192.168.1.1" )
The first line is the static address of the server PC and the second line is the gateway the device that connects your LAN to the Internet.
The above assumes the following configuration, check that your ADSL router has this address.
192.168.1.1 ADSL router is default gateway and DNS (link to Internet)
192.168.1.2 first computer
192.168.1.3 second computer
255.255.255.0 subnet mask
DHCP is widely to connect devices to the network and access the Internet. Accessing such a device is has the issue of a IP Address assigned randomly.
To find out the IP Adresses without checking it on the computer itself or at the DCHP server Avahi http://avahi.org/ a free implementation of Zeroconf can be used.
Other names are Bonjour from Apple (or earlier rendezvous).
With Zeroconf a system name as raspberrypi.local can be taken instead its numeric IP address. .local is important since it is assumed that this is and stays inside the local network.
There is a server and a client involved to find the computers.
For Gentoo Linux checkhttps://wiki.gentoo.org/wiki/Avahi
rc-update add avahi-daemon default
rc-service avahi-daemon start
ping -c 3 <hostname>
.local
Zeroconf usually tests and then picks unused IP-addresses between 169.254.1.0 and 169.254.254.255.
I your web browser type in 192.168.1.1 as address and login to the ADSL router, to check the dhcp tables and the space for static addresses.
Remember to start as root, when it does not let you select an network interface.
When the dhcp client got successfully an IP address, then it overwrites the file
/etc/resolv.conf
. Therefore check the date of this file!
Sometimes you see something as : 192.168.0.0/24 and you wonder what is 24?
24 is the netmask 255.255.255.0 there are 8+8+8=24 bits in the subnet mask.
To see if a DHCP server is around emerge dhcping. To test if 192.168.1.1 has a alive DHCP server by providing your IP and MAC address, type
dhcping -c 192.168.1.3 -h 00:13:d4:f6:aa:9b -s 192.168.1.1
Got answer from: 192.168.1.1
Working with IP numbers might be good for the computer but are not that what a human being remembers easily, something as https://www.gentoo.org/ can easily be remembered. Additionally IP addresses can be dynamically assigned, so when you login on the Internet you probably get not the same IP address assigned from your Internet provider than before. In fact, if you always want to get the same IP address then you probably have to pay your Internet provider to get a static address.
Since IP addresses as well as domain names have to be unique on the network there assignments has to be coordinated and who is servers as below show who has reserved them: http://www.networksolutions.com/whois/index.jsp
The reservation of those names is coordinated by http://www.icann.org/.
Now what is needed is a big table that converts all IP numbers in text addresses. The table would be far too big and the access to slow, so the Domain Name System is the solution, you basically ask a computer that has a DNS server installed for the corresponding IP number of https://www.gentoo.org/. If this computer knows it, than it returns it to you, if not it will ask an alternative computer or your computer ask an alternative DNS server. Finally and hopefully you will get from somewhere the answer. The big table is therefore slitted allover the world wide net and gets updated by remembering requests.
Fine, but nobody will know the names of your computers and devices in your local area network (LAN). You probably have a Internet router (ADSL, or whatever) that gets a single IP address of your service provider. Your router is a DHCP server and assigns IP addresses as 192.168.1.30 to your first computer. Addresses in this range are not be sent over the Internet (Wide Area Network WAN). To avoid communicating via IP numbers to your LAN devices. There are two solutions:
The /etc/hosts
holds a list of computer names and their IP
addresses. This is a fixed table and might get in conflict if your DHCP server in your router assigns
different addresses. Fortunately many routers acting as DHCP servers allow Static DHCP, so always the same IP address is assigned to each MAC address known and
therefore also the computer names have always the same IP addresses.
The second solution sounds cleaner. One of your computers has to have a local DNS server. Unfortunately this is not that easy:
This computer would have to run all the time.
DHCP and DNS are not on the same machines (unfortunately Internet routers do not support DNS "yet"?). When DHCP assigns new numbers the DNS server would have to be noticed to update its DNS table.
