Part II Network configuration

Chapter 5 Networking Linux

Preliminary Words

In this age of communication, the number of computers connected to one another is already so large that a standalone machine that is never networked is quite a rarity. Linux is in its element on the Internet, and offers you all the resources necessary to connect to multiple networks.

This chapter presents an overview of the tools needed for installing and maintaining your network connections. The most important configuration files are discussed, together with some of the more important tools. First, we show you how a Linux machine can be integrated into an existing LAN and how you can create a network of Linux machines. Then, connecting to other hosts via modem is explained, and we show you how to make an Internet connection using PPP. A longer section is dedicated to ISDN configuration. Then the configuration of mail and news systems is discussed, and the chapter ends with a description of a fax system under Linux.

Almost everything to do with networks can be adjusted in YaST (see Section 3.6 page 89 and Section 17.6 page 400). Since configuring a network can become very complex, however, only the basic mechanisms and the relevant files for configuring the network are discussed here.

Good Neighborhoods: Connecting to a LAN

Connecting a Linux machine to other UNIX machines (including other Linux machines, of course) via a LAN is not a problem. Certain prerequisites need to be fulfilled, but they do not restrict the use of a Linux machine in a networking environment.

Requirements and Preliminary Work

Linux supports almost every type of network card (Ethernet, Arcnet, Token Ring) and is familiar with almost every known networking protocol (TCP/IP, AppleTalk, IPX). Taking every possible configuration into consideration would go far beyond the scope of this chapter.
We discuss the most general case: integrating Linux into a TCP/IP network via an Ethernet card. The latest information about other networks can be found in the Documentation directory of your kernel source tree. The kernel's help function (shown when you configure it) supplies very useful additional information.

The following requirements have to be met:

* Your machine has to have a supported network card. You can check whether your card has been started correctly with the following command:

  earth:/ # cat /proc/net/dev

  There should be a line beginning with eth0:.

* If kernel support for network cards is provided by modules (see Section 13.2 page 318; this is the general case for SuSE kernels), the name of the module has to be entered in /etc/modules.conf. For your first Ethernet card, this might look like:

  alias eth0 tulip

  This is done automatically if you selected the network module in Linuxrc during installation. It can also be done at a later time using YaST (see Section 3.6.1 page 89).

If these requirements are fulfilled, there are some things to be considered before you start configuring your machine (Table 5.1):

Host name: The name of your machine on the network. It should be short and must not already be in use on the local net.

Domain name: The name of the domain your machine belongs to. Domains help to structure big networks (such as the Internet). A host is addressed via its fully qualified name, which consists of a hostname, a domain name and a top level domain. For example, earth.cosmos.com addresses the computer earth in the domain cosmos.com. The pattern for a fully qualified domain name is computername.domainname.top-level-domain.

IP address: The address of your machine in the network. Every machine has at least one IP address per network interface (e.g. a network or ISDN card), and each of these addresses is unique.
This address consists of a sequence of 4 bytes, normally written as decimal numbers separated by full stops (e.g. 193.141.17.1). When choosing an IP address, consider whether you plan to connect to the Internet in the near future. If so, it is recommended that you use registered IP addresses from the very start. If you only have a private local network, there are address ranges defined by RFC 1597 (since superseded by RFC 1918) which Internet routers are supposed to drop, so that even if one of these addresses "escapes" to the Internet it cannot reach or disturb anybody:

  10.0.0.0    to 10.255.255.255    (Class A)
  172.16.0.0  to 172.31.255.255    (Class B)
  192.168.0.0 to 192.168.255.255   (Class C)

Some IP addresses are not intended for computers but have special functions. For example, in the network 192.168.0.0 with netmask 255.255.255.0, the address 192.168.0.0 represents the network itself and 192.168.0.255 is its broadcast address.

Gateway address: If there is a gateway on your network (a machine that is connected to more than one network and forwards packets from one network to the other), you can enter its address while configuring your network.

Netmask: The netmask determines which network the machine belongs to. The IP address is combined with the netmask via a bitwise AND; this removes the host part and leaves the network address.

Address of the name server: Name servers provide DNS (Domain Name Service), which converts host names into IP addresses; for instance, the computer name earth is mapped to the IP address 192.168.0.20. If there is a reachable name server on the net and you want to use it by default, its IP address should be entered when you configure the network.

Table 5.1: Values for network configuration

5.1 Configuration Using YaST

If all the preliminary requirements from Section 5 page 133 are fulfilled, you can start configuring your network via YaST.

1. Log in as `root'.
2.
   Start YaST and change to `System administration', `Network configuration', `Basic network configuration' (Figure 5.1: Configure network using YaST).
3. Now select a free number, e.g. 0.
4. Press F5 and select `Ethernet'. Leave this mask by pressing `Continue'.
5. Now press F6 (`IP addresses') and enter the IP address of your machine (e.g. 192.168.0.20). Then enter the netmask. For a class C network (up to 254 machines in one subnet) this is typically 255.255.255.0. Enter the gateway address if there is one; if there is no gateway on your network, leave this entry blank.
6. Leave this mask by hitting `Continue'.
7. Activate the network with F4.
8. Pressing F10 saves your network configuration; Esc leaves the mask without changes.
9. `Change hostname' lets you assign or change the host name. You also need to enter the domain the host belongs to.
10. `Configure network services' lets you configure whether inetd, the portmapper, or the NFS server should be started. You may also enter the name that is posted in news articles on USENET.
   * inetd is needed to invoke certain services on demand, such as telnet, finger, ftp and more; without it those services are not available. On systems where security is an issue, enable only the services you actually need (every uncommented line in /etc/inetd.conf is a service listening on the network) and follow the guidelines in Section 18.2.2 page 421.
   * If you want to use this machine as an NFS or NIS server you need to start the portmapper at boot time. If you decide to start the portmapper, you are asked whether you want to start the NFS server as well.
11. `Configure nameservers' lets you assign one or more name servers. Up to three IP addresses may be entered.
12. `Configure sendmail' installs a basic configuration for sendmail. A detailed reference on sendmail configuration is in Section 6.8 page 176.
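The address arithmetic behind Table 5.1 (network address, broadcast address, the bitwise AND with the netmask, and the private ranges), as an added example that is not part of the SuSE manual. It is plain POSIX sh; the function names are ours, and the demo addresses are the ones used in the text and in step 5 above.

```shell
#!/bin/sh
# Added example (not from the SuSE manual): the address arithmetic behind
# Table 5.1.  Computes the network and broadcast address of an interface
# from its IP address and netmask, classifies an address within its subnet,
# and checks whether it lies in one of the RFC 1597/1918 private ranges.
# Pure POSIX sh; the sample addresses at the bottom are the ones in the text.

# Dotted quad -> 32-bit integer (runs in a subshell so IFS is not clobbered).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address: IP AND netmask (the "bitwise AND" of Table 5.1).
network_addr() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Broadcast address: network address with every host bit set.
broadcast_addr() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# "network", "broadcast" or "host": the first two must never be assigned
# to a machine, which is the usual mistake when picking addresses by hand.
addr_role() {
    case "$1" in
        "$(network_addr "$1" "$2")")   echo network ;;
        "$(broadcast_addr "$1" "$2")") echo broadcast ;;
        *)                             echo host ;;
    esac
}

# True (exit 0) if $1 lies in 10/8, 172.16/12 or 192.168/16.
is_private() {
    ip=$(ip_to_int "$1")
    for range in 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0; do
        net=${range%/*}; mask=${range#*/}
        if [ $(( ip & $(ip_to_int "$mask") )) -eq "$(ip_to_int "$net")" ]; then
            return 0
        fi
    done
    return 1
}

# Demo with the addresses from Table 5.1 and step 5 (netmask 255.255.255.0).
for a in 192.168.0.20 192.168.0.0 192.168.0.255 193.141.17.1; do
    printf '%-15s network=%-15s broadcast=%-15s role=%-9s private=%s\n' \
        "$a" "$(network_addr "$a" 255.255.255.0)" "$(broadcast_addr "$a" 255.255.255.0)" \
        "$(addr_role "$a" 255.255.255.0)" "$(is_private "$a" && echo yes || echo no)"
done
```

Run it before typing an address into YaST: if addr_role reports network or broadcast, or if an address you intend to use on an Internet-connected host turns out to be private, pick another one.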
Moreover, there are a couple of settings in /etc/rc.config which you might find useful in setting up your network. YaST provides an easy frontend for editing this file (see Section 17.6 page 400).

The basic network configuration should now be complete. YaST then launches SuSEconfig, which writes the changes to the respective files (see Section 5.2). For the changes to take effect, the daemons must be restarted. This is achieved by entering:

  earth: # rcnetwork restart

(see Chapter 17 page 395).

5.2 Manual Network Configuration: Where Do I Find What?

You should use YaST to configure your network, but since it unfortunately doesn't cover all parts of network configuration, some work may have to be done by hand. Generally, all settings should be made in /etc/rc.config. If you change this file using YaST, nothing further is required. If you change it manually, don't forget to launch SuSEconfig each time you have changed it, in order for the configuration changes to take effect.

5.2.1 Configuration Files

This section gives an overview of the most important configuration files for your network and roughly explains their functions and format.

/etc/rc.config

In this central configuration file, almost everything concerning your network can be set. After changing it with YaST and launching SuSEconfig, most of the necessary configuration files are generated automatically. Even boot scripts are built from settings in this file.

/etc/hosts

Here, IP addresses are assigned to machines (see File contents 5.2.1). If no name server is used, every machine you want to be able to reach has to be listed here, one line per machine. A line consists of the IP address, the fully qualified hostname, and an unofficial name (nickname). The IP address has to be at the beginning of the line; entries are separated by blanks or tabs. Comments start with a `#'.
  ## hosts      This file describes a number of hostname-to-address
  #             mappings for the TCP/IP subsystem. It is mostly
  #             used at boot time, when no nameservers are running.
  #             On small systems, this file can be used instead of a
  #             "named" nameserver. Just add the names, addresses
  #             and any aliases to this file...
  #
  127.0.0.1       localhost
  193.141.17.1    gauss.suse.de   gauss
  193.141.17.42   sofa.suse.de    sofa
  # End of hosts

File contents 5.2.1: /etc/hosts

/etc/networks

Here, network names are converted to network addresses. The format of this file resembles the hosts file; here, however, the network names are put in front of the addresses (see File contents 5.2.2).

  ## networks   This file describes a number of netname-to-address
  #             mappings for the TCP/IP subsystem. It is mostly
  #             used at boot time, when no nameservers are running.
  #
  loopback      127.0.0.0
  localnet      193.141.17.0
  # End of networks.

File contents 5.2.2: /etc/networks

/etc/host.conf

This file controls how hostnames are resolved. Hostnames (or networks) are not entered here; the resolving itself is done by the resolver library, and this file tells it how. Comments begin with a `#'. The following parameters can be set:

order hosts bind
    Order in which the services for resolving a hostname are consulted. Possible arguments are bind (use a name server) and hosts (search /etc/hosts).

multi on|off
    Determines whether a machine in /etc/hosts is allowed to have multiple IP addresses.

nospoof on
    After an address has been resolved to a name, the name is resolved back to an address; if the two do not match, the answer is rejected. This is a guard against a spoofing name server.

alert on|off
    Whether such spoofing attempts are logged via syslog.

trim domainname
    The given domain name is cut off from the hostname before it is resolved (provided the hostname contains that domain name). This comes in handy if /etc/hosts contains only unqualified local names which should still be found when the full domain name is attached.
Table 5.2: Parameters for /etc/host.conf

An example for /etc/host.conf is shown in File contents 5.2.3.

  ## /etc/host.conf
  #
  # We have named running
  order hosts bind
  # Allow multiple addrs
  multi on
  # End of host.conf

File contents 5.2.3: /etc/host.conf

/etc/nsswitch.conf

With the GNU C library 2.0, SuSE Linux makes use of the "Name Service Switch" (NSS); see the manpage nsswitch.conf (man 5 nsswitch.conf). More detailed information can be found in The GNU C Library Reference Manual (package libcinfo, series doc), in the chapter "System Databases and Name Service Switch".

The file /etc/nsswitch.conf lets you set the order in which certain information is requested. An example is given in File contents 5.2.4. Comments are marked with a `#'. The entry for the "database" hosts in that example means that /etc/hosts (files) is consulted first and, only if the name is not found there, a DNS request is sent (dns; see package named). Because files comes first, an entry in /etc/hosts overrides DNS for that name, so /etc/hosts must stay writable by root only. The "databases" available under NSS are listed in Table 5.3. In future releases the databases automount, bootparams, netmasks and publickey should also be available.

  ## /etc/nsswitch.conf
  #
  passwd:     compat
  group:      compat
  hosts:      files dns
  networks:   files dns
  services:   db files
  protocols:  db files
  netgroup:   files

File contents 5.2.4: /etc/nsswitch.conf

aliases    Mail aliases, used by sendmail(8); see the manpage aliases (man 5 aliases).
ethers     Ethernet addresses.
group      User groups, used by getgrent(3); see the manpage group (man 5 group).
hosts      Hostnames and IP addresses, used by gethostbyname(3) and similar functions.
netgroup   Valid list of hosts and users in the current network for setting user permissions; see the manpage netgroup (man 5 netgroup).
networks   Network names and addresses, used by getnetent(3).
passwd     User passwords, used by getpwent(3); see the manpage passwd (man 5 passwd).
protocols  Network protocols, used by getprotoent(3); see the manpage protocols (man 5 protocols).
rpc        "Remote Procedure Call" names and addresses, used by getrpcbyname(3) and similar functions.
services   Network services, used by getservent(3).
shadow     "Shadow" passwords of the users, used by getspnam(3); see the manpage shadow (man 5 shadow).

Table 5.3: "Databases" available via /etc/nsswitch.conf

All configuration possibilities of the NSS "databases" are listed in Table 5.4.

files     Direct access to files, e.g. /etc/aliases.
db        Access via a database.
nis       See Section 5.4 page 144.
nisplus   NIS+.
dns       Only available for hosts and networks.
compat    Only available for passwd, shadow and group.

Additionally, it is possible to trigger different reactions on different lookup results. Details are in the manpage nsswitch.conf (man 5 nsswitch.conf).

Table 5.4: Possible settings of the NSS "databases"

/etc/resolv.conf

As with /etc/host.conf, this file plays a vital role in resolving machine names by means of the resolver library. The domain for a given machine is specified here (keyword search), together with the address of the name server. There can be several domain entries on the search line; the more entries there are, the longer it takes to resolve a name. If a name that is not fully qualified is resolved, the search entries are appended one after the other to create a fully qualified name. Several name servers can be given, each on a line of its own; these entries have to start with nameserver. Comments are entered as usual using `#'.

  # /etc/resolv.conf
  #
  # Our domain
  search suse.de
  #
  # We use Gauss (193.141.17.1) as nameserver
  nameserver 193.141.17.1
  # End of resolv.conf

File contents 5.2.5: /etc/resolv.conf

YaST (see Section 5.1 page 136) enters the specified name server here automatically.

/etc/HOSTNAME

The complete name of the machine is entered here, along with its domain name (the fully qualified domain name).
This file is read by a couple of scripts at startup. It should contain only one line with the machine's name. The file is also generated automatically from settings in /etc/rc.config.

5.2.2 Startup Scripts

Besides the configuration files described above, there are a couple of scripts that start networking programs at boot time. These scripts are run as soon as the machine switches to one of the multiuser runlevels.

/sbin/init.d/network   Responsible for configuring your network hardware and software at boot time; it also evaluates the IP address, network address, netmask and gateway given in /etc/rc.config (created by YaST; see Section 5.1 page 136).
/sbin/init.d/inetd     Starts inetd if so defined in /etc/rc.config. This is necessary if you want to log in to this machine via the network.
/sbin/init.d/rpc       Starts the various RPC servers which are needed if filesystems are exported to other machines via NFS (NFS server).
/sbin/init.d/sendmail  Controls the sendmail process according to the settings in /etc/rc.config.

Table 5.5: The network startup scripts

5.3 Routing Under SuSE Linux

Preliminaries

Setting up the routing table on SuSE Linux is not done by means of variables in the central configuration file /etc/rc.config, but through a special script in /sbin/init.d and another configuration file in /etc. After the network has been initialized by the boot scripts /sbin/init.d/network, i4l_hardware and possibly further boot scripts, /sbin/init.d/route reads /etc/route.conf to build a routing table, which is then configured for the system. Any static routes that are needed may be added to /etc/route.conf: routes to a host, routes to a host via a gateway and routes to a network. Another possibility is to use the program routed, but configuring it is more complicated; for more information, please see the routed manpage.
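An added example, not the SuSE /sbin/init.d/route script itself: a POSIX sh re-implementation of the column rules described under "How to Use /etc/route.conf" that prints the equivalent net-tools route commands instead of applying them, so that a typo (a wrong gateway silently redirecting traffic, a forgotten device) can be spotted before the table is loaded. The function name is ours, the sample input is taken from File contents 5.3.1, and one assumption is ours: a gateway entry with no netmask is treated as a host route.

```shell
#!/bin/sh
# Added example; this is not the SuSE /sbin/init.d/route script but a
# re-implementation of the /etc/route.conf column rules, so the "route add"
# commands can be reviewed before they are applied.  Usage:
#   route_conf_to_cmds < /etc/route.conf          review the commands
#   route_conf_to_cmds < /etc/route.conf | sh     apply them (as root)
# Assumption (ours): a gateway entry without a netmask is a host route.

route_conf_to_cmds() {
    status=0
    while read -r dest gw mask dev extra; do
        case "$dest" in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -n "$extra" ]; then
            echo "error: more than 4 columns: '$dest $gw $mask $dev $extra'" >&2
            status=1; continue
        fi
        if [ -z "$gw" ]; then
            echo "error: '$dest' lacks the gateway/separator column" >&2
            status=1; continue
        fi
        case "$dest" in
        0.0.0.0)
            # The manual reserves the keyword "default" for this purpose.
            echo "error: use 'default' instead of 0.0.0.0 as the target" >&2
            status=1; continue ;;
        default)
            echo "route add default gw $gw${dev:+ dev $dev}" ;;
        *)
            if [ "$gw" = 0.0.0.0 ]; then
                # Directly attached network: netmask and device are mandatory.
                if [ -z "$mask" ] || [ -z "$dev" ]; then
                    echo "error: network $dest needs a netmask and a device" >&2
                    status=1; continue
                fi
                echo "route add -net $dest netmask $mask dev $dev"
            elif [ -z "$mask" ] || [ "$mask" = 255.255.255.255 ]; then
                # Single host behind a gateway.
                echo "route add -host $dest gw $gw${dev:+ dev $dev}"
            else
                # Network behind a gateway.
                echo "route add -net $dest netmask $mask gw $gw${dev:+ dev $dev}"
            fi ;;
        esac
    done
    return $status
}

# Demo on constructed input taken from File contents 5.3.1 (loopback line
# omitted).  Nothing is applied; the commands are only printed.
route_conf_to_cmds <<'EOF'
# Destination     Dummy/Gateway     Netmask           Device
204.127.235.0     0.0.0.0           255.255.255.0     eth0
default           204.127.235.41
207.68.156.51     207.68.145.45     255.255.255.255
192.168.0.0       207.68.156.51     255.255.0.0
EOF
```

The function returns non-zero if any line was rejected, so `route_conf_to_cmds < /etc/route.conf > /dev/null || echo "fix route.conf"` is a usable check before restarting /sbin/init.d/route.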
How to Use /etc/route.conf

The rules that apply to /etc/route.conf are adapted from the output of route. If route is called without parameters, the routing table in use is displayed. Apart from the Flags, Metric, Ref and Use columns, the entries in /etc/route.conf are identical. These are the rules that apply to /etc/route.conf:

* Lines beginning with # and blank lines are ignored. An entry consists of one line with 2 to 4 columns.
* The first column gives the target of a route. Here, the IP address of a host, a network, or a reachable name server may be given. The fully qualified domain name is allowed as well.
* The keyword default is reserved for the default gateway. Do not use 0.0.0.0 as the target of a routing entry.
* The second column contains either a separator (0.0.0.0) or the IP address (or the FQDN) of a host. This host may be the default gateway or a gateway through which a host or network is reached.
* The third column is for the netmask of networks or hosts behind a gateway. For hosts behind a gateway this is 255.255.255.255.
* The last column is only relevant for networks (loopback, Ethernet, ISDN, PPP, dummy device, etc.) connected to the local machine. Here, the device has to be specified.

A simple example of /etc/route.conf is shown in File contents 5.3.1. If new entries are added to /etc/route.conf, just enter:

  root@earth:/ > /sbin/init.d/route stop
  root@earth:/ > /sbin/init.d/route start

to load the routing table with the new entries.

  # Destination     Dummy/Gateway     Netmask           Device
  #
  # Net devices
  #
  127.0.0.0         0.0.0.0           255.255.255.0     lo
  204.127.235.0     0.0.0.0           255.255.255.0     eth0
  #
  # Gateway
  #
  default           204.127.235.41
  #
  # Host behind Gateway
  #
  207.68.156.51     207.68.145.45     255.255.255.255
  #
  # Net behind a Gateway
  #
  192.168.0.0       207.68.156.51     255.255.0.0

File contents 5.3.1: Simple example of /etc/route.conf

5.4 NIS, Yellow Pages on a LAN

5.4.1 What is NIS?
As soon as multiple UNIX systems in a network want to access common resources, you have to make sure, for example, that all user and group identities are the same on all machines in that network. The network should be transparent to the user: whichever machine a user is working on, he should always find himself in exactly the same environment. This is made possible by NIS and NFS. NFS distributes filesystems over a network and is discussed in Section 5.5.

NIS (Network Information Service), commonly referred to as YP after the "yellow pages" of the network, is a database service which enables access to /etc/passwd, /etc/shadow and /etc/group across a network. NIS can be used for other, more specialized tasks (such as /etc/hosts or /etc/services), but we spare you the details here. Note that NIS has no authentication of its own: any host that can reach the server and knows the NIS domain name can retrieve the maps, including the password hashes. Choose a domain name that is not easily guessed and restrict the server to your own subnet (the securenets file of ypserv).

5.4.2 Installing an NIS Client

SuSE Linux contains all the packages needed to install an NIS client. These tools are bundled in package ypclient, series n. To install an NIS client, proceed as follows:

* Set the NIS domain at startup via the variable YP_DOMAINNAME in /etc/rc.config. When switching to a (networking) runlevel, /sbin/init.d/network evaluates this setting and assigns the domain name accordingly. The NIS domain name should not be confused with the DNS domain name; they have nothing to do with one another, even though they might be identical.

* Assign the NIS server. The NIS server is set via the variable YP_SERVER in /etc/rc.config. SuSEconfig then writes the correct values to /etc/yp.conf (see File contents 5.4.1). If you set this variable using YaST, this step is performed automatically. The file must contain a line starting with ypserver, followed by the name of the NIS server.

  ## yp.conf
  #
  # Legal entries are:
  #
  # ypserver        Define which host to contact
  #                 for YP service.
  #
  ypserver galois.suse.de
  # End of yp.conf

File contents 5.4.1: /etc/yp.conf
* Ensure that the RPC portmapper is started. NIS uses RPC (Remote Procedure Calls), therefore the RPC portmapper needs to be running. This server is started by /sbin/init.d/rpc; this is done automatically if you have configured it in /etc/rc.config.

* Complete the entries in /etc/passwd and /etc/group. In order for a request to be sent to the NIS server after the local files have been searched, a line containing only a `+' has to be added to the relevant files. These `+' entries are interpreted only by the compat service in /etc/nsswitch.conf (File contents 5.2.4). NIS allows a multitude of other options, such as netgroups or local overriding of NIS entries. The corresponding README files (/usr/doc/packages/ypclient/yp-clients-2.2) have more information on these settings.

* Start ypbind. The final step in activating the NIS client is to launch ypbind; this is what actually starts the NIS client. (Strictly speaking, this is no longer necessary, but it guarantees a reconnection if, for example, the NIS server has been rebooted.) This program is launched automatically if you have configured your network with YaST.

* To activate your changes, either restart your system or enter:

  earth: # rcnetwork restart
  earth: # rcypclient restart

5.4.3 NIS Master and Slave Server

For this feature you need to install package ypserver, series n. The procedure is explained in /usr/doc/packages/yp/HOWTO.

5.5 NFS: Distributed Filesystems

As mentioned in Section 5.4, NFS (together with NIS) makes a network transparent to the user. By means of NFS it is possible to distribute filesystems over the network. It doesn't matter at which terminal a user is logged in; he will always find himself in the same environment.

Like NIS, NFS is an asymmetric service. There are NFS servers and NFS clients. A machine can be both: it can supply filesystems over the network (export) and mount filesystems from other hosts (import). Generally, servers are machines with a very large hard disk capacity, whose filesystems are mounted by clients.

5.5.1 Importing Filesystems

To import filesystems from an NFS server, the only requirement is that the RPC portmapper is already running.
How to start this server was covered in connection with NIS (see Section 5.4.2). If it is running, remote filesystems can be mounted (as long as they are exported by the server) just as easily as local filesystems, using the program mount with the following syntax:

  mount -t nfs <host>:<remote path> <local path>

If the user directories of the machine helios are to be imported, for example, the following command can be used:

  earth:/ # mount -t nfs helios:/home /home

5.5.2 Exporting Filesystems

A machine that exports filesystems is called an NFS server. On an NFS server, a couple of daemons need to be started:

* the RPC portmapper (rpc.portmap)
* the RPC mount daemon (rpc.mountd)
* the RPC NFS daemon (rpc.nfsd)

These are started by /sbin/init.d/rpc at boot time (see above).

The configuration file /etc/exports decides which directories are exported to which machines. For each directory to be exported, one line is needed that specifies which machines may access that directory, and with what permissions; all sub-directories of this directory are automatically exported as well. Authorized machines are usually denoted by their full name (including the domain name), but the wildcards `*' and `?' may be used as well. If no machine is specified, any machine is allowed to import this filesystem with the given permissions. The permissions of the filesystem to be exported are denoted in brackets directly after the machine name, without a space: `helios (rw)' does not give helios read-write access; it gives helios the default permissions and read-write access to every host. The most important options are:

ro               Filesystem is exported read-only (default).
rw               Filesystem is exported read-write.
root_squash      Makes sure that the user `root' of the given machine does not have root-specific permissions on this filesystem. This is achieved by mapping user-ID 0 (root) to user-ID 65534, which should be the user `nobody'.
no_root_squash   Does not map user-ID 0 to user-ID 65534 (default). Since this default differs between NFS server implementations (current Linux nfs-utils default to root_squash), write root_squash explicitly for every export where the client's root must not be root on the server.
link_relative    Converts absolute links (those beginning with `/') to a sequence of `../'. This is only useful if the whole filesystem of a machine is mounted (default).
link_absolute    Symbolic links remain untouched.
map_identity     User-IDs are exactly the same on client and server (default).
map_daemon       Client and server don't have matching user-IDs. This tells nfsd to create a conversion table for user-IDs; ugidd is required for this to work.

Table 5.6: Permissions for exported filesystems

Your exports file might look like File contents 5.5.1. The file /etc/exports is read by mountd, so if you change anything in this file, restart mountd and nfsd for your changes to take effect. This is easily done by:

  earth: # rcnfsserver restart

  ## /etc/exports
  #
  /home           helios(rw) venus(rw)
  /usr/X11        helios(ro) venus(ro)
  /usr/lib/texmf  helios(ro) venus(rw)
  /               earth(ro,root_squash)
  /home/ftp       (ro)
  # End of exports

File contents 5.5.1: /etc/exports
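An added example, not part of the SuSE manual or of the nfs-server package: a POSIX sh audit of /etc/exports that reports the patterns discussed above before you run rcnfsserver restart: exports with no client (every host), the `host (opts)' space mistake, wildcard clients, rw exports that do not say root_squash, and no_root_squash. The function name is ours; the sample input is File contents 5.5.1 plus two constructed lines containing the mistakes.

```shell
#!/bin/sh
# Added example, not part of the SuSE manual or of the nfs-server package:
# a small audit of /etc/exports that reports the patterns the text warns
# about (world exports, the "host (opts)" space mistake, wildcard clients
# and root not being squashed).  Usage:  audit_exports < /etc/exports
# Prints one line per finding plus a summary; returns non-zero if anything
# was found.

audit_exports() {
    findings=0
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -z "$clients" ]; then
            echo "$path: no client given, exported to every host with default options"
            findings=$((findings + 1)); continue
        fi
        prev=                                      # last bare hostname seen
        for tok in $clients; do
            host=${tok%%\(*}                       # part before "(", may be empty
            opts=${tok#"$host"}                    # "(opt,opt)" or empty
            opts=${opts#\(}; opts=${opts%\)}
            if [ -z "$host" ]; then
                # "(opts)" without a host applies to every host.  Right after a
                # bare hostname this is almost always a missing-space error.
                hint=
                if [ -n "$prev" ]; then hint=" (did you mean $prev($opts)?)"; fi
                host='every host'
                echo "$path: options '$opts' apply to every host$hint"
                findings=$((findings + 1))
            else
                case "$host" in
                *\**|*\?*) echo "$path: wildcard client '$host'"
                           findings=$((findings + 1)) ;;
                esac
            fi
            case ",$opts," in
            *,no_root_squash,*)
                echo "$path: root on $host keeps uid 0 (no_root_squash)"
                findings=$((findings + 1)) ;;
            *,rw,*)
                case ",$opts," in
                *,root_squash,*) ;;
                *) echo "$path: rw for $host without explicit root_squash"
                   findings=$((findings + 1)) ;;
                esac ;;
            esac
            if [ -z "$opts" ] && [ "$host" != 'every host' ]; then
                prev=$host
            else
                prev=
            fi
        done
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Demo on constructed input: File contents 5.5.1 plus two lines with the
# mistakes discussed above.
if ! audit_exports <<'EOF'
## /etc/exports
#
/home           helios(rw) venus(rw)
/usr/X11        helios(ro) venus(ro)
/usr/lib/texmf  helios(ro) venus(rw)
/               earth(ro,root_squash)
/home/ftp       (ro)
/export/bad     helios (rw)
/export/wild    *.cosmos.com(rw,no_root_squash)
# End of exports
EOF
then
    echo "review /etc/exports before exporting" >&2
fi
```

On the sample it reports eight findings; the one to act on first is `/export/bad', where the space turns a read-write export for helios into a read-write export for the whole network.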