note/linux-network-stack-config

Linux Network Stack Configurations

WIP

Interfaces

ip link show
ip link set <DEVICE> mtu 1145
ip link set <DEVICE> up | down

Virtual interfaces

Bridges

Bridges are Linux's virtual Ethernet swtiches. It forwards Ethernet frames between bridged interfaces and thus extends the broadcast area.

ip link add <NAME> type bridge
ip link set <DEVICE> master <BRIDGE_DEVICE>
ip link set <DEVICE> nomaster
bridge link

VLAN

ip link add <NAME> type vlan link <DEVICE> id <VLANID>
ip -d link show <NAME>

GRE

ip link add gre0 type gre remote 10.0.1.1 local 10.0.2.1
ip link set gre0 up mtu 1476

Wireless daemons

WiFi adapters are different with Ethernet adapters. You need to regularly scan for available APs and authenticate to them before you can access the link layer. So besides drivers, there are wireless daemons.

wpa_supplicant

ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
network={
  ssid="WiFi SSID"
  key_mgmt=WPA-PSK
  # wpa_passphrase "WiFi SSID" "w1f1p@55w0rd"
  psk=3f6e90ac90ef8000cd1898a863909060b7642c29e1d5b977ea37af1bf361427f
}

User in the specified group can access the control interface using wpa_cli. Some basic commands:

  • list_networks: List networks in configuration.
  • scan: Scan for available APs.
  • scan_results
  • disable_network <id>
  • enable_network <id>
  • select_network <id>: Disable all other networks except this one.

It's possible to add networks dynamically using add_network, identity and password, but it's not persistent.

Routing tables

ip route show
ip route add | del | show <PREFIX> via <NEXTHOP_ADDRESS> [dev <DEVICE>] [proto <RTPROTO>]
ip route get <ADDRESS>
ip route add 10.0.1.0/24 via 192.168.1.1 dev wlan0
ip route add default via 192.168.1.1 dev wlan0
ip -6 route add default via fe80::123:4567:89ab:cdef dev wlan0
ip route add 10.0.2.0/24 via inet6 fe80::123:4567:89ab:cdef dev wlan0

Routes to a longer PREFIX have higher priority. Routes with smaller METRIC have higher priority. Default metric is 0 for IPv4 routes, 1024 for IPv6 routes. Two routes to the same PREFIX with the same METRIC cannot be both added.

RTPROTO for routes added with ip route is 3 (boot) by default. RTPROTO is useful to identify from which program the route is added. Besides numbers, you can also use symbols defined in /etc/iproutes2/rt_protos.

Multiple tables

ip route add <SELECTOR> <NEXTHOP> table <TABLE>
ip route show table all

ip route shows routes in table 254 (main) by default.

Routing policy

ip rule add <PREFIX> | fwmark <FWMARK> table <TABLE>

VRF

netns

Firewall

Linux kernel has a powerful firewall called netfilter. It can not only filter the traffic, but also alter packets, at both L3 and L4. Netfilter can be controlled using either iptables or nftables.

graph LR
ingress --PREROUTING--> r1{R}
subgraph r[Routing decision]
r1 --FORWARD--> r2{R}
end
r2 --POSTROUTING --> egress
r1 --INPUT--> processes
processes --OUTPUT--> r2

This graph shows the packet flow paths in Linux. Netfilter adds hooks (UPPERCASE words on the graph) on the flow. The corresponding chain gets called when a packet pass through the hooks.

iptables

A iptables rule consists of a match pattern and what to do with packets matched (so called target).

A iptables chain is a set of rules. Built-in chains, similar to the main function in C, are directly called when a packet pass through the hooks. User-defined chains, just like custom functions in programming languages, must be called in built-in chains to function. Rules in a chain is executed in order. Some targets, like ACCEPT, REJECT, DROP

iptables -A INPUT -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.1.0/24 -j ACCEPT
iptables -D INPUT -s 10.0.1.0/24 -j ACCEPT
iptables -I 1 INPUT -s 10.0.1.0/24 -j REJECT
iptables -A INPUT -j DROP
iptables -vL --line-numbers

The graph above is over simplified for explaining tables in iptables. This picture from Wikipedia is more detailed on that. Netfilter subdivides a hook into multiple hooks with different purposes and categorizes them into tables. F. e. the default table filter has INPUT, FORWARD and OUTPUT chains. Both nat and mangle has POSTROUTING chain, but only the one in nat table can utilize MASQUERADE or SNAT targets to perform Network Address Translation.