Due to to the simplicity I recommend the first solution.
To test if name resolving works ping to a name:
ping -c 3 www.gentoo.org
If not successful check if /etc/resolv.conf
(that gets
updated via dhcpd server) holds something as
nameserver 192.168.1.1
This causes the computer to ask the ADSL router to help out resolving the names.
When having DHCP then the dhcpc client writes the /etc/resolv.conf
, but when having static IP adresses you might have to put
dns_servers_eth0=( “192.168.1.1” )
in /etc/resolv.conf
To resolve the IP addresses there are 3 files involved /etc/host.conf
that tells how, /etc/hosts
that holds the LAN
devices and /etc/resolv.conf
that holds the DNS server IP
addresses, the latter will be updated by the DHCP client.
A computer can be identified by
<computername>
.<domain name>
where <domain name>
can have multiple parts
<computername>
.<first part>
.<second part>
Your Internet router gets an IP address assigned from your Internet provider. However you can not relay on the fact that this will be always the same (since you might have no static IP). If you want to have your computer being accessed from the outside you have to face that fact, that this IP addresses is unknown.
There is a way to have an URL (Uniform Resource Locator or URI Uniform Resource Identifier) without having a static IP address. This is called Dynamic DNS and it is highly probable that your Internet router supports it.
Using Dynamic DNS, each time your router gets a new address your router sends this new assigned IP address to a Dynamic DNS provider. A common protocol used for that. The Dynamic DNS provider updates and maintains a list containing your URL and your dynamically assigned IP address. If somebody types in your URL he will end up at your Dynamic DNS provider and will receive your newly assigned IP address. This explains why there are some restriction in the choice of URL names.
There are different Dynamic DNS provider:
https://www.changeip.com/dns.php is free
https://www.noip.com/remote-access has a free option that needs to be reactivated every 30 days
http://dyn.com/remote-access/ that was once free, but now costs
Since the assignments of names to IP addresses done by http://www.icann.org/ did not make everybody happy, alternatives have been created:
https://www.opennicproject.org/.
OpenNIC (NIC = Network Information Center) can be considered to be a parallel Internet, this makes obviously not everybody happy. Having OpenNIC installed you should find new url's as .oss, .geek, .ing, .free, .bbs, .gopher.
To test if it works, check
https://www.opennicproject.org/ for
some NIC DNS servers IP addresses. Then modify /etc/resolv.conf
to have something as:
nameserver 85.126.4.170 nameserver 192.168.1.1
Do not restart you network, since this file would probably get rewritten, and the modification would be lost. Then try to open in a web server: http://www.opennic.glue or ping -c3 www.opennic.glue
Just add the OpenNIC nameservers to the nameservers in the /etc/conf.d/net
dns_servers_eth0=( “<ip from open nic>
192.168.1.1”)
Now restart eth0
/etc/init.d/net.eth0 restart
Adding those name servers to /etc/resolv.conf
and will
not satisfy since they will be overwritten after next boot by dhcpcd.
However dhcpcd offers the feature to add the content of /etc/resolv.conf.head
to /etc/resolv.conf
:
echo "nameserver <ip from open nic>
" >> /etc/resolv.conf.head
Then try to open in a web server:
http://www.opennic.glue/ or ping -c3 www.opennic.glue
Other but more complicated solutions would be emerge openresolve or even install a local nameserver as bind.
There is a firefox plug-in HostIP.info that shows where IP addresses are.
nmap is a port and security scanner. nmap -A www.linurs.org or nmap 192.168.1.8 if ping is disabled then nmap -Pn <url>
Or to see if a wireguard port is there nmap -Pn -p 51820 -sU <ip address or url>
netdiscover -r 192.168.1.0/24 to find IP and MAC addresses on the net
https://curl.se/ is a command line tool to interact with Internet things. In the past telnet could be used but telnet has its limits as when it comes to TLS
To download a file via https:
curl https://www.linurs.org
To download a file using ftp:
curl -u <username>
:<password>
ftp://141.hosttech.eu/httpdocs/index.html
Laptops are used in all kind of places, so networkmanager is probably the way to go https://wiki.archlinux.org/index.php/NetworkManager
Network manager uses gnome keyring to remember all the different passwords. If the keyring has an own password (not just using the login password) then this password must be entered. The keyring files might be deleted to restart collecting passwords from scratch.
