TCPIP

TCP/IP is often used as a synonym for the infrastructure that the Internet uses. To access Internet you need for instance a Ethernet or a Wireless interface:

The command ifconfig shows its status and requires su privilege.

Actually there should be at least two interfaces:

eth0 is the Ethernet interface of your network card

lo is the local loopback, it is just software that lets programs talking to each other as would they be on different machines. Software that makes use of that is therefore easy to use over the net.

Sometimes it is difficult to know what device driver the kernel has used for TCP/IP. After having emerge ethtool type ethtool -i eth0 to know.

TCP/IP packets

Ethernet packet

The TCP/IP uses data packets (size a couple of hundred Bytes) that are transmitted, from the sender to the receiver. Usually Ethernet is used, however a well known alternative is WLAN. Sender and receiver have to be uniquely be identified, this is done by the 6 byte MAC address of the network cards.

Arp Address Resolution Protocol

MAC addresses are not directly used for TCP/IP, IP addresses are used. This allows to change hardware and therefore MAC addresses without notice. A IP address (IP4 4Byte) is assigned to the computers network interface (MAC Address 6 Byte).

The sender uses Ethernet the MAC address to address “a” receiver. However the sender normally does not put the MAC address of the final receiver in the data packet, since numerous Ethernet routers are probably between sender and receiver and the MAC address of the final receiver might be unknown. Therefore the sender uses often the MAC address of the next router.

The command arp -e shows the MAC addresses were the computers network interfaces send their data. arp -a shows the same but also the corresponding IP addresses.

Behind arp is a protocol that finds out those things. If a MAC address is unknown a broadcast Ethernet messages containing the IP Address of interest is sent.

Routers know that they need to do more work and send back their MAC address. They receive then packages to be forwarded.

The ARP table is not static. Entries are removed from the table when a time out expires.

Private networks

Not all all IP addresses are unique, those addresses for a private network and can not directly used with the Internet. Most home networks are such private networks using addresses from 192.168.0.0 to 192.168.255.255

Since IP addresses got rare also Internet provides assign to home router such private network addresses in the range of 10.0.0.0 to 10.255.255.255

An other public network uses 172.16.0.0 to 172.31.255.255

NAT (Network Address Translation) is used by routers to pass data from a private to the public Internet.

The router has a single public IP address (and hopefully not a private address of a bigger private network) and has many private IP addresses.

To work on the Internet the router must exchange the many private addresses with its single Internet address. The responses from the Internet arrive at the router and the router mus now pass it to the correct private address. For http traffic to manage this the router makes use of different port addresses than the standard 80. Port forwarding is an other method, the router can be configured that traffic to a port are forwarded to a private address.

TCP UDP

The next problems are:

  1. The sender wants to send more data than fits into a single package.

  2. The sender wants to send the data not just to a computer, it wants to address a running program (service, process).

Therefore 16 bit wide port numbers are introduced and the additional created data including the 16 bit sender and the 16 bit receiver port number is put into the IP packet. Port numbers and services are defined /etc/services. Observing this file will show UDP and TCP after the port number. If UDP data is stuffed into the IP packet then a UDP/IP packed is on the net and when TCP data is stuffed into the IP packed then a TCP/IP packet is on the net.

UDP/IP

UDP/IP is simpler and faster than TCP/IP and is mainly used when the required data fits into a Ethernet packet (minus IP and UDP overhead). There is always a possibility that a packet gets lost on the way to the receiver. UDP does not provide detection and recovery of such lost telegrams. If it is important that all packages arrive, then the service using this UDP port has to take care. e.g. Introduction of a protocol where the receiver has to send acknowledges.

TCP/IP

TCP/IP does all the missing things, it can split larges files in small packages and send them over the web and on the other side it puts all together and takes care about packages not arrived. Since it does all the magics, it is slower than UDP.

Clients and Servers

Communication between two computers is not just there up and running. One side has to initiate the communication (client) and the other one has to react (server). The protocols on top of TCP/IP (TCP/IP is a synonym because some protocols use UDP/IP) have a client part (e.g. Firefox web browser) and a server part (e.g. Web server Apache2). For a running service a client and a server program is required. Services can use single ports (as Telnet =23) or can use more than one port (as FTP 20 for the data transmission and 21 for the control). See /etc/services.

