The aim of these practical tasks is to use command-line tools to configure static networking. We make the network settings persistent (for static networking) by editing the networking configuration files.
Background
We will set up a network initially using static addressing and will test our servers by pinging and then using ssh between them.
image credit: UTS Faculty of Engineering & IT
Before we begin, we make sure the network is up, i.e., use systemctl enable NetworkManager.service. Then we use the following commands to check the existing configuration.
Check existing configuration on Linux using the following commands.
ifconfig
route -n
Check existing configuration on Windows using the following commands.
ipconfig
route print -4
DNS suffix:
Inet address: 192.168.156.155
Subnet mask: 255.255.255.0
Default route: 192.168.156.2
DNS suffix: localadmin
Inet address: 192.168.156.154
Subnet mask: 255.255.255.0
Default route: 192.168.156.2
There are also graphical user interfaces to the network management tools.
On Linux: Settings > Network
To check the status of all network interfaces on Linux:
ifconfig -a
(the ifconfig command itself is located at /sbin/ifconfig).
Global network configuration parameters (i.e. not interface specific) are in /etc/sysconfig/network
Interface-specific network parameters are in /etc/sysconfig/network-scripts/ifcfg-ens33 for the Ethernet 0 interface and in /etc/sysconfig/network-scripts/ifcfg-ens37 for the Ethernet 1 interface.
In older machines we may find these named ‘eth0’ and ‘eth1’, but current machines use the Consistent Network Device Naming conventions.
Check the network interface status on Windows:
Network & Internet Settings > Ethernet > Change adapter options > Double-click one of the Ethernet adapters to view details of the connection > Details
We note that we don’t have a network connection for the second adapter – ens37 on Linux and Local Area Connection 2 on Windows Server.
Note: Windows uses Automatic Private IP Addressing (APIPA) to allocate an address in the 169.254.0.0/15 address range. We will change this in the next task.
We are going to set up our own private network on the 2nd network adapter via the VMnet2 virtual switch.
Try using IP skills to decide on the following setup configuration:
Our network will be in the subnet 10.0.2.0/24
We will have to eventually cope with 200 machines
Our gateway will be the Linux machine
Pick an appropriate IP address/netmask/gateway for the Linux and Windows servers
Calculated subnet and host values:
Linux server:
Inet address: 10.0.2.1
Subnet mask: 255.255.255.0
Default route: 10.0.2.1
Windows server:
Inet address: 10.0.2.2
Subnet mask: 255.255.255.0
Default route: 10.0.2.1
Initially, your machine is configured to use DHCP networking. But for now, we want to set the IP address manually, using command-line tools.
Step 1: configure network parameters for Ethernet 1
We use the ifconfig command to manually configure the network parameters for Ethernet 1 (ens37). We use the above calculated values for the system.
e.g.
ifconfig ens37 [ip-addr] netmask [netmask]
ifconfig ens37 10.0.2.1 netmask 255.255.255.0
The netmask option may be omitted, in which case the netmask will default to the classful netmask, which is not appropriate here since we have a private class A address (recall 10.0.0.0/8?).
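The addressing plan above and the classful-default caveat, worked through with shell arithmetic. This is an added example, not part of the original lab notes; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the lab.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask implied by the address class (A/B/C only) when none is given.
classful_mask() {
    first=${1%%.*}
    if   [ "$first" -lt 128 ]; then echo 255.0.0.0
    elif [ "$first" -lt 192 ]; then echo 255.255.0.0
    else                            echo 255.255.255.0
    fi
}

# network_of IP MASK / broadcast_of IP MASK
network_of() { int2ip $(( $(ip2int "$1") & $(ip2int "$2") )); }
broadcast_of() {
    host_bits=$(( ~$(ip2int "$2") & 4294967295 ))
    int2ip $(( ($(ip2int "$1") & $(ip2int "$2")) | host_bits ))
}

# usable_hosts MASK: addresses left after network and broadcast are reserved.
usable_hosts() { echo $(( (~$(ip2int "$1") & 4294967295) - 1 )); }

# same_subnet IP_A IP_B MASK: true when both hosts are on-link to each other.
same_subnet() { [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]; }

# plan_report IP MASK NEEDED_HOSTS
plan_report() {
    echo "$1/$2: net $(network_of "$1" "$2"), bcast $(broadcast_of "$1" "$2"), $(usable_hosts "$2") usable (need $3)"
}

plan_report 10.0.2.1 255.255.255.0 200                 # the mask chosen in the lab
plan_report 10.0.2.1 "$(classful_mask 10.0.2.1)" 200   # what omitting netmask gives
same_subnet 10.0.2.1 10.0.2.2 255.255.255.0 && echo "Linux and Windows servers share a subnet"
```

With the classful default, ens37 would treat all of 10.0.0.0/8 as directly attached, so the explicit 255.255.255.0 is what keeps the interface scoped to the lab subnet.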
View the routing table using the route command or netstat -r.
Next, add a default route that will send traffic to the virtual network's default gateway, which is shown below. Although the default gateway is already set to the correct IP address for your topology, it is important to know and be able to use the command for setting a default gateway.
route add default gw [gateway-ip-addr]
# route add default gw 10.0.2.1
Now, we test that the statically configured network is working by trying to ping [gateway-ip-addr] (which we defined earlier).
# ping 10.0.2.1
Q: Can we ping the Linux server from the host workstation?
No. When pinging from local host, 100 % packet loss
Try pinging both interfaces – the original ens33 one THEN the ens37 address you allocated.
ens33 is reachable from local host
Which works? Can you guess why you mightn’t be able to ping the other?
Ens33 is pingable.
On Windows Server, we will use the GUI to configure our 2nd network card.
Server manager → Local Server → then click on the interface (Ethernet1) to bring up the Network Connections control panel.
Right-click on the interface (Ethernet1) → Properties
Choose “Internet Protocol Version 4 (TCP/IPv4)” → Properties
Then choose the “Use the following IP Address” & enter the values you calculated
Inet address: 10.0.2.2
Subnet mask: 255.255.255.0
Default route: 10.0.2.1
Confirm that the configuration is correct (ipconfig command)
# ipconfig
Now you should be able to ping the Linux server
Verify that this is two way by pinging from the Linux server to your Windows server.
If you can’t, you may need to set up your firewalls to enable the ping command. See the next optional task to set up the firewall on both Linux and Windows.
Verifying network connection from Windows server
Verifying network connection from Linux server.
We could ping from Windows to Linux but not from Linux to Windows. This is because, by default, Windows Server disables the ping (ICMP Echo) response.
First, be aware that Windows runs all network adapters in various “profiles” for each network location. These profiles are usually: Private, Domain, and Public (with increasing levels of paranoia).
There are 2 ways to modify the Windows firewall: an easy method and an advanced method.
Easy method:
> Click Start
> Control Panel
> Network and Internet
> System and Security
> Windows Defender Firewall
> Allow an app through firewall
> File and Print sharing → enable checkbox(es) (private and public)
> Press OK button.
Note that if we choose option 1 (Control Panel → Windows Firewall), then look at the Server Manager, this will enable all the File and Print sharing options.
BE VERY CAREFUL WITH THIS OPTION – we are also opening up the file sharing ports on the Windows firewall (Printing, SMB, RPC), not just the ICMP (ping) functionality.
Advanced method: Server manager → Tools → Windows Defender Firewall with Advanced Security → Inbound rules → File and Printer sharing (Echo request ICMPv4 IN, domain….) → enable for each profile
As we can see, we can do fine-grained firewall management through this management console.
Different versions of Linux can use different firewall packages. The package used by CentOS is ‘firewalld’.
Verify that firewalld is active (currently running) and enabled (will start at boot) with
systemctl status firewalld
Linux is considerably harder to set up, so we will install the firewall-config package to manage the firewall. Let's do this now.
Run the command with:
yum install firewall-config
If yum install firewall-config fails with an error such as:
Error: Failed to download metadata for repo 'appstream': cannot prepare internal mirrorlist: No URLs in mirrorlist
Solution: upgrade CentOS.
We are running CentOS 8, which is already an obsolete OS, so upgrading to CentOS Stream is recommended. Upgrading also fixes the firewall-config yum install error.
To upgrade, execute the following commands in the terminal:
# cd /etc/yum.repos.d/
# sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
# sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
# yum update -y
# dnf --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos
# dnf distro-sync
After installing the firewall management tool firewall-config, run the following command from the terminal to open the firewall configuration window:
# firewall-config
Firewall configuration > Connections > ens37 > public > ICMP Filter > echo-reply (check - to disable)
Firewall configuration > Connections > ens37 > public > ICMP Filter > echo-request (check - to disable)
In the connections list on the left, check which zone the ens37 interface is in (usually “public”).
Then in the main part of the window, we make sure we are in the ‘Zones’ tab and the public zone is selected. There is a set of sub-tabs, e.g. Services, Ports, Protocols, etc.
If we scroll across we should find a tab called “ICMP Filter”. By default the boxes are unchecked. Unlike Windows, Linux by default allows all ping (ICMP Echo) requests.
If we turn on the checkbox for echo-reply, Linux should REJECT the incoming Pings.
Apply this, and then check that we now can’t ping from Windows.
Finish off this task by re-enabling ping (ICMP reply).
The command-line equivalents of this are:
• firewall-cmd --add-icmp-block=echo-reply
• firewall-cmd --remove-icmp-block=echo-reply
• firewall-cmd --query-icmp-block=echo-reply
The statically configured Linux network setup described above will, of course, vanish on reboot and be replaced by whatever is specified in the startup network configuration files. This task involves modifying the network configuration files.
Unfortunately this is quite different for different varieties of Linux. Here we will work with the Fedora/Redhat/Centos approach (of course), but unlike the steps described in Task 1, most of this knowledge is not transferable to other varieties of UNIX/Linux.
Static networking configuration files
There are two main configuration files to configure static networking on CentOS:
/etc/sysconfig/network (global parameters that apply to all interfaces)
/etc/sysconfig/network-scripts/ifcfg-ensXX (interface-specific parameters for Ethernet interfaces).
To make ens33 connect automatically when the system boots:
# vim /etc/sysconfig/network-scripts/ifcfg-ens33
> ONBOOT=yes
> :wq (save & quit the config file)
Detail:
First, edit/view ifcfg-ens33 (Ethernet 0).
BOOTPROTO should say BOOTPROTO=dhcp, meaning that this interface will be dynamically assigned an IP address by a DHCP server. Because of this there shouldn’t be an IPADDR or NETMASK entry in this file.
Also note/check that DEFROUTE=yes. This means that this interface should be the default route/gateway.
Finally, look for ONBOOT. If it shows ONBOOT=no then change it to ONBOOT=yes.
Then edit ifcfg-ens37 (or create it if it doesn’t exist by copying ifcfg-ens33):
# cp /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-ens37
Edit the ifcfg-ens37 file
> BOOTPROTO=none
> Delete the "DEFROUTE" line
> NAME=ens37
> Delete the "UUID...." line
> DEVICE=ens37
> ONBOOT=yes
Add:
> IPADDR=10.0.2.1
> NETMASK=255.255.255.0
> :wq
Change the line that starts with DEVICE= to say DEVICE=ens37
Change the line that starts with NAME= to say NAME=ens37
If there is a UUID line, delete it
Because our ens37 interface should have a static IP address, next change the BOOTPROTO line to say BOOTPROTO=none
Then set the variables IPADDR and NETMASK to the same values as you used for Task 1 (e.g. Add the line IPADDR=10.0.2.x where x was your host TCP/IP address)
IPADDR=10.0.2.1
NETMASK=255.255.255.0
Make sure it says DEFROUTE=no (this is not the default route)
Also make sure this interface will start up automatically when the machine boots (ONBOOT=yes)
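The edits listed above, applied to a scratch copy and then checked. This is an added example, not part of the original lab notes: the helper names and the sample ifcfg-ens33 contents are constructed, it follows the DEFROUTE=no variant of the steps, and it writes only to a temporary directory.

```shell
#!/bin/sh
# Added example: helper names and the sample file are constructed for illustration.

# make_static_ifcfg SRC DEST DEVICE IPADDR NETMASK
# Keep unrelated keys from SRC, drop every key the steps change (and the UUID,
# which must not be shared with the source interface), then append the new values.
make_static_ifcfg() {
    sed -E '/^(DEVICE|NAME|UUID|BOOTPROTO|DEFROUTE|ONBOOT|IPADDR|NETMASK)=/d' "$1" > "$2"
    printf '%s\n' "DEVICE=$3" "NAME=$3" BOOTPROTO=none DEFROUTE=no ONBOOT=yes \
        "IPADDR=$4" "NETMASK=$5" >> "$2"
}

# ifcfg_get FILE KEY: print the last value set for KEY, without quotes.
ifcfg_get() { sed -n "s/^$2=//p" "$1" | tr -d '"' | tail -n 1; }

# check_static_ifcfg FILE DEVICE: print each problem, return non-zero if any.
check_static_ifcfg() {
    rc=0
    for want in "DEVICE=$2" BOOTPROTO=none DEFROUTE=no ONBOOT=yes; do
        key=${want%%=*}
        [ "$(ifcfg_get "$1" "$key")" = "${want#*=}" ] || { echo "$key should be ${want#*=}"; rc=1; }
    done
    [ -n "$(ifcfg_get "$1" IPADDR)" ]  || { echo "IPADDR missing"; rc=1; }
    [ -n "$(ifcfg_get "$1" NETMASK)" ] || { echo "NETMASK missing"; rc=1; }
    [ -z "$(ifcfg_get "$1" UUID)" ]    || { echo "UUID copied from another interface"; rc=1; }
    return "$rc"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample of a DHCP-configured ifcfg-ens33.
    printf '%s\n' TYPE=Ethernet BOOTPROTO=dhcp DEFROUTE=yes NAME=ens33 \
        UUID=00000000-0000-0000-0000-000000000000 DEVICE=ens33 ONBOOT=no > "$dir/ifcfg-ens33"
    make_static_ifcfg "$dir/ifcfg-ens33" "$dir/ifcfg-ens37" ens37 10.0.2.1 255.255.255.0
    check_static_ifcfg "$dir/ifcfg-ens37" ens37 && cat "$dir/ifcfg-ens37"
    rm -rf "$dir"
}
demo
```

Running check_static_ifcfg against an unmodified copy of ifcfg-ens33 lists every key that still needs changing, which is a quick way to catch a leftover UUID or DEFROUTE=yes before bringing the interface up.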
3a. To test the configuration, use the ifdown and ifup scripts in the network-scripts directory. Bring the interface down first, and then up:
ifdown ens37
ifup ens37
Error: running ifdown ens37 may fail with an error message that includes:
"Error: no active connection provided"
Solution:
Run the following command:
# nmcli con up ens37
3b. Alternatively, to restart/reload all networking, we can run:
systemctl restart NetworkManager.service
3c. A third way is to use the NetworkManager command nmcli. Increasingly this is the preferred way to manage network connections rather than ifconfig/ifdown/ifup. Try the following commands and compare them with ifconfig/ifdown/ifup.
We note similarities/differences in this journal.
nmcli con show ens37
nmcli con down ens37
nmcli con up ens37
A fourth way is to use the command nmtui. Try it.
After making changes and bringing the interfaces down/up, use the ifconfig and route commands to check that the configuration looks correct. Test by using ping to and from the two servers.
Reboot the main VM and test that all of the changes you made are persistent.