When using network manager the gentoo scripts /etc/init.d/net.eth0
is no longer required and should be deactivated (otherwise too many managers create a mess):
rc-update del net.eth0 or rc-update del net.enp2s0
Network manager relies on a dhcp client. It takes per default dhcp. For Gentoo there is a useflag to get dhcpcd instead.
The following line makes sense to put into /etc/conf.d/net
:
dhcpcd_eth0=-t 5”
This line makes that the start script gives up after 5 seconds to wait for a wired dhcp server.
If you want to stick with dhcp as dhcp client, emerge dhcp and check the configuration files:
/etc/dhcp/dhcp.conf
and /etc/dhcp/dhclient.conf
.
After having made the choice of the dhcp client emerge networkmanager
Then start it: /etc/init.d/NetworkManager start
and rc-update add NetworkManager default
When the PC requests a IP address via DHCP and the environmental variable HOSTNAME is not set or
is localhost then the DHCP server delivers an HOSTNAME that will not be changed by the hostname in
/etc/config.d/hostname. To still define at PC level the host name it can be set in the
/etc/dhcp/dhcpd.conf
:
hostname athlon
Or if there is none or just an empty /etc/dhcp/dhcpd.conf
it is better to avoid a redundant definitions and create a link:
ln -s /etc/config.d/hostname /etc/dhcp/dhcpd.conf
This works, however networkmanager is not the standard way for gentoo and has some conflicts with the boot scripts. In fact per default the boot scripts try to get an IP address via the dhcpcd ebuild (not the dhcp ebuild). If no cabled network is present they fail and networkmanager using dhcp takes place and probably finds the WLAN and is successful.
The drawback is that NetworkManager starts a connection after you have logged in. So it is not a tool for server applications.
For console but also for troubleshoot emerge cnetworkmanager. To see what access points are around: cnetworkmanager -a
To connect depends on how the access point is configured, the following commends might be used:
cnetworkmanager -C<SSID>
--wpa-pass=<password>
cnetworkmanager -C<SSID>
--wpa-psk-hex=<hex password>
cnetworkmanager -C<SSID>
--unprotect
For Gnome and LXDE do emerge nm-applet to get a gui.
For xfce4 emerge xfce4-xfapplet-plugin, so xfce4 can use the gnome nm-applet, then do emerge nm-applet. The nm-applet is not manually selectable. You must start it in the root console nm-applet, after that it should be saved with the session and come alive at next reboot. To be sure add it to the list of Application Autostart (Settings > Session and Startup)
wicd is an alternative to networkmanager http://wicd.sourceforge.net/ (if you use kde set the wicd useflag), emerge wicd and start it as wicd-client
nftables (the successor of iptables) allows to manipulate network package content and is going to replace iptables
https://wiki.gentoo.org/wiki/Nftables
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
https://www.linode.com/docs/guides/how-to-use-nftables/
nftables gets configured using tables. There tables contain and limit their configuration to one of the different address types/families
ip for IP4
ip6 for IP6
inet for both IP4 and IP6
arp, bridge, netdev
The tables are usually created by the script /etc/nftables.conf that calls the interpreter nft
The script syntax allows to define variables, comments, and include files
The kernel has 5 hook points (input, output, forward, prerouting and postrouting). https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks Packets appear on those hooks and then passed forward. Prerouting feeds input or forward. Postrouting gets packages from forward or output. For arp there are no prerouting, postrouting and forward hooks.
nftables allows adding chains to those hooks so packets appear pass the chain before they passed forward. Chains with named hooks are called base chains. So if more than one chain is added to the same hook point, then the priority number defines the sequence a package flows through the chains. There are just chain types filter, route, nat
Chains hold where they are hooked into the kernel, they have rules telling what to do with the package at the hook. Rules have an match expression and one or more action expression. The rules in the chains have also a priority number the lower the number then higher the priority. There are also standard priority names that can be used instead of numbers see man 8 nft.