Where clients are often started by human beings sitting in front of the computers, servers mostly have to be started during the boot process. To not start all servers and use a lot of resources for just being ready, a Internet service daemon as xined can be installed. This daemon waits and starts the servers on request.

To see whats up type

netstat -a

IPv6

The explosion of Internet users around the world has caused a shortage on available IP addresses! This is one of the reason why your Internet provider probably wants some money for the static address that he would have to give to you permanently, and this is also a reason why the 4 Byte IPv4 runs out of addresses and IPv6 will introduced. IPv6 will not have 6 bytes, it will get 8 bytes since 6 means version 6. Having 8 byte should make it nearly impossible to run out of IP addresses again, since this results in billions of IP addresses per square millimeter on the surface of our planet.

IPv6 will be quite different, the first 4 bytes build a prefix and is provided by the Internet provider, the second 4 Bytes form a Device_ID, this allows to address individual devices directly from the Internet, no address translation by a router is required.http://[2001:0db8:00000:0000:08d3:8a2e:0070:7344]:8080/ is an example to address a web site using IPv6 on port 8080. An alternative to write the address is possible to skip preceding zeros: http://[2001:db8:::8d3:8a2e::7344]:8080/

To introduce IPv6 smoothly, IPv4 can run in parallel. The PC will run a IPv4 and IPv6 network stack in parallel.

Gentoo Linux has the ipv6 useflag to enable support for it.

Setting up the TCP/IP connection

This is done using the /etc/conf.d/net file. This file defines interfaces but also the modules used. It can therefore map modules to interfaces.

Example are:

  1. Various implementations of DHCP servers exist. So a specific DHCP server implementation can be mapped to a specific Ethernet interface.

  2. There are to implementations for the wireless operation: iwconfig and wpa_supplicant.

For laptops and other PC's that find themselves in various locations with and without Ethernet, WLAN, the package netplug (alternative is ifplugd) can be installed.

It is enough to emerge netplug, since this is handled by the net scripts of gentoo.

For Laptops it is probably better to use NetworkManager and its GUI front end for KDE KnetworkManager.

IP addresses and DHCP

IP addresses can be assigned statically, dynamically or randomly as by Zeroconf uses.

Dynamic IP addresses

Dynamically is more flexible however there must be a DHCP server on the network always be turned on and the attached devices must have a DHCP client configured. Luckily, in the age of RJ45 connections is is common to have a Ethernet router that can act as DHCP server, WLAN access point, and firewall toward the Internet.

The DHCP client has to search for the DHCP server to ask for a valid IP address. A DHCP client daemon that runs in background is dhcpcd.

Note emerge dhcpcd is recommended by gentoo.

Maybe you are not always attached to a network, dhcpd would the try to get an IP address and would be trying for a while before it gets up with an error message. To avoid this, you could us either a static address or make a shorter timeout. Set in /etc/conf.d/net

dhcpcd_eth0="-t  5"

This set the time to 5 seconds. The file /etc/conf.d/net is read by a script but the dhcpd client can more directly be configured using /etc/dhcpd.conf

As alternative, there is an other DHCP client available (the networkmanager uses this as default, but newer versions of it, have a useflag to select dhcpcd). To get this one

emerge dhcp. The configuration files are /etc/dhcp/dhcp.conf and /etc/dhcp/dhclient.conf.

Static DHCP

Some DHCP server support static DHCP, this is as DHCP but the MAC address of your PC is known and therefore the DHCP server assigns all the time the same IP address. This makes live easier when your PC acts as a server see:DNS (Domain Name System)

Static IP addresses

If you run a server than having different IP addresses would make the clients to fail. Therefore a fix IP addresses might be the simple way out.

