11-20-2018, 08:26 AM
Practical Networking for Linux Admins: TCP/IP
<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/11/practical-networking-for-linux-admins-tcp-ip.jpg" width="1051" height="528" title="" alt="" /></div><div><div><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/11/practical-networking-for-linux-admins-tcp-ip.jpg" class="ff-og-image-inserted" /></div>
<p><strong>Get to know networking basics with this tutorial from our archives.</strong></p>
<p>Linux grew up with a networking stack as part of its core, and networking is one of its strongest features. Let’s take a practical look at some of the TCP/IP fundamentals we use every day.</p>
<h3>It’s IP Address</h3>
<p>I have a peeve. OK, more than one. But for this article just one, and that is using “IP” as a shortcut for “IP address”. They are not the same. IP = Internet Protocol. You’re not managing Internet Protocols, you’re managing Internet Protocol addresses. If you’re creating, managing, and deleting Internet Protocols, then you are an uber guru doing something entirely different.</p>
<h3>Yes, OSI Model is Relevant</h3>
<p>TCP is short for Transmission Control Protocol. TCP/IP is shorthand for describing the Internet Protocol Suite, which contains multiple networking protocols. You’re familiar with the Open Systems Interconnection (OSI) model, which categorizes networking into seven layers:</p>
<ul>
<li>7. Application layer</li>
<li>6. Presentation layer</li>
<li>5. Session layer</li>
<li>4. Transport layer</li>
<li>3. Network layer</li>
<li>2. Data link layer</li>
<li>1. Physical layer</li>
</ul>
<p>The application layer includes the network protocols you use every day: SSH, TLS/SSL, HTTP, IMAP, SMTP, DNS, DHCP, streaming media protocols, and tons more.</p>
<p>TCP operates in the transport layer, along with its friend UDP, the User Datagram Protocol. TCP is more complex; it performs error-checking, and it tries very hard to deliver your packets. There is a lot of back-and-forth communication with TCP as it transmits and verifies transmission, and when packets get lost it resends them. UDP is simpler and has less overhead. It sends out datagrams once, and UDP neither knows nor cares if they reach their destination.</p>
<p>TCP is for ensuring that data is transferred completely and in order. If a file transfers with even one byte missing it’s no good. UDP is good for lightweight stateless transfers such NTP and DNS queries, and is efficient for streaming media. If your music or video has a blip or two it doesn’t render the whole stream unusable.</p>
<p>The physical layer refers to your networking hardware: Ethernet and wi-fi interfaces, cabling, switches, whatever gadgets it takes to move your bits and the electricity to operate them.</p>
<h3>Ports and Sockets</h3>
<p>Linux admins and users have to know about ports and sockets. A network socket is the combination of an IP address and port number. Remember back in the early days of Ubuntu, when the default installation did not include a firewall? No ports were open in the default installation, so there were no entry points for an attacker. “Opening a port” means starting a service, such as an HTTP, IMAP, or SSH server. Then the service opens a listening port to wait for incoming connections. “Opening a port” isn’t quite accurate because it’s really referring to a socket. You can see these with the <code>netstat</code> command. This example displays only listening sockets and the names of their services:</p>
<pre>
$ sudo netstat -plnt Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1583/mysqld tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 13951/qemu-system-x tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2101/dnsmasq
tcp 0 0 192.168.122.1:80 0.0.0.0:* LISTEN 2001/apache2
tcp 0 0 192.168.122.1:443 0.0.0.0:* LISTEN 2013/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1200/sshd tcp6 0 0 :::80 :::* LISTEN 2057/apache2 tcp6 0 0 :::22 :::* LISTEN 1200/sshd tcp6 0 0 :::443 :::* LISTEN 2057/apache2
</pre>
<p>This shows that MariaDB (whose executable is <code>mysqld</code>) is listening only on localhost at port 3306, so it does not accept outside connections. Dnsmasq is listening on 192.168.122.1 at port 53, so it is accepting external requests. SSH is wide open for connections on any network interface. As you can see, you have control over exactly what network interfaces, ports, and addresses your services accept connections on.</p>
<p>Apache is listening on two IPv4 and two IPv6 ports, 80 and 443. Port 80 is the standard unencrypted HTTP port, and 443 is for encrypted TLS/SSL sessions. The foreign IPv6 address of :::* is the same as 0.0.0.0:* for IPv4. Those are wildcards accepting all requests from all ports and IP addresses. If there are certain addresses or address ranges you do not want to accept connections from, you can block them with firewall rules.</p>
