Published by Kasey Trafford. Modified over 9 years ago.
1
Linux Basics
Reading: Chap 1-2 [WFR05]; Linux Command Manual
2
About Linux
● Linux is the name of the kernel
● Linux is Open Source Software (OSS)
● Linux is licensed through the General Public License (version 2, aka GPL2)
  – The right to redistribute is granted only if the distribution is licensed under the terms of the GPL and either includes, or unconditionally offers to include at the moment of distribution, the source code
● The Linux kernel by itself can serve as a firewall, router, access point, and even a static web page server
● Typically, Linux is packaged with a great number of applications and utilities, also OSS
3
Components of a Linux System
● Kernel (can be monolithic or modular)
● Modules (if modular kernel)
● Filesystem(s)
● Boot Loader
● Libraries and Dynamic Linker
● Init and rc system
● Utilities
● Applications
5
Linux Kernel
● A kernel is the central component of most computer operating systems (OS). Its responsibilities include managing the system's resources
● Monolithic architecture includes much of OS functionality in kernel
  – Memory and process management
  – Device drivers
  – File systems
  – Network
● In contrast, microkernels (e.g., Mach and NT) include minimal functionality
  – Inter-process communication and memory management
● Pros and cons
6
Linux Kernel
● Since V1.2, a combination of
  – Base kernel
  – Loadable kernel modules
7
Linux Kernel Configuration
● Monolithic architecture includes much of OS functionality in kernel
  – Memory and process management
  – Device drivers
  – File systems
  – Network
10
Linux Kernel Configuration
● Configuration in a tree structure to decide which files are to be compiled into the kernel
● Options to compile directly in or as a module
● Online help to explain choices
11
Components of a Linux System
● Kernel (can be monolithic or modular)
● Modules (if modular kernel)
● Filesystem(s)
● Boot Loader
● Libraries and Dynamic Linker
● Init and rc system
● Utilities
● Applications
12
Linux Loadable Kernel Modules (LKM)
● Linux supports kernel modules as an option
● Modules are loaded at run time
  – Reduce memory requirements
  – Add functionality to Linux kernel
  – Run in privileged kernel mode
  – As fast as base kernel
  – Doesn't require a reboot to add or remove functionality or develop your own module
● LKMs are used for
  – Device drivers
  – Filesystem drivers
  – Network drivers
  – …
13
LKM utilities
● insmod – insert LKM
● rmmod – remove LKM
● lsmod – list LKMs
● modinfo – show information about an LKM
● modprobe – can read /etc/modules; insert/remove a set of LKMs intelligently
14
Components of a Linux System
● Kernel (can be monolithic or modular)
● Modules (if modular kernel)
● File system(s)
● Boot Loader
● Libraries and Dynamic Linker
● Init and rc system
● Utilities
● Applications
15
Linux File System Support
● Linux uses the virtual file system (VFS) interface to modularize file system support
● File systems may be compiled in as modules (but watch out for catch-22)
  – "you need to mount the root filesystem to add the module that lets you mount the root filesystem"
● In addition to file systems that manage disk partitions, there are also pseudo file systems
16
Pseudo File Systems
● A 'pseudo' file system provides a file style interface to the inner workings of the kernel.
● Most important is the /proc file system, which provides many important interfaces to the kernel and running processes
● /proc can be used to set parameters in the running kernel as well as to read states
  – e.g. echo "1" > /proc/sys/net/ipv4/ip_forward
17
Components of a Linux System
● Kernel (can be monolithic or modular)
● Modules (if modular kernel)
● Filesystem(s)
● Boot Loader
● Libraries and Dynamic Linker
● Init and rc system
● Utilities
● Applications
18
Boot Loader
● Takes over from BIOS after POST
● Usually on master boot record (MBR) of hard drive
  – the 512-byte boot sector that is the first sector of a partitioned disk
● Can offer choice of different OSes (dual boot)
● Linux typically uses GRUB (LILO in the past)
19
GRUB
● GRand Unified Boot loader
● Two stages
  – The first being small, with the sole purpose of loading the second one.
● Understands several file system types
● Provides for changing of boot options at boot time (useful for testing new kernel features)
● For more information: http://www.gnu.org/software/grub/

  root (hd0,0)
  kernel /vmlinuz-i686-up-4GB root=/dev/hda9
  boot

  root (hd0,0) – which partition contains the kernel: 1st partition on first hard disk
  /vmlinuz-i686-up-4GB – file name of the kernel
  root=/dev/hda9 – partition containing /sbin/init, which becomes the root partition
20
Boot process on Linux
● BIOS -> bootloader -> kernel
● The first process to start is a script, /etc/rc.d/rc.sysinit
● 6 run-time levels: /etc/rc.d/rc?.d/
  – Runtime 5 is used to boot the system into GUI mode using XDM and X-Windows.
  – Runtime 3 is used for single-user mode
● Scripts with S for startup and K for shutdown
21
Init and RC System
● Takes over once kernel loads
● Brings system up to ready state
● Starts different services
● Can be used after boot to start and stop services
  – e.g. /etc/init.d/httpd start
22
Components of a Linux System
● Kernel (can be monolithic or modular)
● Modules (if modular kernel)
● Filesystem(s)
● Boot Loader
● Libraries and Dynamic Linker
● Init and rc system
● Utilities
● Applications
23
Unix and the toolkit approach
● /bin and /sbin (/usr/bin and /usr/sbin too)
● STDIN, STDOUT, STDERR
● Redirection and Pipes
  – e.g. dmesg | head -1
24
Practices (cont'd)
Hints:
● If the commands are not in the default paths, try /sbin or /usr/sbin
● A number of ways of finding out the Linux distribution
  – dmesg | head -1
  – cat /proc/version
● "man" is your friend!
25
Top Network Utilities
● ifconfig
● route
● ping
● traceroute (tcptraceroute)
● nmap
● netstat
● ssh (scp, sftp)
● telnet
● nc
● tcpdump
26
Components of a Linux System
● Kernel (can be monolithic or modular)
● Modules (if modular kernel)
● Filesystem(s)
● Boot Loader
● Libraries and Dynamic Linker
● Init and rc system
● Utilities
● Applications
27
Applications
● Anything more complex than a utility?
● System services (daemons)
● X Windowing system
● Interactive programs
28
Practices
ssh to linux01~04.cs.uh.edu
1. Find out the following:
  – what Linux distribution is used?
  – Processor type, memory, CPU speed, # of CPUs
  – Which boot loader is used?
2. Try the following commands:
  – ifconfig
  – route
  – ping www.uh.edu
  – traceroute www.google.com
  – netstat
3. Explain the results from ping, netstat
29
Linux Networking Tools
30
Top Network Utilities
● ifconfig
● iwconfig
● route
● iptables
● netstat
● ssh (scp, sftp)
● tcpdump
● ping
● traceroute
● host, (nslookup)
● dig
● nmap
● telnet
31
ifconfig
● Configure a network interface
● Without options, ifconfig shows current settings
● Can bring interface up or down
● example:
  ifconfig eth1 up
  pump -i eth1      (dhcp client program)
  ifconfig eth1
32
ifconfig (CS Firewall)
eth0      Link encap:Ethernet  HWaddr 00:E0:81:2A:9D:C3
          inet addr:129.7.240.254  Bcast:129.7.240.255  Mask:255.255.255.192
          inet6 addr: fe80::2e0:81ff:fe2a:9dc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:222210314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194237844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2468437723 (2354.0 Mb)  TX bytes:1403836636 (1338.8 Mb)
          Base address:0xdc00 Memory:fe9e0000-fea00000

eth1      Link encap:Ethernet  HWaddr 00:04:23:A8:58:82
          inet addr:129.7.254.188  Bcast:129.7.254.191  Mask:255.255.255.192
          inet6 addr: fe80::204:23ff:fea8:5882/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:397766811 errors:0 dropped:0 overruns:0 frame:0
          TX packets:521981776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2719493949 (2593.5 Mb)  TX bytes:217572585 (207.4 Mb)
          Base address:0xc880 Memory:fe8c0000-fe8e0000

eth2      Link encap:Ethernet  HWaddr 00:04:23:A8:58:83
          inet addr:192.168.10.254  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::204:23ff:fea8:5883/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:334616505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:238180941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2097863118 (2000.6 Mb)  TX bytes:2193856536 (2092.2 Mb)
          Base address:0xcc00 Memory:fe8e0000-fe900000
33
IP-Aliasing
● "IP-aliases are additional IP-addresses/masks hooked up to a base interface by adding a colon and a string when running ifconfig."
● example:
  ifconfig eth0:0 192.168.100.1
  ifconfig eth0:1 192.168.101.1
● Remove an alias:
  ifconfig eth0:0 down
● See linux/Documentation/networking/alias.txt
34
route
● Show and/or manipulate the IP routing table
● Commonly used in determining or setting default routers for a machine on the network
● example:
  route add default gw 129.7.243.254
  route add -net 192.168.1.0 gw 10.0.0.10 netmask 255.255.0.0
  route del -net 192.168.1.0 gw 10.0.0.10 netmask 255.255.0.0
● To remove all routes: ifconfig eth0 down
35
Static Routes
● Routes can be static or dynamic
● Most host-based routes are static
● Static routes are layer 3 clues as to where to find hosts on a complicated network. They include a destination network and a next-hop IP address.
● The default route's destination network is a wildcard
36
route (CS Firewall)
Computer Science department firewall configuration

$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
129.7.240.0     192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.64    192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.128   192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.192   0.0.0.0         255.255.255.192 U     0      0        0 eth0
129.7.241.0     192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.254.128   0.0.0.0         255.255.255.192 U     0      0        0 eth1
129.7.242.0     192.168.10.253  255.255.255.0   UG    0      0        0 eth2
129.7.243.0     192.168.10.253  255.255.255.0   UG    0      0        0 eth2
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
loopback        127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         129.7.254.190   0.0.0.0         UG    0      0        0 eth1

● Flag U: the route entry is up and running, or ACTIVE.
● Flag G: the route entry specifies an indirect route (via a gateway).
● Flag H: the destination field in this route entry specifies a host route.
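To make the table above concrete, here is an added example (not part of the lecture) that parses that `route` listing and performs the same longest-prefix lookup the kernel does when choosing where to send a packet. The only assumption is that the name `loopback` printed by `route` stands for 127.0.0.0 (the /etc/networks name).

```python
"""Longest-prefix lookup over the CS firewall routing table shown on the
slide (added example, not the lecture's code). The `route` text is embedded
below; `lookup` picks the most specific matching Genmask, the way the
kernel chooses a route, and falls back to the 0.0.0.0 default."""
import ipaddress

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
129.7.240.0     192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.64    192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.128   192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.240.192   0.0.0.0         255.255.255.192 U     0      0        0 eth0
129.7.241.0     192.168.10.253  255.255.255.192 UG    0      0        0 eth2
129.7.254.128   0.0.0.0         255.255.255.192 U     0      0        0 eth1
129.7.242.0     192.168.10.253  255.255.255.0   UG    0      0        0 eth2
129.7.243.0     192.168.10.253  255.255.255.0   UG    0      0        0 eth2
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
loopback        127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         129.7.254.190   0.0.0.0         UG    0      0        0 eth1
"""

def parse_route_table(text):
    """Turn `route` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        if dest == "loopback":  # assumption: the /etc/networks name for 127.0.0.0
            dest = "127.0.0.0"
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes

def lookup(routes, dst):
    """Return the route a packet to `dst` takes: most specific Genmask wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, iface)
    if best is None:
        return None  # cannot happen here: the 0.0.0.0/0 default matches everything
    net, gw, flags, iface = best
    # Without the G flag the destination is on-link, so no gateway is used.
    return {"net": str(net), "gateway": gw if "G" in flags else None, "iface": iface}

ROUTES = parse_route_table(ROUTE_OUTPUT)

if __name__ == "__main__":
    for dst in ("129.7.240.10", "129.7.240.200", "129.7.254.188", "8.8.8.8"):
        print(dst, lookup(ROUTES, dst))
```

Note how 129.7.240.200 goes straight out eth0 with no gateway (flag U only), while 129.7.240.10 is sent to 192.168.10.253 on eth2 and anything not covered falls through to the default gateway 129.7.254.190 on eth1.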
37
tcpdump
● Prints out headers of packets on a network interface
● Provides for filtering output, and can also do some protocol analysis
● example:
  tcpdump -i eth0
  tcpdump -i eth0 host [hostname]
38
init scripts
● Scripts for starting services are in /etc/init.d/
● Arguments are required for these scripts (start, stop, restart, status)
● To run a service at boot time: update-rc.d xxx defaults
● To remove a service at boot time: update-rc.d -f xxx remove
39
netstat
● Prints information about various parts of the networking subsystem
  – Current network connections
  – Routing tables
  – Interface statistics
  – Masqueraded connections
  – Multicast memberships
● Alternatively, cat /proc/net/xxx
40
netstat examples
● netstat -r (provides the same result as the route command)
● netstat -a (shows all connections)
● netstat -tulp (shows all services)
  – gives programs listening for TCP and UDP connections
  – t for TCP, u for UDP, l for listening sockets, -p for program (show the PID and name of the program)
41
Try this
Run as root:
  # netstat -tulp
  # /etc/init.d/apache start
  # netstat -tulp
Compare the results
42
HTTP (WWW)
● HyperText Transfer Protocol
● Uses TCP connections on port 80*
● Commands are plaintext; human readable (if you don't mind html)
● example: telnet www.uh.edu 80
● Try the following:
  telnet localhost 80
  Trying 127.0.0.1...
  Connected to Cougar.
  Escape character is '^]'.
  GET /apache2-default/ HTTP/1.1

* Typically. Other ports such as 8080, 443 for SSL, etc. can also be used.
43
Configuring Apache
● Typically, Apache configuration files can be found under /etc/apache/conf
  – Knoppix and Debian create a symbolic link so everything is under /etc/apache
● Most of the configuration is in httpd.conf
● Additional configurations can be included from other files with the "Include" directive
  – Most distributions break this up into multiple files to provide for ease of management
44
Common Apache Directives
● Apache.conf contains two basic types of options
● Directives are one-liner Attribute Value pairs
  DocumentRoot /var/www
  ServerName www.example.com
● Blocks (also considered directives in apache documentation) define sections where directives have a limited scope
  ...
45
Name Services
● Provides a map from human readable address space (hostnames) to machine readable address space (IP)
● Hierarchical system checks local resources before querying remote ones
  – /etc/hosts
  – optional local network naming systems
  – DNS
● DNS works off a hierarchy as well.
46
DNS and BIND
● The internet's most common DNS server is BIND.
● BIND consists of a set of configuration files under /etc/bind and a daemon called named
● For further information, O'Reilly has a great book, DNS and BIND (4th ed.)
● The default install creates a caching nameserver
47
Querying DNS
● Several utilities provide the ability to perform name resolution using DNS
● The simplest is the host command. example:
  host www.uh.edu
  host 129.7.1.1
● For more power and flexibility in interrogating DNS servers, use the dig command.
48
dig
$ dig @129.7.240.1 www.cs.uh.edu

; <<>> DiG 9.2.5 <<>> @129.7.240.1 www.cs.uh.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35927
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.cs.uh.edu.                 IN      A

;; ANSWER SECTION:
www.cs.uh.edu.          3600    IN      A       129.7.228.92

;; AUTHORITY SECTION:
cs.uh.edu.              3600    IN      NS      dns.cs.uh.edu.
cs.uh.edu.              3600    IN      NS      ns2.uh.edu.

;; ADDITIONAL SECTION:
dns.cs.uh.edu.          3600    IN      A       129.7.240.1
ns2.uh.edu.             34494   IN      A       129.7.1.6

;; Query time: 0 msec
;; SERVER: 129.7.240.1#53(129.7.240.1)
;; WHEN: Wed Feb  8 12:25:20 2006
;; MSG SIZE  rcvd: 115
49
DHCP server
● Set up the configuration file
  – Edit /etc/dhcp3/dhcpd.conf
● /etc/init.d/dhcp3-server start
● Set route to broadcast address
  – route add 255.255.255.255 dev eth0
50
Formation of an Ad Hoc Network
1. Plug in the wireless card.
2. Bring your wireless card online using ifconfig eth1 up, but do not set it up with an IP address. (Don't use pump)
3. Set the card in ad-hoc mode using iwconfig eth1 mode "ad-hoc"
4. iwconfig eth1 essid COSC6397sp07 channel 6
5. ifconfig eth1 192.168.0.x
6. route add default gw 192.168.0.1
51
Firewalls
● isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: firewall sitting between the administered network and the public Internet]
● two types of firewalls:
  – application-level
  – packet-filtering
52
Basic functionalities
● IP Filter
  – Used to filter packets
  – Full matching on IP, TCP, UDP and ICMP packet headers
● Stateful firewalls, NAT
  – Certain protocols are "complex" and require extra modules called "conntrack helpers"
  – Ex: ftp connection, NAT
● Packet mangling
  – Modify IP header fields of a packet
[Figure: FTP client/server exchange: command connection to server port 21 (client port 1050, PORT 1051), data connection from server port 20 to client port 1051]
53
Linux Implementation
● The iptables command to enter a rule
● Use the iptables-save and iptables-restore scripts to save and restore them
● The framework inside the kernel is called netfilter
● Five hooks defined in IPv4: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING.
54
The Hooks (cont.)
[Figure: packet path through the hooks: PRE_ROUTING -> routing decision -> LOCAL_IN (to local process) or FORWARD -> POST_ROUTING; locally generated packets: LOCAL_OUT -> routing decision -> POST_ROUTING]
55
Netfilter Hooks
● PRE_ROUTING: Incoming packets pass this hook in ip_rcv() before routing
● LOCAL_IN: All incoming packets addressed to the local host pass this hook in ip_local_deliver()
● FORWARD: All incoming packets not addressed to the local host pass this hook in ip_forward()
● LOCAL_OUT: All outgoing packets created by this local computer pass this hook in ip_build_and_send_pkt()
● POST_ROUTING: All outgoing packets (forwarded or locally created) will pass this hook in ip_finish_output()
56
Basic iptables syntax
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
iptables [-t table] [commands] [options] -j target
● Table: filter (default), nat, mangle
● Commands: append, insert, replace, delete, list, policy, etc.
● Built-in chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
● Options: verbose, line numbers, exact, etc.
● Matches:
  – -p for protocol; dport, dst, sport, src, states, TCP options
  – -m for matching module name
  – ! to invert the sense of the match
● Targets:
  – Immediate actions: ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.
  – User defined chain
  – Extensions: -p
57
Iptables syntax
● Listing the rules
  – -L, --list [chain]
● -F, --flush [chain]
  – Flushes (erases) all rules in a chain, or a table
● -N, --new chain
  – Creates a user-specified chain
  – There must be no target with that name previously
● -X, --delete-chain [chain]
  – Deletes a user-created chain
  – No rules may reference the chain
  – Can delete all user-created chains in a table
58
Iptables syntax - Creating & Deleting user-created chains
● Creating...
  iptables -t filter -N badtcppackets
● ... and Deleting a chain
  iptables -t filter -X badtcppackets
● ... and Deleting all user-created chains
  iptables -t filter -X
59
Iptables syntax - A few matches
● Protocol
  – -p, --protocol [!] [protocol]
  – tcp, udp, icmp or all
  – Numeric value (/etc/protocols)
● Destination IP & Port
  – -d, --destination [!] address[/mask]
    Destination address; resolvable (/etc/resolv.conf)
  – --dport, --destination-port [!] port[:port]
    Destination port; numeric or resolvable (/etc/services); port range
60
Iptables syntax - A few matches (cont.)
● Source IP & Port
  – -s, --source [!] address[/mask]
    Source address; resolvable (/etc/resolv.conf)
  – --sport, --source-port [!] port[:port]
    Source port; numeric or resolvable (/etc/services); port range
61
Iptables syntax - A few matches (cont.)
● Incoming and Outgoing interface
  – -i, --in-interface [!] interface
  – -o, --out-interface [!] interface
62
State module
● --state state
  – INVALID: the packet is associated with no known connection
  – ESTABLISHED: the packet is associated with a connection which has seen packets in both directions
  – NEW: the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions
  – RELATED: the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error
● iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
63
Iptables syntax - Some targets
● ACCEPT
  – Accepts the packet
  – Ends further processing of the specific chain
  – Ends processing of all previous chains
  – Except other main chains and tables
● DROP
  – Drops the packet
  – No reply
  – Ends all further processing
64
Iptables syntax - Some targets (cont.)
● REJECT
  – Drops packet
  – Returns a reply
    User specified reply
    Calculated reply: TCP-RST or ICMP errors
  – Ends all further processing
● RETURN
  – Returns from a chain to the calling chain
65
Iptables syntax - ... and a few simple rules
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
iptables -A FORWARD -p tcp --dport 22:113 -j DROP
iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp -o lo -j ACCEPT
iptables -P OUTPUT DROP
66
Iptables syntax - Some targets (cont.)
● SNAT
  – only valid in the nat table, in the POSTROUTING chain.
  – specifies that the source address of the packet should be modified
  – --to-source ipaddr[-ipaddr][:port-port]
  iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
67
Iptables syntax - Some targets (cont.)
● DNAT
  – only valid in the nat table, in the PREROUTING and OUTPUT chains.
  – specifies that the destination address of the packet should be modified
  – --to-destination ipaddr[-ipaddr][:port-port]
  iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2
  iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2
68
A simple example ruleset – The Goals
See handout