Add the following two lines in netmask notation to /etc/conf.d/net

config_eth0=( "192.168.1.3 netmask 255.255.255.0" )
routes_eth0=( "default via 192.168.1.1" )

or in CIDR notation

config_eth0=( "192.168.1.3/24" )
routes_eth0=( "default via 192.168.1.1" )

The first line is the static address of the server PC and the second line is the gateway the device that connects your LAN to the Internet.

The above assumes the following configuration, check that your ADSL router has this address.

192.168.1.1 ADSL router is default gateway and DNS (link to Internet)

192.168.1.2 first computer

192.168.1.3 second computer

255.255.255.0 subnet mask

Zeroconf

DHCP is widely to connect devices to the network and access the Internet. Accessing such a device is has the issue of a IP Address assigned randomly.

To find out the IP Adresses without checking it on the computer itself or at the DCHP server Avahi http://avahi.org/ a free implementation of Zeroconf can be used.

Other names are Bonjour from Apple (or earlier rendezvous).

With Zeroconf a system name as raspberrypi.local can be taken instead its numeric IP address. .local is important since it is assumed that this is and stays inside the local network.

There is a server and a client involved to find the computers.

For Gentoo Linux checkhttps://wiki.gentoo.org/wiki/Avahi

rc-update add avahi-daemon default

rc-service avahi-daemon start

ping -c 3 <hostname>.local

Zeroconf usually tests and then picks unused IP-addresses between 169.254.1.0 and 169.254.254.255.

Test the IP addresses

I your web browser type in 192.168.1.1 as address and login to the ADSL router, to check the dhcp tables and the space for static addresses.

Remember to start as root, when it does not let you select an network interface.

When the dhcp client got successfully an IP address, then it overwrites the file /etc/resolv.conf. Therefore check the date of this file!

Sometimes you see something as : 192.168.0.0/24 and you wonder what is 24?

24 is the netmask 255.255.255.0 there are 8+8+8=24 bits in the subnet mask.

To see if a DHCP server is around emerge dhcping. To test if 192.168.1.1 has a alive DHCP server by providing your IP and MAC address, type

dhcping -c 192.168.1.3 -h 00:13:d4:f6:aa:9b -s 192.168.1.1

Got answer from: 192.168.1.1

DNS

Working with IP numbers might be good for the computer but are not that what a human being remembers easily, something as https://www.gentoo.org/ can easily be remembered. Additionally IP addresses can be dynamically assigned, so when you login on the Internet you probably get not the same IP address assigned from your Internet provider than before. In fact, if you always want to get the same IP address then you probably have to pay your Internet provider to get a static address.

Since IP addresses as well as domain names have to be unique on the network there assignments has to be coordinated and who is servers as below show who has reserved them: http://www.networksolutions.com/whois/index.jsp

The reservation of those names is coordinated by http://www.icann.org/.

Now what is needed is a big table that converts all IP numbers in text addresses. The table would be far too big and the access to slow, so the Domain Name System is the solution, you basically ask a computer that has a DNS server installed for the corresponding IP number of https://www.gentoo.org/. If this computer knows it, than it returns it to you, if not it will ask an alternative computer or your computer ask an alternative DNS server. Finally and hopefully you will get from somewhere the answer. The big table is therefore slitted allover the world wide net and gets updated by remembering requests.

Fine, but nobody will know the names of your computers and devices in your local area network (LAN). You probably have a Internet router (ADSL, or whatever) that gets a single IP address of your service provider. Your router is a DHCP server and assigns IP addresses as 192.168.1.30 to your first computer. Addresses in this range are not be sent over the Internet (Wide Area Network WAN). To avoid communicating via IP numbers to your LAN devices. There are two solutions:

  1. The /etc/hosts holds a list of computer names and their IP addresses. This is a fixed table and might get in conflict if your DHCP server in your router assigns different addresses. Fortunately many routers acting as DHCP servers allow Static DHCP, so always the same IP address is assigned to each MAC address known and therefore also the computer names have always the same IP addresses.

  2. The second solution sounds cleaner. One of your computers has to have a local DNS server. Unfortunately this is not that easy:

  1. This computer would have to run all the time.

  2. DHCP and DNS are not on the same machines (unfortunately Internet routers do not support DNS "yet"?). When DHCP assigns new numbers the DNS server would have to be noticed to update its DNS table.