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

Iptables has built with many extensions (man:iptables-extensions). We have already met the conntrack match extension, MASQURADE and SNAT target extension.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -s 10.0.3.0/24 -j LOG --log-prefix "Logged packet: "
iptables -t mangle -A OUTPUT -m owner --uid-owner user1 -j MARK --set-mark 0x1111

iptables is for configuring IPv4 firewall. For IPv6 firewall, use ip6tables. Netfilter state is in memory and losses after reboot. Use iptables-persistent to save and restore it.

DHCP

Dhclient is the reference DHCP client implementation made by ISC. Dhcpcd is the most used one. Dhcpcd has a lot of features, but the defaults just work for most use cases.

dhcpcd --allowinterfaces eth0 wlan0

Dhcpcd allows user to run shell script hooks on events. See man:dhcpcd-run-hooks(8).

The two most used DHCP server implementations are the reference implementation from ISC, dhcpd, and despite the name, dnsmasq. This is an example dhcpd config:

subnet 192.168.1.0 netmask 255.255.255.0 {
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
  option broadcast-address 192.168.1.255;
  range 192.168.1.100 192.168.1.200;
  option interface-mtu 1492;
}

DHCPv6

Though there is SLAAC in IPv6, DHCPv6 is still useful in IPv6 Prefix Delegations.

# /etc/dhcpcd.conf
ipv6only
interface ppp0
  ia_na 1  # Request an IPv6 address
  ia_pd 2 eth1/0  # Request a PD and assign it to eth1

SLAAC

Linux kernel itself can accept Router Advertisement and perform SLAAC. When net.ipv6.conf.<INTERFACE>.accept_ra = 1 (default) and net.ipv6.conf.<INTERFACE>.forwarding = 0 (default), kernel accepts RA on this INTERFACE. When net.ipv6.conf.<INTERFACE>.accept_ra = 2, kernel accepts RA on the INTERFACE regardless of the forwarding setting.

Dhcpcd, despite its name, can also handle SLAAC by default. You can turn it off using the ipv6ra_noautoconf option.

The most used Router Advertisement server on Linux is radvd.

# /etc/radvd.conf
interface enp4s0 {
  AdvSendAdvert on;
  AdvLinkMTU 1492;
  prefix ::/64 {
    AdvOnLink on;
    AdvAutonomous on;
    AdvRouterAddr on;
  };
};

DNS

DNS isn't handled by system (Or you can say there is no clear definition of "system" on Linux distros). It's instead handled by libc. Libc gets DNS settings from /etc/resolv.conf. The most important setting in this file is nameserver, which specifies where to send DNS queries.

# /etc/resolv.conf
nameserver 114.114.114.114

Routers may announce DNS resolvers through DHCP. So DHCP clients need a way to dynamically update /etc/resolv.conf. Dhcpcd utilizes resolvconf to do that. If you find your /etc/resolv.conf settings constantly get overrided (with comment # Generated by resolvconf), you may want to change /etc/resolvconf.conf instead of /etc/resolv.conf.

# /etc/resolvconf.conf
name_server='114.114.114.114'

A common practice for more complex DNS configurations is to run a local DNS recursive server, aka. resolver, and set /etc/resolv.conf to use the local resolver. Dnsmasq may be the easiest among them, its configuration looks like this:

server=114.114.114.114  # Default server, note that dnsmasq also reads /etc/resolv.conf
server=/example.org/1.1.1.1  # Zone specific server

BIND is a general DNS server, but it can also be used as a resolver. Check man:named.conf(5) for more. Systemd-resolved is the resolver ships with systemd, with many advanced features, such as DNS-over-TLS. See man:resolvd.conf(5) for more about it.

Network managers

Network managers utilizes tools above and provide a UI so users can manage their configurations in one place. There are lightweight network managers that many distros ship and use by default, such as ifupdown (Debian), ifcfg (Fedora), netctl (Arch Linux). Feature rich network manager, for example systemd-networkd, NetworkManager and ConnMan, can handle more functions, e.g. VPN, wireless daemons. Many GNU/Linux Desktop Environments has support for interacting with NetworkManager and ConnMan.

ifupdown

/etc/network/interfaces

ifcfg

netctl

systemd-networkd

networkctl

NetworkManager

nmcli, nmtui

ConnMan

connmanctl

About Me