<p>A network socket is a TCP/IP endpoint, and a TCP/IP connection needs two endpoints. A socket represents a single endpoint, and as our <code>netstat</code> example shows a single service can manage multiple endpoints at one time. A single IP address or network interface can manage multiple connections.</p>
<p>The example also shows the difference between a service and a process. <code>apache2</code> is the service name, and it is running four processes. <code>sshd</code> is one service with one process listening on two different sockets.</p>
<h3>Unix Sockets</h3>
<p>Networking is so deeply embedded in Linux that its Unix domain sockets (also called inter-process communications, or IPC) behave like TCP/IP networking. Unix domain sockets are endpoints between processes in your Linux operating system, and they operate only inside the Linux kernel. You can see these with <code>netstat</code>:</p>
<pre>
$ netstat -lx Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 988 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 29730 /run/user/1000/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 357 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 27233 /run/user/1000/keyring/control
</pre>
<p>It’s rather fascinating how they operate. The SOCK_STREAM socket type behaves like TCP with reliable delivery, and SOCK_DGRAM is similar to UDP, unordered and unreliable, but fast and low-overhead. You’ve heard how everything in Unix is a file? Instead of networking protocols and IP addresses and ports, Unix domain sockets use special files, which you can see in the above example. They have inodes, metadata, and permissions just like the regular files we use every day.</p>
<p>If you want to dig more deeply there are a lot of excellent books. Or, you might start with <code>man tcp</code> and <code>man 2 socket</code>. Next week, we’ll look at network configurations, and whatever happened to IPv6?</p>
<p><em>Learn more about Linux through the free <a href="https://training.linuxfoundation.org/linux-courses/system-administration-training/introduction-to-linux" target="_blank">“Introduction to Linux” </a>course from The Linux Foundation and edX.</em></p>
</div>
<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/11/practical-networking-for-linux-admins-tcp-ip.jpg" width="1051" height="528" title="" alt="" /></div><div><div><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/11/practical-networking-for-linux-admins-tcp-ip.jpg" class="ff-og-image-inserted" /></div>
<p><strong>Get to know networking basics with this tutorial from our archives.</strong></p>
<p>Linux grew up with a networking stack as part of its core, and networking is one of its strongest features. Let’s take a practical look at some of the TCP/IP fundamentals we use every day.</p>
<h3>It’s IP Address</h3>
<p>I have a peeve. OK, more than one. But for this article just one, and that is using “IP” as a shortcut for “IP address”. They are not the same. IP = Internet Protocol. You’re not managing Internet Protocols, you’re managing Internet Protocol addresses. If you’re creating, managing, and deleting Internet Protocols, then you are an uber guru doing something entirely different.</p>
<h3>Yes, OSI Model is Relevant</h3>
<p>TCP is short for Transmission Control Protocol. TCP/IP is shorthand for describing the Internet Protocol Suite, which contains multiple networking protocols. You’re familiar with the Open Systems Interconnection (OSI) model, which categorizes networking into seven layers:</p>
<ul>
<li>7. Application layer</li>
<li>6. Presentation layer</li>
<li>5. Session layer</li>
<li>4. Transport layer</li>
<li>3. Network layer</li>
<li>2. Data link layer</li>
<li>1. Physical layer</li>
</ul>
<p>The application layer includes the network protocols you use every day: SSH, TLS/SSL, HTTP, IMAP, SMTP, DNS, DHCP, streaming media protocols, and tons more.</p>
<p>TCP operates in the transport layer, along with its friend UDP, the User Datagram Protocol. TCP is more complex; it performs error-checking, and it tries very hard to deliver your packets. There is a lot of back-and-forth communication with TCP as it transmits and verifies transmission, and when packets get lost it resends them. UDP is simpler and has less overhead. It sends out datagrams once, and UDP neither knows nor cares if they reach their destination.</p>