Due to to the simplicity I recommend the first solution.

To test if name resolving works ping to a name:

ping -c 3 www.gentoo.org

If not successful check if /etc/resolv.conf (that gets updated via dhcpd server) holds something as

nameserver 192.168.1.1

This causes the computer to ask the ADSL router to help out resolving the names.

When having DHCP then the dhcpc client writes the /etc/resolv.conf, but when having static IP adresses you might have to put

dns_servers_eth0=( “192.168.1.1” )

in /etc/resolv.conf

To resolve the IP addresses there are 3 files involved /etc/host.conf that tells how, /etc/hosts that holds the LAN devices and /etc/resolv.conf that holds the DNS server IP addresses, the latter will be updated by the DHCP client.

A computer can be identified by

<computername>.<domain name>

where <domain name> can have multiple parts

<computername>.<first part>.<second part>

Dynamic DNS

Your Internet router gets an IP address assigned from your Internet provider. However you can not relay on the fact that this will be always the same (since you might have no static IP). If you want to have your computer being accessed from the outside you have to face that fact, that this IP addresses is unknown.

There is a way to have an URL (Uniform Resource Locator or URI Uniform Resource Identifier) without having a static IP address. This is called Dynamic DNS and it is highly probable that your Internet router supports it.

Using Dynamic DNS, each time your router gets a new address your router sends this new assigned IP address to a Dynamic DNS provider. A common protocol used for that. The Dynamic DNS provider updates and maintains a list containing your URL and your dynamically assigned IP address. If somebody types in your URL he will end up at your Dynamic DNS provider and will receive your newly assigned IP address. This explains why there are some restriction in the choice of URL names.

There are different Dynamic DNS provider:

  1. https://www.changeip.com/dns.php is free

  2. https://www.noip.com/remote-access has a free option that needs to be reactivated every 30 days

  3. http://dyn.com/remote-access/ that was once free, but now costs

OpenNIC

Since the assignments of names to IP addresses done by http://www.icann.org/ did not make everybody happy, alternatives have been created:

https://www.opennicproject.org/.

OpenNIC (NIC = Network Information Center) can be considered to be a parallel Internet, this makes obviously not everybody happy. Having OpenNIC installed you should find new url's as .oss, .geek, .ing, .free, .bbs, .gopher.

To test if it works, check https://www.opennicproject.org/ for some NIC DNS servers IP addresses. Then modify /etc/resolv.conf to have something as:

nameserver 85.126.4.170
nameserver 192.168.1.1

Do not restart you network, since this file would probably get rewritten, and the modification would be lost. Then try to open in a web server: http://www.opennic.glue or ping -c3 www.opennic.glue

OpenNIC and Static IP

Just add the OpenNIC nameservers to the nameservers in the /etc/conf.d/net

dns_servers_eth0=( “<ip from open nic> 192.168.1.1”) 

Now restart eth0

/etc/init.d/net.eth0 restart

OpenNIC and dhcp

Adding those name servers to /etc/resolv.conf and will not satisfy since they will be overwritten after next boot by dhcpcd.

However dhcpcd offers the feature to add the content of /etc/resolv.conf.head to /etc/resolv.conf :

echo "nameserver <ip from open nic>" >> /etc/resolv.conf.head

Then try to open in a web server:

http://www.opennic.glue/ or ping -c3 www.opennic.glue

Other but more complicated solutions would be emerge openresolve or even install a local nameserver as bind.

DNS name server

To get a DNS name server emerge bind.

https://wiki.gentoo.org/wiki/BIND

Network tools

There is a firefox plug-in HostIP.info that shows where IP addresses are.

nmap is a port and security scanner. nmap -A www.linurs.org or nmap 192.168.1.8 if ping is disabled then nmap -Pn <url>

netdiscover -r 192.168.1.0/24 to find IP and MAC addresses on the net

Networkmanager

Laptops are used in all kind of places, so networkmanager is probably the way to go https://wiki.archlinux.org/index.php/NetworkManager

Network manager uses gnome keyring to remember all the different passwords. If the keyring has an own password (not just using the login password) then this password must be entered. The keyring files might be deleted to restart collecting passwords from scratch.