The kernel must be configured to support nftables. nftables must be started. For systemd
sudo systemctl enable nftables
sudo systemctl start nftables
sudo nft list ruleset to see all
To see what tables are there sudo nft list tables
sudo nft list table inet filter to see one (the default table)
inside the tables there are:
policy what to do as default with the package drop or accept
sudo nft add table inet <table name>
to create a table
sudo nft add chain inet output-table output-filter-chain '{ type filter hook output priority 0; }' to create a chain
sudo nft add rule inet output-table output-filter-chain ip daddr 8.8.8.8 counter to create a rule that counts packages for the destination 8.8.8.8
sudo nft delete table inet <table name>
to delete a table
Instead of adding individual comments, edit the /etc/nftables.conf
script or crate an other similar script.
/etc/nftables.conf
contains the line
flush ruleset
that wipes out all tables.
The common steps are
Edit the script
In case the work is in /etc/nftables.conf
do sudo systemctl restart nftables
In case the work is in an other script start the script (and consider to crate a second script that deletes the tables previously created) sudo nft delete table inet <table name>
Counting packages should not do a lot of harm and is useful to see if the desired packages appear.
Create the following tables either manually using nft or via the nftables.conf script
There is also https://opensource.com/article/22/7/nftwatch-linux-firewall a python script that shows the counters
Create a script and start it
#!/usr/sbin/nft -f add table output-table table inet output-table { chain output-filter-chain { type filter hook output priority filter; policy accept; ip daddr 8.8.8.8 counter } }
Verify sudo nft list table inet output-table and observe the output
From the system running this nftable type ping -c3 8.8.8.8
redo sudo nft list table inet output-table and observe the output table inet output-table { chain output-filter-chain { type filter hook output priority filter; policy accept; ip daddr 8.8.8.8 counter packets 3 bytes 252 } }
sudo nft delete table inet output-table to remove the table
The following assumes that the system running nftables has a web server listening to port 80
#!/usr/sbin/nft -f add table input-table table inet input-table { chain input-filter-chain { type filter hook input priority filter; policy accept; tcp dport 80 counter } }
sudo nft list table inet input-table to verify
From an other computer open in a web browser the website of the system running nftables.
sudo nft list table inet input-table to verify that the package has arrived
sudo nft delete table inet input-table to remove the table
The following rule got used to count packages coming through a wireguard tunnel
#!/usr/sbin/nft -f add table input-table table ip input-table { chain input-filter-chain { type filter hook input priority filter; policy accept; ip saddr 192.168.10.26 counter } }
sudo nft list table ip input-table
The kernel must know where to send packages and what interface to use.
route, ip route or netstat -rn show the kernels routing table and can manipulate it.
route -n show the numeric representation where 0.0.0.0 destination address of the default gateway. For most computers the output will simply have two lines
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.1.1 0.0.0.0 UG 2 0 0 enp4s0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp4s0
If the packages destination address is for the local network 192.168.1.x then send it out via Iface
If the packages destination address is not for the local network (covered by 0.0.0.0 and Genmask 0.0.0.0) then send it to the Gareway 192.168.1.1
Flags U means it is up and running and G means it is a gateway
It is recommended to have a static IP address for the server, so all others can add it to
its /etc/hosts
and can access the server using its name. The
command hostname should pop up the name of the host that is defined in /etc/conf.d/hostname
. Optionally a domainname giving your network a name might be desired
that can be seen by typing domainname. To get a domain name add lines as follows to
/etc/conf.d/net
:
dns_domain_lo="<mynet>
" nis_domain_lo="<mynet>
"
The network interface lo gets the domain assigned.