<p>TCP is for ensuring that data is transferred completely and in order. If a file transfers with even one byte missing it’s no good. UDP is good for lightweight stateless transfers such NTP and DNS queries, and is efficient for streaming media. If your music or video has a blip or two it doesn’t render the whole stream unusable.</p>
<p>The physical layer refers to your networking hardware: Ethernet and wi-fi interfaces, cabling, switches, whatever gadgets it takes to move your bits and the electricity to operate them.</p>
<h3>Ports and Sockets</h3>
<p>Linux admins and users have to know about ports and sockets. A network socket is the combination of an IP address and port number. Remember back in the early days of Ubuntu, when the default installation did not include a firewall? No ports were open in the default installation, so there were no entry points for an attacker. “Opening a port” means starting a service, such as an HTTP, IMAP, or SSH server. Then the service opens a listening port to wait for incoming connections. “Opening a port” isn’t quite accurate because it’s really referring to a socket. You can see these with the <code>netstat</code> command. This example displays only listening sockets and the names of their services:</p>
<pre>
$ sudo netstat -plnt Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1583/mysqld tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 13951/qemu-system-x tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2101/dnsmasq
tcp 0 0 192.168.122.1:80 0.0.0.0:* LISTEN 2001/apache2
tcp 0 0 192.168.122.1:443 0.0.0.0:* LISTEN 2013/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1200/sshd tcp6 0 0 :::80 :::* LISTEN 2057/apache2 tcp6 0 0 :::22 :::* LISTEN 1200/sshd tcp6 0 0 :::443 :::* LISTEN 2057/apache2
</pre>
<p>This shows that MariaDB (whose executable is <code>mysqld</code>) is listening only on localhost at port 3306, so it does not accept outside connections. Dnsmasq is listening on 192.168.122.1 at port 53, so it is accepting external requests. SSH is wide open for connections on any network interface. As you can see, you have control over exactly what network interfaces, ports, and addresses your services accept connections on.</p>
<p>Apache is listening on two IPv4 and two IPv6 ports, 80 and 443. Port 80 is the standard unencrypted HTTP port, and 443 is for encrypted TLS/SSL sessions. The foreign IPv6 address of :::* is the same as 0.0.0.0:* for IPv4. Those are wildcards accepting all requests from all ports and IP addresses. If there are certain addresses or address ranges you do not want to accept connections from, you can block them with firewall rules.</p>
<p>A network socket is a TCP/IP endpoint, and a TCP/IP connection needs two endpoints. A socket represents a single endpoint, and as our <code>netstat</code> example shows a single service can manage multiple endpoints at one time. A single IP address or network interface can manage multiple connections.</p>
<p>The example also shows the difference between a service and a process. <code>apache2</code> is the service name, and it is running four processes. <code>sshd</code> is one service with one process listening on two different sockets.</p>
<h3>Unix Sockets</h3>
<p>Networking is so deeply embedded in Linux that its Unix domain sockets (also called inter-process communications, or IPC) behave like TCP/IP networking. Unix domain sockets are endpoints between processes in your Linux operating system, and they operate only inside the Linux kernel. You can see these with <code>netstat</code>:</p>
<pre>
$ netstat -lx Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 988 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 29730 /run/user/1000/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 357 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 27233 /run/user/1000/keyring/control
</pre>
<p>It’s rather fascinating how they operate. The SOCK_STREAM socket type behaves like TCP with reliable delivery, and SOCK_DGRAM is similar to UDP, unordered and unreliable, but fast and low-overhead. You’ve heard how everything in Unix is a file? Instead of networking protocols and IP addresses and ports, Unix domain sockets use special files, which you can see in the above example. They have inodes, metadata, and permissions just like the regular files we use every day.</p>
<p>If you want to dig more deeply there are a lot of excellent books. Or, you might start with <code>man tcp</code> and <code>man 2 socket</code>. Next week, we’ll look at network configurations, and whatever happened to IPv6?</p>
<p><em>Learn more about Linux through the free <a href="https://training.linuxfoundation.org/linux-courses/system-administration-training/introduction-to-linux" target="_blank">“Introduction to Linux” </a>course from The Linux Foundation and edX.</em></p>
</div>