When using network manager the gentoo scripts /etc/init.d/net.eth0 is no longer required and should be deactivated (otherwise too many managers create a mess):

rc-update del net.eth0 or rc-update del net.enp2s0

Network manager relies on a dhcp client. It takes per default dhcp. For Gentoo there is a useflag to get dhcpcd instead.

The following line makes sense to put into /etc/conf.d/net :

dhcpcd_eth0=-t 5”

This line makes that the start script gives up after 5 seconds to wait for a wired dhcp server.

If you want to stick with dhcp as dhcp client, emerge dhcp and check the configuration files: /etc/dhcp/dhcp.conf and /etc/dhcp/dhclient.conf.

After having made the choice of the dhcp client emerge networkmanager

Then start it: /etc/init.d/NetworkManager start

and rc-update add NetworkManager default

When the PC requests a IP address via DHCP and the environmental variable HOSTNAME is not set or is localhost then the DHCP server delivers an HOSTNAME that will not be changed by the hostname in /etc/config.d/hostname. To still define at PC level the host name it can be set in the /etc/dhcp/dhcpd.conf:

hostname athlon

Or if there is none or just an empty /etc/dhcp/dhcpd.conf it is better to avoid a redundant definitions and create a link:

ln -s /etc/config.d/hostname /etc/dhcp/dhcpd.conf

This works, however networkmanager is not the standard way for gentoo and has some conflicts with the boot scripts. In fact per default the boot scripts try to get an IP address via the dhcpcd ebuild (not the dhcp ebuild). If no cabled network is present they fail and networkmanager using dhcp takes place and probably finds the WLAN and is successful.

The drawback is that NetworkManager starts a connection after you have logged in. So it is not a tool for server applications.

cnetworkmanager

For console but also for troubleshoot emerge cnetworkmanager. To see what access points are around: cnetworkmanager -a

To connect depends on how the access point is configured, the following commends might be used:

cnetworkmanager -C<SSID> --wpa-pass=<password>

cnetworkmanager -C<SSID> --wpa-psk-hex=<hex password>

cnetworkmanager -C<SSID> --unprotect

nm-applet

For Gnome and LXDE do emerge nm-applet to get a gui.

For xfce4 emerge xfce4-xfapplet-plugin, so xfce4 can use the gnome nm-applet, then do emerge nm-applet. The nm-applet is not manually selectable. You must start it in the root console nm-applet, after that it should be saved with the session and come alive at next reboot. To be sure add it to the list of Application Autostart (Settings > Session and Startup)

Wicd

wicd is an alternative to networkmanager http://wicd.sourceforge.net/ (if you use kde set the wicd useflag), emerge wicd and start it as wicd-client

nftables

nftables (the successor of iptables) allows to manipulate network package content and is going to replace iptables

https://wiki.gentoo.org/wiki/Nftables

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

https://www.linode.com/docs/guides/how-to-use-nftables/

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-getting_started_with_nftables

nftables gets configured using tables. There tables contain and limit their configuration to one of the different address types/families

  • ip for IP4

  • ip6 for IP6

  • inet for both IP4 and IP6

  • arp, bridge, netdev

The tables are usually created by the script /etc/nftables.conf that calls the interpreter nft

The script syntax allows to define variables, comments, and include files

The kernel has 5 hook points (input, output, forward, prerouting and postrouting). https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks Packets appear on those hooks and then passed forward. Prerouting feeds input or forward. Postrouting gets packages from forward or output. For arp there are no prerouting, postrouting and forward hooks.

nftables allows adding chains to those hooks so packets appear pass the chain before they passed forward. Chains with named hooks are called base chains. So if more than one chain is added to the same hook point, then the priority number defines the sequence a package flows through the chains. There are just chain types filter, route, nat

Chains hold where they are hooked into the kernel, they have rules telling what to do with the package at the hook. Rules have an match expression and one or more action expression. The rules in the chains have also a priority number the lower the number then higher the priority. There are also standard priority names that can be used instead of numbers see man 8 nft.

