slides - Department of Computing and Software

Linux Basics
Reading:
• Chap 1-2 [WFR05]
• Linux Command Manual

About Linux
• Linux is the name of the kernel
• Linux is Open Source Software (OSS)
• Linux is licensed under the General Public License (version 2, aka GPL2)
  – The right to redistribute is granted only if the distribution is licensed under the terms of the GPL and either includes, or unconditionally offers to include at the moment of distribution, the source code
• The Linux kernel by itself can serve as a firewall, router, access point, and even a static web page server
• Typically, Linux is packaged with a great number of applications and utilities, also OSS
Components of a Linux System
• Kernel (can be monolithic or modular)
• Modules (if modular kernel)
• Filesystem(s)
• Boot Loader
• Libraries and Dynamic Linker
• Init and rc system
• Utilities
• Applications
Linux Kernel
• A kernel is the central component of most computer operating systems (OS). Its responsibilities include managing the system's resources
• A monolithic architecture includes much of the OS functionality in the kernel:
  – Memory and process management
  – Device drivers
  – File systems
  – Network
• In contrast, microkernels (e.g., Mach and NT) include minimal functionality:
  – Inter-process communication and memory management
• Pros and cons
Linux Kernel
• Since v1.2, a combination of
  – Base kernel
  – Loadable kernel modules
Linux Kernel Configuration
• Configuration in a tree structure to decide which files are to be compiled into the kernel
• Options to compile directly in or as a module
• Online help to explain choices
Linux Loadable Kernel Modules (LKM)
• Linux supports kernel modules as an option
• Modules are loaded at run time
  – Reduce memory requirements
  – Add functionality to the Linux kernel
  – Run in privileged kernel mode
  – As fast as the base kernel
  – Don't require a reboot to add or remove functionality or to develop your own module
• LKMs are used for
  – Device drivers
  – Filesystem drivers
  – Network drivers
  – …
LKM utilities
• insmod – insert an LKM
• rmmod – remove an LKM
• lsmod – list loaded LKMs
• modinfo – show information about an LKM
• modprobe – can read /etc/modules; inserts/removes a set of LKMs intelligently (handling dependencies)
Linux File System Support
• Linux uses the virtual file system (VFS) interface to modularize file system support
• File systems may be compiled in as modules (but watch out for the catch-22):
  – "you need to mount the root filesystem to add the module that lets you mount the root filesystem"
• In addition to file systems that manage disk partitions, there are also pseudo file systems
Pseudo File Systems
• A 'pseudo' file system provides a file-style interface to the inner workings of the kernel.
• Most important is the /proc file system, which provides many important interfaces to the kernel and running processes
• /proc can be used to set parameters in the running kernel as well as to read its state
  – e.g. echo "1" > /proc/sys/net/ipv4/ip_forward
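The two /proc interfaces the slides mention, the ip_forward parameter and the loaded-module list that the LKM utilities above manage, exercised in an added POSIX shell script that is not part of the slides. It reads /proc/modules (the file lsmod prints) and /proc/sys/net/ipv4/ip_forward under a configurable root, so the same functions can audit the real /proc or a constructed directory tree. The root path argument, the module allowlist and the sample module names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the slides): audit two things reached through /proc,
# with a configurable root so it runs against a constructed tree as well as /proc.
#   1. the kernel parameter sys/net/ipv4/ip_forward (should be 0 on a non-router)
#   2. the loaded-module list in "modules" (what lsmod prints)
# PROC root, allowlist and sample data below are assumptions for the example.

# Print one kernel parameter; fail if the file does not exist.
read_param() {                      # usage: read_param PROC_ROOT relative/path
    f="$1/$2"
    [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    tr -d '[:space:]' < "$f"
}

# Print loaded modules that are not in the space-separated allowlist.
# /proc/modules lines look like: name size refcount users state address
unexpected_modules() {              # usage: unexpected_modules PROC_ROOT "mod1 mod2"
    allow=" $2 "
    while read -r name size refcnt rest; do
        case "$allow" in
            *" $name "*) ;;                        # expected, skip
            *) echo "$name (refcount $refcnt)" ;;  # refcount > 0 means rmmod would refuse
        esac
    done < "$1/modules"
}

# One finding per line; empty output means both checks passed.
audit_proc() {                      # usage: audit_proc PROC_ROOT "allowed modules"
    if [ "$(read_param "$1" sys/net/ipv4/ip_forward)" != "0" ]; then
        echo "ip_forward is enabled: this host will route packets between interfaces"
    fi
    unexpected_modules "$1" "$2" | sed 's/^/unexpected module: /'
}

# Build a constructed proc tree for demonstration and print its path.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/net/ipv4"
    echo 1 > "$d/sys/net/ipv4/ip_forward"        # constructed: forwarding turned on
    cat > "$d/modules" <<'EOF'
ext4 565248 1 - Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
unknown_mod 12288 0 - Live 0x0000000000000000
EOF
    echo "$d"
}

# Real run, e.g.:  sh audit_proc.sh /proc "ext4 ip_tables iptable_filter"
if [ $# -ge 2 ]; then
    audit_proc "$1" "$2"
fi
```

Running it against the real /proc needs no root: both files are world-readable, which is exactly why the module list and ip_forward are cheap things to check in a host baseline.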
Boot Loader
• Takes over from the BIOS after POST
• Usually on the master boot record (MBR) of the hard drive
  – the 512-byte boot sector that is the first sector of a partitioned disk
• Can offer a choice of different OSes (dual boot)
• Linux typically uses GRUB (LILO in the past)
GRUB
• GRand Unified Bootloader
• Two stages, the first being small with the sole purpose of loading the second one
• Understands several file system types
• Provides for changing boot options at boot time (useful for testing new kernel features)
• For more information: http://www.gnu.org/software/grub/
GRUB (cont.)
    root (hd0,0)
    kernel /vmlinuz-i686-up-4GB root=/dev/hda9
    boot
• root (hd0,0): which partition contains the kernel; here the 1st partition on the first hard disk
• kernel /vmlinuz-i686-up-4GB: file name of the kernel
• root=/dev/hda9: partition containing /sbin/init, which becomes the root partition
Boot process on Linux
• BIOS -> bootloader -> kernel
• The first process to start is a script: /etc/rc.d/rc.sysinit
• 6 run-time levels: /etc/rc.d/rc?.d/
  – Run level 5 is used to boot the system into GUI mode using XDM and X Windows
  – Run level 3 is used for single-user mode
• Scripts with S for startup and K for shutdown
Init and RC System
• Takes over once the kernel loads
• Brings the system up to ready state
• Starts different services
• Can be used after boot to start and stop services, e.g. /etc/init.d/httpd start
• Boots the system into GUI mode using XDM and X Windows
Utilities
• Unix and the toolkit approach
• /bin and /sbin (/usr/bin and /usr/sbin too)
• STDIN, STDOUT, STDERR
• Redirection and pipes
  – e.g. dmesg | head -1
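The three standard streams and the pipe, shown in an added POSIX shell example that is not from the slides. A constructed log is fed on STDIN; a filter sends ordinary lines to STDOUT and error lines to STDERR, and the callers show how redirection order decides which stream a pipe or a file receives. The sample lines and the "ERROR" marker are made up for the example.

```sh
#!/bin/sh
# Added example (not from the slides): STDIN/STDOUT/STDERR, redirection and pipes,
# run on a constructed log so the result is reproducible offline.

SAMPLE_LOG='kernel: eth0: link up
sshd: ERROR: authentication failure for root from 10.0.0.5
cron: job finished
sshd: ERROR: authentication failure for admin from 10.0.0.5
httpd: started'

# Reads a log on STDIN (fd 0). Ordinary lines go to STDOUT (fd 1), lines
# containing ERROR go to STDERR (fd 2). Nothing is lost, but the two kinds of
# output can now be sent to different places by the caller.
split_log() {
    while IFS= read -r line; do
        case "$line" in
            *ERROR*) printf '%s\n' "$line" >&2 ;;
            *)       printf '%s\n' "$line" ;;
        esac
    done
}

# Count error lines only. Redirections apply left to right: "2>&1" first points
# STDERR at the pipe, then ">/dev/null" discards STDOUT. Written the other way
# round, both streams would end up in /dev/null and wc would count nothing.
count_errors() {
    printf '%s\n' "$SAMPLE_LOG" | split_log 2>&1 >/dev/null | wc -l | tr -d ' '
}

# Count ordinary lines: the pipe carries STDOUT, STDERR is silenced.
count_normal() {
    printf '%s\n' "$SAMPLE_LOG" | split_log 2>/dev/null | wc -l | tr -d ' '
}

# Save both streams to separate files, then print the first error line
# (head -1, the same idiom as "dmesg | head -1" on the slide).
first_error() {                     # usage: first_error OUTFILE ERRFILE
    printf '%s\n' "$SAMPLE_LOG" | split_log >"$1" 2>"$2"
    head -1 "$2"
}

# Demo when run directly with an argument:  sh streams.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "errors: $(count_errors), normal: $(count_normal)"
fi
```

The same split is what `2>&1 | less` or `2>errors.log` do with a real command: STDERR exists so that diagnostics are not silently mixed into data that the next program in the pipeline parses.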
Practices (cont'd)
Hints:
• If the commands are not in the default paths, try /sbin or /usr/sbin
• A number of ways to find out the Linux distribution:
  – dmesg | head -1
  – cat /proc/version
• "man" is your friend!
Top Network Utilities
• ifconfig
• route
• ping
• traceroute (tcptraceroute)
• nmap
• netstat
• ssh (scp, sftp)
• telnet
• nc
• tcpdump
Applications
• Anything more complex than a utility?
• System services (daemons)
• X Window System
• Interactive programs
Practices
ssh to linux01~04.cs.uh.edu
1. Find out the following:
  – What Linux distribution is used?
  – Processor type, memory, CPU speed, # of CPUs
  – Which boot loader is used?
2. Try the following commands:
  – ifconfig
  – route
  – ping www.uh.edu
  – traceroute www.google.com
  – netstat
3. Explain the results from ping and netstat
Linux Networking Tools
Top Network Utilities
• ifconfig
• ping
• iwconfig
• traceroute
• route
• host (nslookup)
• iptables
• dig
• nmap
• netstat
• telnet
• ssh (scp, sftp)
• tcpdump
ifconfig
• Configure a network interface
• Without options, ifconfig shows the current settings
• Can bring an interface up or down
• example:
  – ifconfig eth1 up
  – pump -i eth1 (DHCP client program)
  – ifconfig eth1
ifconfig (CS Firewall)
eth0      Link encap:Ethernet  HWaddr 00:E0:81:2A:9D:C3
          inet addr:129.7.240.254  Bcast:129.7.240.255  Mask:255.255.255.192
          inet6 addr: fe80::2e0:81ff:fe2a:9dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:222210314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194237844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2468437723 (2354.0 Mb)  TX bytes:1403836636 (1338.8 Mb)
          Base address:0xdc00 Memory:fe9e0000-fea00000

eth1      Link encap:Ethernet  HWaddr 00:04:23:A8:58:82
          inet addr:129.7.254.188  Bcast:129.7.254.191  Mask:255.255.255.192
          inet6 addr: fe80::204:23ff:fea8:5882/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:397766811 errors:0 dropped:0 overruns:0 frame:0
          TX packets:521981776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2719493949 (2593.5 Mb)  TX bytes:217572585 (207.4 Mb)
          Base address:0xc880 Memory:fe8c0000-fe8e0000

eth2      Link encap:Ethernet  HWaddr 00:04:23:A8:58:83
          inet addr:192.168.10.254  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::204:23ff:fea8:5883/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:334616505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:238180941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2097863118 (2000.6 Mb)  TX bytes:2193856536 (2092.2 Mb)
          Base address:0xcc00 Memory:fe8e0000-fe900000
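Reading output like the listing above by hand is error-prone when a host has several interfaces, so here is an added POSIX shell example (not from the slides) that extracts each interface's IPv4 address and netmask from old-style ifconfig output and computes the network each interface sits on. The sample output is constructed in the same layout as the listing; its addresses are made up and are not the CS firewall's.

```sh
#!/bin/sh
# Added example (not from the slides): parse "ifconfig" output and derive the
# network (address AND mask) for each interface. Sample data is constructed.

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.63  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:10.1.2.3  Bcast:10.1.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Print "iface address mask" per interface. A line starting in column 1 names
# the interface; the indented "inet addr:" line carries the IPv4 details.
parse_ifconfig() {
    awk '
        /^[^ ]/ { iface = $1 }
        /inet addr:/ {
            addr = mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/) addr = substr($i, 6)
                if ($i ~ /^Mask:/) mask = substr($i, 6)
            }
            print iface, addr, mask
        }'
}

# Bitwise AND of two dotted quads, octet by octet, in POSIX shell arithmetic.
network_of() {                      # usage: network_of ADDRESS MASK
    n=""
    for i in 1 2 3 4; do
        a=$(echo "$1" | cut -d. -f"$i"); m=$(echo "$2" | cut -d. -f"$i")
        n="$n${n:+.}$((a & m))"
    done
    echo "$n"
}

# "iface network/mask" for every interface in the sample output.
interface_networks() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | parse_ifconfig |
    while read -r iface addr mask; do
        echo "$iface $(network_of "$addr" "$mask")/$mask"
    done
}

# On a live host:  ifconfig | parse_ifconfig
if [ "${1:-}" = "demo" ]; then
    interface_networks
fi
```

Knowing the network behind each interface is what makes the route table on the next slides readable: a destination matches a route when it falls inside one of these networks.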
IP-Aliasing
• "IP-aliases are additional IP-addresses/masks hooked up to a base interface by adding a colon and a string when running ifconfig."
• example:
  – ifconfig eth0:0 192.168.100.1
  – ifconfig eth0:1 192.168.101.1
• Remove an alias:
  – ifconfig eth0:0 down
• See linux/Documentation/networking/alias.txt
route
• Show and/or manipulate the IP routing table
• Commonly used to determine or set the default router for a machine on the network
• example:
  – route add default gw 129.7.243.254
  – route add -net 192.168.1.0 gw 10.0.0.10 netmask 255.255.0.0
  – route del -net 192.168.1.0 gw 10.0.0.10 netmask 255.255.0.0
• To remove all routes: ifconfig eth0 down
Static Routes
• Routes can be static or dynamic
• Most host-based routes are static
• Static routes are layer 3 clues as to where to find hosts on a complicated network.
• They include a destination network and a next-hop IP address.
• The default route's destination network is a wildcard
route (CS Firewall)
Computer Science department firewall configuration
$ /sbin/route
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
129.7.240.0     192.168.10.253   255.255.255.192  UG    0      0   0   eth2
129.7.240.64    192.168.10.253   255.255.255.192  UG    0      0   0   eth2
129.7.240.128   192.168.10.253   255.255.255.192  UG    0      0   0   eth2
129.7.240.192   0.0.0.0          255.255.255.192  U     0      0   0   eth0
129.7.241.0     192.168.10.253   255.255.255.192  UG    0      0   0   eth2
129.7.254.128   0.0.0.0          255.255.255.192  U     0      0   0   eth1
129.7.242.0     192.168.10.253   255.255.255.0    UG    0      0   0   eth2
129.7.243.0     192.168.10.253   255.255.255.0    UG    0      0   0   eth2
192.168.10.0    0.0.0.0          255.255.255.0    U     0      0   0   eth2
loopback        127.0.0.1        255.0.0.0        UG    0      0   0   lo
0.0.0.0         129.7.254.190    0.0.0.0          UG    0      0   0   eth1
Flag U: the route entry is up and running (ACTIVE).
Flag G: the route entry specifies an indirect route (via a gateway).
Flag H: the destination field in this route entry specifies a host route.
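The lookup the kernel performs over a table like the one above, as an added POSIX shell example that is not part of the slides: every route whose destination/genmask covers the packet's destination is a candidate, and the most specific one (longest mask) wins, which is why the 0.0.0.0/0 default route only applies when nothing else matches and why the G flag decides whether the packet goes to a gateway or directly out of the interface. The table is constructed with the same columns as `route -n` (metric, ref and use omitted) and made-up addresses.

```sh
#!/bin/sh
# Added example (not from the slides): longest-prefix route lookup over a
# constructed routing table. Columns: destination gateway genmask flags iface.

SAMPLE_ROUTES='192.0.2.0      192.168.10.253  255.255.255.192 UG eth2
192.0.2.192    0.0.0.0         255.255.255.192 U  eth0
192.168.10.0   0.0.0.0         255.255.255.0   U  eth2
127.0.0.0      0.0.0.0         255.0.0.0       U  lo
0.0.0.0        198.51.100.190  0.0.0.0         UG eth1'

# Dotted quad -> 32-bit integer, so a mask can be applied with shell arithmetic.
ip_to_int() {
    n=0
    for i in 1 2 3 4; do
        o=$(echo "$1" | cut -d. -f"$i")
        n=$(( (n << 8) + o ))
    done
    echo "$n"
}

# Number of one bits in a mask (the prefix length), used to rank candidates.
prefix_len() {
    m=$(ip_to_int "$1"); len=0
    while [ "$m" -ne 0 ]; do
        len=$(( len + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$len"
}

# Print "via GATEWAY dev IFACE" (G flag set) or "direct dev IFACE" for a
# destination. All matching routes are considered; the longest mask wins.
lookup_route() {                    # usage: lookup_route DEST_IP
    d=$(ip_to_int "$1"); best=-1; answer=""
    while read -r dest gw mask flags iface; do
        [ -z "$dest" ] && continue
        m=$(ip_to_int "$mask"); net=$(ip_to_int "$dest")
        if [ $(( d & m )) -eq "$net" ]; then
            len=$(prefix_len "$mask")
            if [ "$len" -gt "$best" ]; then
                best=$len
                case "$flags" in
                    *G*) answer="via $gw dev $iface" ;;
                    *)   answer="direct dev $iface" ;;
                esac
            fi
        fi
    done <<EOF
$SAMPLE_ROUTES
EOF
    [ -n "$answer" ] && echo "$answer"
}

# Demo:  sh route_lookup.sh 192.0.2.5
if [ $# -eq 1 ]; then
    lookup_route "$1"
fi
```

The same rule explains an easy mistake with `route add -net ... netmask 255.255.0.0` on the earlier slide: a too-wide mask does not just add a route, it can shadow a narrower one for every address it covers.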
tcpdump
• Prints out the headers of packets on a network interface
• Provides for filtering the output, and can also do some protocol analysis
• example:
  – tcpdump -i eth0
  – tcpdump -i eth0 host [hostname]
init scripts
• Scripts for starting services are in /etc/init.d/
• Arguments are required for these scripts (start, stop, restart, status)
• To run a service at boot time: update-rc.d xxx defaults
• To remove a service from boot time: update-rc.d -f xxx remove
netstat
• Prints information about various parts of the networking subsystem
  – Current network connections
  – Routing tables
  – Interface statistics
  – Masqueraded connections
  – Multicast memberships
• Alternatively, cat /proc/net/xxx
netstat examples
• netstat -r (provides the same result as the route command)
• netstat -a (shows all connections)
• netstat -tulp (shows all services)
  – gives programs listening for TCP and UDP connections
  – t for TCP, u for UDP, l for listening sockets, -p for program (show the PID and name of the program)
Try this
Run as root:
# netstat -tulp
# /etc/init.d/apache start
# netstat -tulp
Compare the results
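The "compare the results" step done mechanically, as an added POSIX shell example that is not from the slides: two `netstat -tulp` snapshots are reduced to the columns that identify a listener (protocol, local address, owning program) and compared with `comm`, so the listeners that appeared between the snapshots are printed. The same comparison against a saved baseline is a simple way to notice a service that should not be listening. Both snapshots are constructed in netstat's column layout; the PIDs and program names are made up.

```sh
#!/bin/sh
# Added example (not from the slides): report listening sockets that appear in
# a second "netstat -tulp" snapshot but not in the first. Data is constructed.

BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           301/dhclient'

AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2210/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           301/dhclient'

# Reduce a snapshot on STDIN to sorted "proto local-address program" lines.
# Header lines and the queue/state columns (which vary run to run) are dropped.
# LC_ALL=C keeps sort and comm using the same byte-order collation.
listeners() {
    awk '$1 == "tcp" || $1 == "udp" { print $1, $4, $NF }' | LC_ALL=C sort
}

# Lines present in the second snapshot but not the first.
new_listeners() {                   # usage: new_listeners "$BEFORE" "$AFTER"
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$1" | listeners > "$b"
    printf '%s\n' "$2" | listeners > "$a"
    LC_ALL=C comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# On a live host (as root, so -p can show every program):
#   before=$(netstat -tulp); /etc/init.d/apache start; after=$(netstat -tulp)
#   new_listeners "$before" "$after"
if [ "${1:-}" = "demo" ]; then
    new_listeners "$BEFORE" "$AFTER"
fi
```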
HTTP (WWW)
• HyperText Transfer Protocol
• Uses TCP connections on port 80*
• Commands are plaintext; human readable (if you don't mind HTML)
• example: telnet www.uh.edu 80
Try the following:
telnet localhost 80
Trying 127.0.0.1...
Connected to Cougar.
Escape character is '^]'.
GET /apache2-default/ HTTP/1.1
* Typically. Other ports such as 8080, 443 for SSL, etc. can also be used.
Configuring Apache
• Typically, Apache configuration files can be found under /etc/apache/conf
• Knoppix and Debian create a symbolic link so everything is under /etc/apache
• Most of the configuration is in httpd.conf
• Additional configuration can be included from other files with the "Include" directive
• Most distributions break this up into multiple files to provide for ease of management
Common Apache Directives
• apache.conf contains two basic types of options
• Directives are one-line attribute/value pairs
  – DocumentRoot /var/www
  – ServerName www.example.com
• Blocks (also considered directives in the Apache documentation) define sections where directives have a limited scope
  – <Directory /var/www/> ... </Directory>
  – <IfModule SSL> ... </IfModule>
Name Services
• Provides a map from the human-readable address space (hostnames) to the machine-readable address space (IP)
• A hierarchical system checks local resources before querying remote ones
  – /etc/hosts
  – optional local network naming systems
  – DNS
• DNS works off a hierarchy as well.
DNS and BIND
• The Internet's most common DNS server is BIND.
• BIND consists of a set of configuration files under /etc/bind and a daemon called named
• For further information, O'Reilly has a great book, DNS and BIND (4th ed.)
• The default install creates a caching nameserver
Querying DNS
• Several utilities provide the ability to perform name resolution using DNS
• The simplest is the host command.
• example:
  – host www.uh.edu
  – host 129.7.1.1
• For more power and flexibility in interrogating DNS servers, use the dig command.
dig
$ dig @129.7.240.1 www.cs.uh.edu
; <<>> DiG 9.2.5 <<>> @129.7.240.1 www.cs.uh.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35927
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.cs.uh.edu.                 IN      A

;; ANSWER SECTION:
www.cs.uh.edu.          3600    IN      A       129.7.228.92

;; AUTHORITY SECTION:
cs.uh.edu.              3600    IN      NS      dns.cs.uh.edu.
cs.uh.edu.              3600    IN      NS      ns2.uh.edu.

;; ADDITIONAL SECTION:
dns.cs.uh.edu.          3600    IN      A       129.7.240.1
ns2.uh.edu.             34494   IN      A       129.7.1.6

;; Query time: 0 msec
;; SERVER: 129.7.240.1#53(129.7.240.1)
;; WHEN: Wed Feb 8 12:25:20 2006
;; MSG SIZE  rcvd: 115
DHCP server
• Set up the configuration file
  – Edit /etc/dhcp3/dhcpd.conf
• /etc/init.d/dhcp3-server start
• Set a route to the broadcast address
  – route add 255.255.255.255 dev eth0
Formation of an Ad Hoc Network
• Plug in the wireless card.
• Bring your wireless card online using ifconfig eth1 up, but do not set it up with an IP address. (Don't use pump)
• Set the card in ad-hoc mode using
  – iwconfig eth1 mode "ad-hoc"
  – iwconfig eth1 essid COSC6397sp07 channel 6
• ifconfig eth1 192.168.0.x
• route add default gw 192.168.0.1
Firewalls
• A firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
• Two types of firewalls:
  – application-level
  – packet-filtering
[figure: public Internet – firewall – administered network]
Basic functionalities
• IP Filter
  – Used to filter packets
  – Full matching on IP, TCP, UDP and ICMP packet headers
• Stateful firewalls, NAT
  – Certain protocols are "complex" and require extra modules called "conntrack helpers"
  – Ex: FTP connection, NAT
• Packet mangling
  – Modify IP header fields of a packet
[figure: FTP connection – client ports 1050 and 1051 talking to the server's command port 21 and data port 20]
Linux Implementation
• The iptables command to enter a rule
• Use the iptables-save and iptables-restore scripts to save and restore them
• The framework inside the kernel is called netfilter
  – Five hooks defined in IPv4: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING
The Hooks (cont.)
[figure: packet path through the hooks PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING]
Netfilter Hooks
• PRE_ROUTING
  – Incoming packets pass this hook in ip_rcv() before routing
• LOCAL_IN
  – All incoming packets addressed to the local host pass this hook in ip_local_deliver()
• FORWARD
  – All incoming packets not addressed to the local host pass this hook in ip_forward()
• LOCAL_OUT
  – All outgoing packets created by this local computer pass this hook in ip_build_and_send_pkt()
• POST_ROUTING
  – All outgoing packets (forwarded or locally created) pass this hook in ip_finish_output()
Basic iptables syntax
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
• iptables [-t table] [commands] [options] <matches> -j <target>
• Table: filter (default), nat, mangle
• Commands:
  – append, insert, replace, delete, list, policy, etc.
  – Built-in chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
• Options:
  – verbose, line numbers, exact, etc.
• Matches:
  – -p for protocol, plus dport, dst, sport, src, states, TCP options
  – -m for a matching module name
  – ! to invert the sense of the match
• Targets:
  – Immediate actions: ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.
  – User-defined chain
  – Extensions: -p
Iptables syntax
• Listing the rules
  – -L, --list [chain]
• -F, --flush [chain]
  – Flushes (erases) all rules in a chain
  – Or a table
• -N, --new chain
  – Creates a user-specified chain
  – There must be no target with that name previously
• -X, --delete-chain [chain]
  – Deletes a user-created chain
  – No rules may reference the chain
  – Can delete all user-created chains in a table
Iptables syntax - Creating & Deleting user-created chains
• Creating...
  – iptables -t filter -N badtcppackets
• and Deleting a chain
  – iptables -t filter -X badtcppackets
• and Deleting all user-created chains
  – iptables -t filter -X
Iptables syntax - A few matches
• Protocol
  – -p, --protocol [!] [protocol]
    • tcp, udp, icmp or all
    • Numeric value
    • /etc/protocols
• Destination IP & Port
  – -d, --destination [!] address[/mask]
    • Destination address
    • Resolvable (/etc/resolv.conf)
  – --dport, --destination-port [!] port[:port]
    • Destination port
    • Numeric or resolvable (/etc/services)
    • Port range
Iptables syntax - A few matches (cont.)
• Source IP & Port
  – -s, --source [!] address[/mask]
    • Source address
    • Resolvable (/etc/resolv.conf)
  – --sport, --source-port [!] port[:port]
    • Source port
    • Numeric or resolvable (/etc/services)
    • Port range
Iptables syntax - A few matches (cont.)
• Incoming and outgoing interface
  – -i, --in-interface [!] interface
  – -o, --out-interface [!] interface
• State module
  – --state state
    • INVALID: the packet is associated with no known connection
    • ESTABLISHED: the packet is associated with a connection which has seen packets in both directions
    • NEW: the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions
    • RELATED: the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error
  – iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
Iptables syntax - Some targets
• ACCEPT
  – Accepts the packet
  – Ends further processing of the specific chain
  – Ends processing of all previous chains
  – Except other main chains and tables
• DROP
  – Drops the packet
  – No reply
  – Ends all further processing
Iptables syntax - Some targets (cont.)
• REJECT
  – Drops the packet
  – Returns a reply
    • User-specified reply
    • Calculated reply
    • TCP-RST or ICMP errors
  – Ends all further processing
• RETURN
  – Returns from a chain to the calling chain
Iptables syntax - ... and a few simple rules
• iptables -A INPUT -p tcp --dport 80:1024 -j DROP
• iptables -A FORWARD -p tcp --dport 22:113 -j DROP
• iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
• iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
• iptables -A OUTPUT -p tcp -o lo -j ACCEPT
• iptables -P OUTPUT DROP
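The syntax, the state module and the simple rules above put together into one small default-deny INPUT ruleset, as an added POSIX shell example that is not from the slides or the handout. Every rule goes through a `run` wrapper that prints the command and, unless DRY_RUN=1, executes it, so the whole set can be reviewed before it touches the kernel; the review functions below are what the accompanying check exercises. The interface name and the SSH port are assumptions for the example and can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not from the slides): a reviewable default-deny INPUT chain.
# Assumed for the example: WAN_IF and SSH_PORT (overridable), iptables in PATH.

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}
SSH_PORT=${SSH_PORT:-22}

# Print the command; execute it unless DRY_RUN=1. Applying rules needs root.
run() {
    echo "$*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Rule order is the evaluation order: the first matching rule decides.
build_input_rules() {
    run $IPT -F INPUT                                     # start from an empty chain
    run $IPT -A INPUT -i lo -j ACCEPT                     # loopback is always allowed
    # Replies to connections this host opened (and RELATED traffic such as ICMP
    # errors or FTP data) are accepted before anything is classified as NEW.
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A "new" TCP connection without SYN cannot be a real handshake: reset it
    # (the rule from the state-module slide).
    run $IPT -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
    # The only service exposed on the WAN interface in this example.
    run $IPT -A INPUT -p tcp -i $WAN_IF --dport $SSH_PORT -m state --state NEW -j ACCEPT
    run $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Log what is about to be dropped, then make DROP the chain policy. The
    # policy is set last so the accept rules are already in place when it takes
    # effect; otherwise a remote admin session would be cut off in between.
    run $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
    run $IPT -P INPUT DROP
}

# Review helpers: the same rules as text, without executing anything.
rule_lines() { ( DRY_RUN=1; build_input_rules ); }
rule_count() { rule_lines | wc -l | tr -d ' '; }
last_rule()  { rule_lines | tail -1; }

# Usage:  sh input_rules.sh show      (print the rules)
#         sh input_rules.sh apply     (as root: apply them)
case "${1:-}" in
    show)  rule_lines ;;
    apply) build_input_rules ;;
esac
```

Because the commands are plain iptables invocations, the result of `apply` can be captured with `iptables-save` (from the Linux Implementation slide) and restored at boot with `iptables-restore`; running `show` first and reading the output top to bottom is the cheapest review a ruleset gets.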
Iptables syntax - Some targets (cont.)
• SNAT
  – only valid in the nat table, in the POSTROUTING chain
  – specifies that the source address of the packet should be modified
  – --to-source ipaddr[-ipaddr][:port-port]
  – iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Iptables syntax - Some targets (cont.)
• DNAT
  – only valid in the nat table, in the PREROUTING and OUTPUT chains
  – specifies that the destination address of the packet should be modified
  – --to-destination ipaddr[-ipaddr][:port-port]
  – iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2
  – iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2
A simple example ruleset – The Goals
• See handout