//TODO [ ] https://www.youtube.com/watch?v=kQYQ_3ayz8w&list=PLvadQtO-ihXt5k8XME2iv0cKpKhcYqe7i&index=5
Commonly used commands for checking networking: `ss`, `lsof`, `netstat`, `ifconfig`, `hostname`, `ip`, `route`, `iptables`, `nc`, `ping`, `arp`, `curl`, `wget`, `host`, `nslookup`, `dig`.
This summary mainly comes from the Network chapter of the LPIC-1 course on PluralSight and from the LFCE Advanced Networking training. Some iptables content from YouTube was added later.
Environment: CentOS 7 Enterprise Linux or RedHat.
Frequently Asked Question: What is going on when you hit a URL in the browser?
About the domain name `www.microsoft.com.`:
- root domain: `.`
- top-level domain: `com`
- second-level domain: `microsoft`
- third-level domain: `www`
The above is the most basic flow. If HTTPS is used, you can also describe the TLS handshake; if there is a proxy in between, the connection is tunneled through it; if there is a load balancer, there may be TLS termination, and so on.
Ip vs Ifconfig
`ifconfig` is obsolete, use `ip` instead.
I have a separate post specifically about the `ip` command.
ipv4: 32 bits long, dotted decimal
ipv6: 128 bits long, written as colon-separated groups of four hex digits
Hostname
```bash
# show full hostname
```
```bash
# this will not be persistent
```
Notice that the order of the names we add in the /etc/hosts file is important! Put the fully qualified hostname first, then the aliases; otherwise it causes problems in some scenarios!
```bash
# /etc/hosts
```
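The ordering rule above matters because the C library treats the first name after the address as the canonical hostname and everything after it as an alias, so a reverse lookup (what `hostname -f` and many daemons rely on) returns whatever was written first. The following is an added example, not code from the original post: it parses two constructed hosts files the way the resolver does and includes a small lint that flags a line where a short alias precedes the FQDN. The addresses and names (`node1.lab.example.com`, `192.168.56.104`) are constructed.

```python
"""Parse /etc/hosts the way the C library resolver does and show why the
fully qualified name must come first on a line (added example, not from the
original post; the hosts file content below is constructed)."""

# Correct: FQDN first on each line, aliases after it
HOSTS_GOOD = """\
127.0.0.1   localhost.localdomain localhost
# one host line: FQDN first, then aliases
192.168.56.104  node1.lab.example.com node1 gateway
"""

# Same entries but with the short alias written before the FQDN
HOSTS_BAD = """\
127.0.0.1   localhost.localdomain localhost
192.168.56.104  node1 node1.lab.example.com gateway
"""


def parse_hosts(text):
    """Return a list of (ip, canonical_name, [aliases]) in file order.

    Blank lines and '#' comments are skipped; the first name after the
    address is the canonical name, the rest are aliases."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, canonical, aliases = fields[0], fields[1], fields[2:]
        entries.append((ip, canonical, aliases))
    return entries


def forward_lookup(entries, name):
    """gethostbyname-style: any name on the line resolves to the address."""
    for ip, canonical, aliases in entries:
        if name == canonical or name in aliases:
            return ip
    return None


def reverse_lookup(entries, ip):
    """gethostbyaddr-style: an address resolves to the canonical (first) name.

    A short alias placed first silently becomes the host's "fully
    qualified" name for every program that asks for it."""
    for entry_ip, canonical, _aliases in entries:
        if entry_ip == ip:
            return canonical
    return None


def check_fqdn_first(entries):
    """Lint: report addresses whose canonical name has no dot while an alias
    on the same line does, i.e. the FQDN was written after a short alias."""
    problems = []
    for ip, canonical, aliases in entries:
        if "." not in canonical and any("." in a for a in aliases):
            problems.append(ip)
    return problems


if __name__ == "__main__":
    for label, text in (("good", HOSTS_GOOD), ("bad", HOSTS_BAD)):
        entries = parse_hosts(text)
        print(label, reverse_lookup(entries, "192.168.56.104"),
              check_fqdn_first(entries))
```

Forward resolution works in both files, which is why the mistake is easy to miss; only the reverse direction exposes it.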
Besides the local hosts file, let's look at the DNS settings; I have a blog post that covers this.
The `dig` command (DNS lookup utility) is used to check the response and look up a hostname from a DNS server.
```bash
# use default dns server
```
Output:
```
<<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> www.pluralsight.com @8.8.8.8
```
Add the short format `+short` to return the IP address only:
```bash
# only show resolved output
```
How to check a DNS record's TTL: you can set a TTL for the DNS record that defines how long a resolver is supposed to cache the answer before it expires. TTL is typically used to reduce the load on your authoritative name servers and to speed up DNS queries for clients.
```bash
# A is type, check local dns resolver
```
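To see what the TTL column in a `dig` answer actually controls, the following added example (not code from the original post) parses constructed `dig +noall +answer` lines, follows the CNAME chain to the A records, and models a stub-resolver cache whose entries count down from the received TTL and disappear when it reaches zero. The names under `example.test` and the 203.0.113.x addresses are constructed documentation values.

```python
"""Parse dig answer lines and model a resolver cache honouring the TTL
(added example, not from the original post; the answer lines are constructed
and use documentation addresses)."""

from collections import namedtuple

Record = namedtuple("Record", "name ttl rclass rtype rdata")

# Constructed sample of 'dig +noall +answer' output (tab-separated as dig prints it)
DIG_ANSWER = """\
www.example.test.\t300\tIN\tCNAME\tedge.example.test.
edge.example.test.\t60\tIN\tA\t203.0.113.10
edge.example.test.\t60\tIN\tA\t203.0.113.11
"""


def parse_dig_answer(text):
    """Return Record tuples for each 'NAME TTL CLASS TYPE RDATA' line."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or not parts[1].isdigit():
            continue  # skip blank lines and anything that is not an RR
        name, ttl, rclass, rtype, rdata = parts
        records.append(Record(name, int(ttl), rclass, rtype, rdata))
    return records


class ResolverCache:
    """A minimal stub-resolver cache: entries expire after their TTL."""

    def __init__(self):
        self._entries = {}  # (name, type) -> (expires_at, [rdata, ...])

    def store(self, records, now):
        for rec in records:
            key = (rec.name, rec.rtype)
            expires, rdatas = self._entries.setdefault(key, (now + rec.ttl, []))
            # all RRs in one RRset share a TTL; keep the earliest expiry
            self._entries[key] = (min(expires, now + rec.ttl), rdatas + [rec.rdata])

    def lookup(self, name, rtype, now):
        """Return (rdatas, remaining_ttl) or None if absent or expired.

        Like a real cache, the remaining TTL counts down from the time
        the answer was received, so a client re-querying sees a smaller TTL."""
        entry = self._entries.get((name, rtype))
        if entry is None:
            return None
        expires, rdatas = entry
        if now >= expires:
            del self._entries[(name, rtype)]
            return None
        return rdatas, expires - now


def chase(records, name, depth=0):
    """Follow CNAMEs in an answer section to the final A records."""
    if depth > 8:
        return []  # guard against a CNAME loop
    for rec in records:
        if rec.name == name and rec.rtype == "CNAME":
            return chase(records, rec.rdata, depth + 1)
    return [rec.rdata for rec in records if rec.name == name and rec.rtype == "A"]


if __name__ == "__main__":
    recs = parse_dig_answer(DIG_ANSWER)
    cache = ResolverCache()
    cache.store(recs, now=1000)
    print(chase(recs, "www.example.test."), cache.lookup("edge.example.test.", "A", 1030))
```

Note the short 60-second TTL on the A records versus 300 on the CNAME: a low TTL lets you move a service quickly at the cost of more queries hitting the authoritative servers, which is exactly the trade-off described above.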
Network services
04/12/2020 So far I have only looked at the configuration; I have not changed it myself.
Display and set IP address
```bash
ip -4 addr
```
I do not fully understand how these settings are used in practice. The Network Manager tool, which is not a cure-all either (it does not apply everywhere), can be used to make a persistent change so that it is not lost.
```bash
# check status
```
Traditional network service, more flexible and common.
```bash
systemctl status network
```
The network configuration is read from scripts under /etc/sysconfig/network-scripts/.
```bash
ifcfg-eth0 ifcfg-eth1 ifcfg-lo ...
```
These files already contain the configuration; for more details see this link: https://www.computernetworkingnotes.com/rhce-study-guide/network-configuration-files-in-linux-explained.html
```bash
TYPE=Ethernet
```
After editing the ifcfg-xx file, bring down and up that interface:
```bash
ifdown eth0
```
Routing
[ ] iptables vs routing tables: what is the difference, and when is each used? See this question and the diagram in the comment.
Display routing tables
```bash
# see below
```
Explain the host routing table (because this machine is not a router). The meaning of each column, for example the letters in the Flags column, can be found in `man route`.
The order in the routing table does not matter, the longer prefix always takes priority.
```bash
# In short, the routing table answers: to reach where, which interface is the exit, and who is the next hop
```
Compare with the `ip r` command, whose output looks a bit different:
```bash
# proto [type]: routing protocol identifier of this route
```
Adding routes: send all traffic that has no matching route to 192.168.56.104 via eth0, for example when the current machine cannot reach the external network but 192.168.56.104 can. Afterwards 192.168.56.104 also needs to be configured as a router.
```bash
# this command is not persistent
```
To make it persistent, edit the corresponding file for eth0 under /etc/sysconfig/network-scripts/, or add your own script, and then restart the network with `systemctl restart network`.
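The two statements above, that order in the routing table does not matter and that the default route only catches what nothing else matches, follow from longest-prefix matching. The following added example (not code from the original post) implements that lookup over a constructed host routing table in which the default route is deliberately inserted first; `192.168.56.104` as the default gateway comes from the notes, the other prefixes and interface names are constructed.

```python
"""Longest-prefix-match route lookup, modelling the host routing table
discussed above (added example, not from the original post). The routes
are constructed; 192.168.56.104 as default gateway comes from the post."""

import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "destination gateway iface")


def add_route(table, destination, gateway, iface):
    """Append a route. Insertion order is irrelevant to lookup()."""
    table.append(Route(ipaddress.ip_network(destination), gateway, iface))
    return table


def lookup(table, dst_ip):
    """Pick the route whose destination prefix is longest among all that
    contain dst_ip; the 0.0.0.0/0 default route has prefix length 0 and so
    only wins when nothing more specific matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in table:
        if ip in route.destination:
            if best is None or route.destination.prefixlen > best.destination.prefixlen:
                best = route
    return best


def explain(table, dst_ip):
    """Return the 'where to, which exit, next hop' triple for an address."""
    route = lookup(table, dst_ip)
    if route is None:
        return "no route to host"
    via = "on-link" if route.gateway is None else "via " + route.gateway
    return "%s -> %s dev %s %s" % (dst_ip, route.destination, route.iface, via)


# Constructed table, written deliberately with the default route first
# to show that order does not matter.
table = []
add_route(table, "0.0.0.0/0", "192.168.56.104", "eth0")   # default gw from the post
add_route(table, "192.168.56.0/24", None, "eth0")         # on-link LAN
add_route(table, "10.0.2.0/24", None, "eth1")
add_route(table, "10.0.2.128/25", "10.0.2.1", "eth1")     # more specific /25 beats the /24

if __name__ == "__main__":
    for ip in ("192.168.56.1", "10.0.2.200", "10.0.2.5", "8.8.8.8"):
        print(explain(table, ip))
```

An empty table yields "no route to host", which is the same error message scp reports in the troubleshooting section at the end of these notes.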
Configuring a Linux system as a router:
```bash
# now let's configure machine 192.168.56.104 as a router
```
When I was working on a project I needed to look at performance in the DataStage Ops Console, but the OpenShift worker node could not be reached directly from outside, only through the infra node's routing. So I first exposed the service with a nodePort, then set up a mapping from the infra node to the corresponding worker node port, and finally used MASQUERADE towards the outside.
```bash
# this is operating on nat iptables
```
Allowing access to the internet via NAT, so traffic can get back to the private network.
Note that this routing part does not involve the firewall yet; the firewall is inactive.
```bash
# -t nat: working on nat table
```
Then if you check `iptables -t nat -nvL` you will see the POSTROUTING rule with the new line added.
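Why MASQUERADE is what makes "traffic get back to the private network" becomes clear when the NAT step is written out as a state machine: the router rewrites the private source address on the way out and remembers the mapping in its connection-tracking table, so the reply can be translated back. The following is an added example, not code from the original post; all addresses are constructed (192.168.56.105 is a private host behind the router, 10.0.2.15 the router's outside address, 203.0.113.5 a public server).

```python
"""Stateful source NAT (what the MASQUERADE target does) on a Linux box
acting as router (added example, not from the original post). Addresses
are constructed: 192.168.56.105 is a private host behind the router,
10.0.2.15 the router's outside address, 203.0.113.5 a public server."""

from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "src sport dst dport")


class Masquerader:
    """POSTROUTING -o <outside iface> -j MASQUERADE, as a tiny state machine.

    Outbound packets leaving via the outside interface get their source
    rewritten to the interface address; the conntrack table remembers the
    mapping so replies can be translated back to the private host."""

    def __init__(self, outside_ip, private_nets):
        self.outside_ip = outside_ip
        self.private_nets = [ipaddress.ip_network(n) for n in private_nets]
        self.conntrack = {}        # (public dst, dport, nat sport) -> (src, sport)
        self._next_port = 1024

    def _is_private(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.private_nets)

    def postrouting(self, pkt):
        """Called for packets leaving the outside interface."""
        if not self._is_private(pkt.src):
            return pkt                     # router's own traffic, no NAT
        # reuse an existing mapping for the same flow, else allocate a port
        for key, orig in self.conntrack.items():
            if orig == (pkt.src, pkt.sport) and key[:2] == (pkt.dst, pkt.dport):
                return pkt._replace(src=self.outside_ip, sport=key[2])
        nat_port = self._next_port
        self._next_port += 1
        self.conntrack[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return pkt._replace(src=self.outside_ip, sport=nat_port)

    def prerouting(self, pkt):
        """Called for packets arriving on the outside interface (replies).

        Returns the de-NATed packet, or None when no conntrack entry
        exists: unsolicited inbound traffic has no private destination."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if orig is None or pkt.dst != self.outside_ip:
            return None
        return pkt._replace(dst=orig[0], dport=orig[1])


def round_trip(nat, request):
    """Send a request out through NAT and bring the server's reply back."""
    outbound = nat.postrouting(request)
    reply = Packet(outbound.dst, outbound.dport, outbound.src, outbound.sport)
    return outbound, nat.prerouting(reply)


if __name__ == "__main__":
    nat = Masquerader("10.0.2.15", ["192.168.56.0/24"])
    print(round_trip(nat, Packet("192.168.56.105", 40000, "203.0.113.5", 80)))
```

Without the translation, the server's reply would be addressed to 192.168.56.105, a private address the outside network cannot route. The `prerouting` check also shows the side effect administrators rely on: inbound packets with no matching conntrack entry are simply dropped, which is the same reason the notes later need an explicit port mapping to reach the worker node.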
Firewall
In fact many Linux systems rely on iptables to implement the firewall function (see the next section); what the firewalld service changes behind the scenes is also iptables.
Implement packet filtering (iptables and firewalld both can do this)
firewall zone: represents a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently.
The configuration commands are similar in form to kubectl/oc.
```bash
systemctl start firewalld
```
The rest of the course mainly covers firewall configuration: you can add or remove services, ports, etc. for different zones. The default service definition files are in the /usr/lib/firewalld/services directory, while services you create yourself go in /etc/firewalld/services/.
Iptables
iptables can also implement the firewall function via the filter table.
There are currently five independent tables:
filter: This is the default table (if no `-t` option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle: This table is used for specialized packet alteration.
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target.
security: This table is used for Mandatory Access Control (MAC) networking rules.
```bash
# list 3 basic chain in filter table: INPUT, FORWARD, OUTPUT
```
Change default policies. Note: you can add your own rules to add functionality, but do not casually change the default policy from ACCEPT. Otherwise, if something goes wrong, you will not be able to connect at all.
```bash
# set default policy to DROP
```
```bash
# save current config
```
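The warning about changing the default policy is easiest to understand by modelling how a chain is evaluated: rules are tried in order, the first match decides, and only when nothing matches does the chain's policy apply. The following added example (not code from the original post) builds a small INPUT chain with loopback, established-connection and ssh rules, then checks whether switching the policy to DROP would still let a brand new ssh session in. The rule set and packets are constructed.

```python
"""First-match rule evaluation in an iptables filter chain, with the
chain's default policy applied when nothing matches (added example, not
from the original post; rules and packets are constructed)."""

from collections import namedtuple

Packet = namedtuple("Packet", "proto dst_port state iface")
Rule = namedtuple("Rule", "match target")   # match: callable(Packet) -> bool


class Chain:
    """One built-in chain such as INPUT: a rule list plus a policy."""

    def __init__(self, name, policy="ACCEPT"):
        self.name = name
        self.policy = policy
        self.rules = []

    def append(self, match, target):          # like: iptables -A <chain> ... -j <target>
        self.rules.append(Rule(match, target))

    def set_policy(self, policy):             # like: iptables -P <chain> <policy>
        self.policy = policy

    def verdict(self, pkt):
        """Rules are tried in order; the first one that matches decides."""
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy                    # no rule matched: use the policy


def build_input_chain(policy):
    """INPUT chain with the usual minimum: loopback, established, ssh."""
    chain = Chain("INPUT", policy)
    chain.append(lambda p: p.iface == "lo", "ACCEPT")
    chain.append(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")
    chain.append(lambda p: p.proto == "tcp" and p.dst_port == 22 and p.state == "NEW", "ACCEPT")
    return chain


def locks_out_admin(chain):
    """Safety check before 'iptables -P INPUT DROP': would a brand new ssh
    connection still be accepted? True means the change would cut off
    remote administration."""
    new_ssh = Packet("tcp", 22, "NEW", "eth0")
    return chain.verdict(new_ssh) != "ACCEPT"


if __name__ == "__main__":
    strict = build_input_chain("DROP")
    print(strict.verdict(Packet("tcp", 8080, "NEW", "eth0")), locks_out_admin(strict))
    empty = Chain("INPUT", "DROP")
    print(empty.verdict(Packet("tcp", 22, "NEW", "eth0")), locks_out_admin(empty))
```

The empty chain with a DROP policy is the lock-out case the notes warn about: the policy is applied to every packet, including the ssh session you are typing in, unless an ACCEPT rule for it already sits in the chain.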
Let's look at using the iptables service, which turns iptables into a systemctl service and is the more formal way to use it.
```bash
yum install -y iptables-services
```
Under the /etc/sysconfig directory there are the `iptables` and `iptables-config` files. If these two values are set to `yes`, iptables will save the config automatically into the `iptables` file, which is easy to maintain.
```bash
# Save current firewall rules on stop.
```
Monitoring Network
Measure network performance, bottleneck
```bash
# you can see the IPs along the path, e.g. with a VPN, check whether the path is correct
```
`traceroute` vs `tracepath`:
https://askubuntu.com/questions/114264/what-are-the-significant-differences-between-tracepath-and-traceroute
Some options of `traceroute` need root privilege, and it has more features than `tracepath`.
Display network status
```bash
# show how many errors and dropped packets, to see whether the network has a problem
```
The `netstat` command can also do the same thing.
```bash
netstat -i
```
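Reading the error and drop counters by eye works for one box; for a fleet you want the check automated. The following added example (not code from the original post) parses constructed `netstat -i` output, using the header line for column names so it does not depend on column positions, and reports interfaces whose error or drop counters exceed a chosen share of successfully handled packets. The thresholds and the noisy `eth1` counters are constructed.

```python
"""Flag interfaces with packet errors or drops from 'netstat -i' output
(added example, not from the original post; the output below is constructed
to look like net-tools on CentOS 7, with a deliberately noisy eth1)."""

NETSTAT_I = """\
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1232012      0      3      0   987233      0      0      0 BMRU
eth1      1500    40210    125   2004      0    39877     42      0      0 BMRU
lo       65536     2834      0      0      0     2834      0      0      0 LRU
"""


def parse_netstat_i(text):
    """Return {iface: {column: value}} using the header line for names,
    so the parser does not depend on column positions."""
    header = None
    stats = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Iface":
            header = fields
            continue
        if header is None or len(fields) != len(header):
            continue          # banner line or something we do not understand
        row = dict(zip(header, fields))
        for col in header[1:-1]:      # numeric columns between Iface and Flg
            row[col] = int(row[col])
        stats[row["Iface"]] = row
    return stats


def unhealthy_interfaces(stats, max_error_ratio=0.001, max_drop_ratio=0.01):
    """Interfaces whose RX/TX error or drop counters exceed a share of the
    OK packet count. Returns [(iface, reason)] sorted by interface name;
    the thresholds are constructed defaults, tune them to your links."""
    findings = []
    for iface, row in sorted(stats.items()):
        if iface == "lo":
            continue
        for side in ("RX", "TX"):
            ok = max(row[side + "-OK"], 1)
            err_ratio = row[side + "-ERR"] / ok
            drp_ratio = row[side + "-DRP"] / ok
            if err_ratio > max_error_ratio:
                findings.append((iface, "%s errors %.2f%%" % (side, err_ratio * 100)))
            if drp_ratio > max_drop_ratio:
                findings.append((iface, "%s drops %.2f%%" % (side, drp_ratio * 100)))
    return findings


if __name__ == "__main__":
    for iface, reason in unhealthy_interfaces(parse_netstat_i(NETSTAT_I)):
        print(iface, reason)
```

Counters are cumulative since boot, so for a live check compare two samples taken a few seconds apart rather than the absolute values; the ratio logic stays the same.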
The `sysstat` command was also introduced; it needs to be installed with yum, and once installed it collects daily historical system data for later review. This is also a very important system monitoring tool.
There is another command, `nmap`, used to scan ports:
```bash
yum install -y nmap
```
You can use the `ss` command (similar to `netstat`) to show listening TCP ports:
```bash
# show listening ipv4 tcp sockets in numeric format
```
Network Basic
Here the basic concepts are reviewed by doing experiments. Set up the lab environment with VirtualBox; installing and using wireshark and tcpdump inside the VMs gives a very clear picture, with no other noise. When setting up the lab you can have one main VM and two client VMs: the main VM can reach the outside (Adapter1 set to NAT, Adapter2/3 set to Internal Network), and the client VMs can reach the main VM and thereby the outside indirectly (each client's Adapter1 set to Internal Network, joined to the main VM's Internal Network). Then you can do all kinds of ip, route and iptables experiments.
Network topology: LAN, WAN (bus, star, ring, full mesh)
Network devices: adapter, switch, router, firewall
OSI model
subnetting: a logically grouped collection of devices on the same network
subnet mask: network portion / host portion
special address: network address (all 0 in host portion), broadcast (all 1 in host portion), loopback 127.0.0.1
classful subnet: class A/B/C, they are inefficient
VLSM: variable length subnet mask, for example x.x.x/25
NAT: one to one, many to one map
ARP: address resolution protocol (IP -> MAC), broadcast on the bus to see who has the MAC for a particular IP
DNS: map hostname to IP, UDP protocol
IP packet: can be fragmented and reassembled by router and host. Fragmentation really hurts throughput, because every IP packet carries its own header. Also note that some IP encryption (VPN) adds extra length to the IP packet, causing fragmentation.
TTL: time to live in the IP header, this is how `traceroute` works
Routing Table:
- static: path defined by admin
- dynamic: path defined programmatically by routing protocol software, e.g. Quagga on Linux
TCP:
- connection oriented: three way handshake
- connection establishment/termination
- data transfer
- ports: a system can have more than one IP, ports are only unique per IP
- well known ports: 0-1024
- flow control: maintained by the receiver
- congestion control: the sender slows down
- error detection and retransmission
UDP:
- send it and forget it
- DNS (dig, host commands)
- VoIP
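The subnetting items in the list above (network portion vs host portion, network and broadcast addresses, classful classes, VLSM such as x.x.x/25) are quick to verify with the standard library. The following is an added example, not code from the original post; it uses constructed 192.168.56.x addresses and goes slightly beyond the list by adding a same-subnet test, which is the question behind "Network is not reachable" in the troubleshooting section.

```python
"""Subnet arithmetic for the concepts listed above: network portion vs host
portion, network and broadcast addresses, classful vs VLSM (added example,
not from the original post; the addresses are constructed)."""

import ipaddress


def describe(cidr):
    """Return the pieces a /N mask splits an address into."""
    iface = ipaddress.ip_interface(cidr)        # keeps the host bits
    net = iface.network
    host_bits = net.max_prefixlen - net.prefixlen
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),      # host portion all 0
        "broadcast": str(net.broadcast_address),  # host portion all 1
        "host_bits": host_bits,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def classful_class(address):
    """Class A/B/C from the first octet (the historical, inefficient scheme)."""
    first = int(str(ipaddress.ip_address(address)).split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"


def split_vlsm(cidr, new_prefix):
    """Cut a network into equal subnets with a longer mask, e.g. /24 -> /25."""
    net = ipaddress.ip_network(cidr)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def same_subnet(ip_a, ip_b, prefixlen):
    """True when both addresses share the network portion under the mask,
    i.e. they can talk directly without going through a router."""
    a = ipaddress.ip_interface("%s/%d" % (ip_a, prefixlen)).network
    b = ipaddress.ip_interface("%s/%d" % (ip_b, prefixlen)).network
    return a == b


if __name__ == "__main__":
    print(describe("192.168.56.130/25"))
    print(split_vlsm("192.168.56.0/24", 25))
    print(same_subnet("192.168.56.10", "192.168.56.200", 25))
```

The last call is the typical misconfiguration: two hosts on the same wire but with a /25 mask land in different subnets, and each will try to send to a gateway instead of ARPing for the other directly.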
- set up an http service on the server host
```bash
yum install -y httpd
```
- get the web page from the other host
```bash
wget http://<ip or hostname>/index.html
```
- install tcpdump and wireshark on the other host
```bash
yum install -y tcpdump wireshark wireshark-gnome
```
Check the arp cache
```bash
# '?' means stale
```
Specify the size of the data and the total number of pings:
```bash
# -c 1: ping once
```
Create a large file to transfer:
```bash
# fast allocate file
```
The traffic control setting is used to simulate a bad network. For example, while transferring a file with scp, set bad performance with tc and then restore it; you will see the transmission rate go up. You can look at the wireshark window scaling graph and IO graph. Reference: "Linux 下 TC 命令原理及详解" (an article on how the tc command works on Linux).
```bash
tc qdisc add dev eth1 root netem delay 3000m loss 5%
```
Let's look at the statistics. After performance recovers, the TCP congestion window size grows quickly:
This is the IO graph, showing the TCP window size and update points:
Network Troubleshooting
Network is not reachable. For example, cannot ping through.
```bash
# check subnet and gateway, then
```
No route to host, for example when doing scp; in that case go to the host server and check whether the port is open:
```bash
ss -lnt4
```
Look at the client side with wireshark; it may turn out to be a firewall issue! The port was blocked.