The kernel must be configured to support nftables. nftables must be started. For systemd

sudo systemctl enable nftables

sudo systemctl start nftables

Working with nftables

sudo nft list ruleset to see all

To see what tables are there sudo nft list tables

sudo nft list table inet filter to see one (the default table)

inside the tables there are:

policy what to do as default with the package drop or accept

Working manually with nft

sudo nft add table inet <table name> to create a table

sudo nft add chain inet output-table output-filter-chain '{ type filter hook output priority 0; }' to create a chain

sudo nft add rule inet output-table output-filter-chain ip daddr 8.8.8.8 counter to create a rule that counts packages for the destination 8.8.8.8

sudo nft delete table inet <table name> to delete a table

nft using scripts

Instead of adding individual comments, edit the /etc/nftables.conf script or crate an other similar script.

Important

/etc/nftables.conf contains the line

flush ruleset

that wipes out all tables.

The common steps are

  • Edit the script

  • In case the work is in /etc/nftables.conf do sudo systemctl restart nftables

  • In case the work is in an other script start the script (and consider to crate a second script that deletes the tables previously created) sudo nft delete table inet <table name>

Counting packages

Counting packages should not do a lot of harm and is useful to see if the desired packages appear.

Create the following tables either manually using nft or via the nftables.conf script

There is also https://opensource.com/article/22/7/nftwatch-linux-firewall a python script that shows the counters

Counting packages sent to a destination

Create a script and start it

#!/usr/sbin/nft -f

add table output-table

table inet output-table {
        chain output-filter-chain {
                type filter hook output priority filter; policy accept;
                ip daddr 8.8.8.8 counter 
        }
}

Verify sudo nft list table inet output-table and observe the output

From the system running this nftable type ping -c3 8.8.8.8

redo sudo nft list table inet output-table and observe the output table inet output-table { chain output-filter-chain { type filter hook output priority filter; policy accept; ip daddr 8.8.8.8 counter packets 3 bytes 252 } }

sudo nft delete table inet output-table to remove the table

Counting incoming packages

The following assumes that the system running nftables has a web server listening to port 80

#!/usr/sbin/nft -f

add table input-table

table inet input-table {
        chain input-filter-chain {
                type filter hook input priority filter; policy accept;
                tcp dport 80 counter
        }
}

sudo nft list table inet input-table to verify

From an other computer open in a web browser the website of the system running nftables.

sudo nft list table inet input-table to verify that the package has arrived

sudo nft delete table inet input-table to remove the table

Count package from a source address

The following rule got used to count packages coming through a wireguard tunnel

#!/usr/sbin/nft -f

add table input-table

table ip input-table {
        chain input-filter-chain {
                type filter hook input priority filter; policy accept;
                ip saddr 192.168.10.26 counter
        }
}

sudo nft list table ip input-table

Logging

A rule can be added to a chain in a table to create logs in /var/log/messages use a filter (as ip destination address) to not bloat the log.

ip daddr 192.168.30.10 log prefix "nft.log " 

Routing

The kernel must know where to send packages and what interface to use.

route, ip route or netstat -rn show the kernels routing table and can manipulate it.

route -n show the numeric representation where 0.0.0.0 destination address of the default gateway. For most computers the output will simply have two lines

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 enp4s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp4s0

If the packages destination address is for the local network 192.168.1.x then send it out via Iface

If the packages destination address is not for the local network (covered by 0.0.0.0 and Genmask 0.0.0.0) then send it to the Gareway 192.168.1.1

Flags U means it is up and running and G means it is a gateway

Server configuration

It is recommended to have a static IP address for the server, so all others can add it to its /etc/hosts and can access the server using its name. The command hostname should pop up the name of the host that is defined in /etc/conf.d/hostname. Optionally a domainname giving your network a name might be desired that can be seen by typing domainname. To get a domain name add lines as follows to /etc/conf.d/net:

dns_domain_lo="<mynet>"
nis_domain_lo="<mynet>"

The network interface lo gets the domain assigned.


Linurs startpage