Olaf Kirch - Linux Network Administrator Guide, Second Edition

Here you can read online "Olaf Kirch - Linux Network Administrator Guide, Second Edition", the complete text of the electronic book, free of charge (the full, unabridged version). In some cases an audio version is available, a torrent download in fb2 format, and a short summary. Year of publication: 2000, ISBN: 2000, Genre: OS and Networks, in English. A description of the work (the preface) and visitors' reviews are available on the LibCat library portal.

Linux Network Administrator Guide, Second Edition: summary, description and annotation


This book was written to provide a single reference for network administration in a Linux environment. Beginners and experienced users alike should find the information they need to cover nearly all important administration activities required to manage a Linux network configuration. The possible range of topics to cover is nearly limitless, so of course it has been impossible to include everything there is to say on all subjects. We've tried to cover the most important and common ones. We've found that beginners to Linux networking, even those with no prior exposure to Unix-like operating systems, have found this book good enough to help them successfully get their Linux network configurations up and running and get them ready to learn more.
There are many books and other sources of information from which you can learn any of the topics covered in this book (with the possible exception of some of the truly Linux-specific features, such as the new Linux firewall interface, which is not well documented elsewhere) in greater depth. We've provided a bibliography for you to use when you are ready to explore more.


# This should catch more than 95 % of all valid TCP packets.
$IPTABLES -A FORWARD -p tcp -m multiport -d $OURNET --dports $TCPIN \
    ! --tcp-flags SYN,ACK ACK -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m multiport -s $OURNET --sports $TCPIN \
    ! --tcp-flags SYN,ACK ACK -j ACCEPT

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPTABLES -A FORWARD -p tcp -m multiport -i $ANYDEV -d $OURNET --dports $TCPIN \
    --syn -j ACCEPT

# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed
# TCP ports.
$IPTABLES -A FORWARD -p tcp -m multiport -i $OURDEV -d $ANYADDR \
    --dports $TCPOUT --syn -j ACCEPT

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports and back.
$IPTABLES -A FORWARD -p udp -m multiport -i $ANYDEV -d $OURNET \
    --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport -i $ANYDEV -s $OURNET \
    --sports $UDPIN -j ACCEPT

# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
$IPTABLES -A FORWARD -p udp -m multiport -i $OURDEV -d $ANYADDR \
    --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport -i $OURDEV -s $ANYADDR \
    --sports $UDPOUT -j ACCEPT

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# (The multiport match understands TCP/UDP ports only, so ICMP types are
# matched one at a time with --icmp-type; ICMPIN and ICMPOUT may be
# comma or space separated lists of types.)
for type in $(echo $ICMPIN | tr ',' ' '); do
    $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET \
        --icmp-type $type -j ACCEPT
done

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
for type in $(echo $ICMPOUT | tr ',' ' '); do
    $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR \
        --icmp-type $type -j ACCEPT
done

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
    # Log barred TCP
    $IPTABLES -A FORWARD -m tcp -p tcp -j LOG
    # Log barred UDP
    $IPTABLES -A FORWARD -m udp -p udp -j LOG
    # Log barred ICMP (the icmp protocol has no udp match module)
    $IPTABLES -A FORWARD -p icmp -j LOG
fi
#
# end.

In many simple situations, to use the sample all you have to do is edit the top section of the file labeled "USER CONFIGURABLE section" to specify which protocols and datagram types you wish to allow in and out. For more complex configurations, you will need to edit the section at the bottom as well. Remember, this is a simple example, so scrutinize it very carefully to ensure it does what you want while implementing it.

Chapter 10. IP Accounting

In today's world of commercial Internet service, it is becoming increasingly important to know how much data you are transmitting and receiving on your network connections. If you are an Internet Service Provider and you charge your customers by volume, this will be essential to your business. If you are a customer of an Internet Service Provider that charges by data volume, you will find it useful to collect your own data to ensure the accuracy of your Internet charges.

There are other uses for network accounting that have nothing to do with dollars and bills. If you manage a server that offers a number of different types of network services, it might be useful to you to know exactly how much data is being generated by each one. This sort of information could assist you in making decisions, such as what hardware to buy or how many servers to run.

The Linux kernel provides a facility that allows you to collect all sorts of useful information about the network traffic it sees. This facility is called IP accounting.

Configuring the Kernel for IP Accounting

The Linux IP accounting feature is very closely related to the Linux firewall software. The places you want to collect accounting data are the same places that you would be interested in performing firewall filtering: into and out of a network host, and in the software that does the routing of datagrams. If you haven't read the section on firewalls, now is probably a good time to do so, as we will be using some of the concepts described in Chapter 9, TCP/IP Firewall.

To activate the Linux IP accounting feature, you should first see if your Linux kernel is configured for it. Check to see if the /proc/net/ip_acct file exists. If it does, your kernel already supports IP accounting. If it doesn't, you must build a new kernel, ensuring that you answer "Y" to the options in 2.0 and 2.2 series kernels:

Networking options --->
    [*] Network firewalls
    [*] TCP/IP networking
    ...
    [*] IP: accounting

or in 2.4 series kernels:

Networking options --->
    [*] Network packet filtering (replaces ipchains)

Configuring IP Accounting

Because IP accounting is closely related to IP firewall, the same tool was designated to configure it, so ipfwadm, ipchains or iptables are used to configure IP accounting. The command syntax is very similar to that of the firewall rules, so we won't focus on it, but we will discuss what you can discover about the nature of your network traffic using this feature.

The general syntax for IP accounting with ipfwadm is:

# ipfwadm -A [ direction ] [ command ] [ parameters ]

The direction argument is new. This is simply coded as in, out, or both. These directions are from the perspective of the Linux machine itself, so in means data coming into the machine from a network connection and out means data that is being transmitted by this host on a network connection. The both direction is the sum of the incoming and outgoing directions.

The general command syntax for ipchains and iptables is:

# ipchains -A chain rule-specification

# iptables -A chain rule-specification

The ipchains and iptables commands allow you to specify direction in a manner more consistent with the firewall rules. IP Firewall Chains doesn't allow you to configure a rule that aggregates both directions, but it does allow you to configure rules in the forward chain that the older implementation did not. We'll see the difference that makes in some examples a little later.

The commands are much the same as firewall rules, except that the policy rules do not apply here. We can add, insert, delete, and list accounting rules. In the case of ipchains and iptables, all valid rules are accounting rules, and any command that doesn't specify the -j option performs accounting only.

The rule specification parameters for IP accounting are the same as those used for IP firewall. These are what we use to define precisely what network traffic we wish to count and total.

Accounting by Address

Let's work with an example to illustrate how we'd use IP accounting.

Imagine we have a Linux-based router that serves two departments at the Virtual Brewery. The router has two Ethernet devices, eth0 and eth1 , each of which services a department; and a PPP device, ppp0 , that connects us via a high-speed serial link to the main campus of the Groucho Marx University.
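To make the iptables accounting rules described above concrete for this two-department router, here is an added example that is not from the book: it generates FORWARD-chain rules with no -j target (so they only count, as explained in the previous section) and totals the resulting counters from the output of "iptables -L FORWARD -v -n -x". The networks 172.16.3.0/24, 172.16.4.0/24 and 172.16.0.0/16 and the sample counter listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: iptables accounting for the router above
# (eth0, eth1 -> departments; ppp0 -> campus). All addresses are constructed.
DEPT_A=172.16.3.0/24   # constructed: department behind eth0
DEPT_B=172.16.4.0/24   # constructed: department behind eth1
CAMPUS=172.16.0.0/16   # constructed: main campus, reached over ppp0
IPTABLES=${IPTABLES:-iptables}

# Print the accounting rules. None has a -j target, so each only increments
# its packet/byte counters and lets the datagram fall through to whatever
# filtering rules follow. Pipe the output into sh to load them (needs root).
accounting_rules() {
    for net in $DEPT_A $DEPT_B; do
        echo "$IPTABLES -A FORWARD -s $net -d $CAMPUS -o ppp0"   # dept -> campus
        echo "$IPTABLES -A FORWARD -s $CAMPUS -d $net -i ppp0"   # campus -> dept
    done
}

# Summarise counters from "iptables -L FORWARD -v -n -x" output (-x prints
# exact byte counts). A pure accounting rule has an EMPTY target column, so
# its line has one whitespace-separated field fewer (8 instead of 9); rules
# with a target are filtering rules and are skipped. Output per accounting
# rule: "source destination bytes".
account_totals() {
    awk 'NR > 2 && NF == 8 { print $7, $8, $2 }'
}

# Constructed sample, in the layout "iptables -L FORWARD -v -n -x" uses.
SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      98432            all  --  *      ppp0    172.16.3.0/24        172.16.0.0/16
     340     512000            all  --  ppp0   *       172.16.0.0/16        172.16.3.0/24
    4100    3250000 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.0/16'

# Total bytes counted for one department network in both directions.
dept_bytes() {   # $1 = department network, e.g. 172.16.3.0/24
    printf '%s\n' "$SAMPLE" | account_totals |
        awk -v net="$1" '$1 == net || $2 == net { sum += $3 } END { print sum + 0 }'
}
```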
