Linux networking

How linux supports networking


Linux networking overview

Table of contents

  1. Kernel networking subsystem
  2. Network utilities and commands

Kernel networking subsystem

Description

  • The networking subsystem adds connectivity to the kernel (which can be compiled without it).
  • It implements some abstraction layers of the OSI model:
    • The kernel itself implements protocols for the transport and network layers (socket management and traffic routing).
    • The NIC driver implements protocols for the lower data link and physical layers.
    • The NIC driver runs in kernel space and interacts directly with the hardware.


  • On the other hand, protocols for the upper layers are implemented in dedicated programs (HTTP server, SSH server, etc.).
  • Those programs run in user space and do not have direct access to the hardware.

Sockets (transport layer)

  • The abstraction used for network communication in user space is the socket, which is associated with:
    • An IP address.
    • A transport layer protocol (TCP, UDP, etc.).
    • A port number.
  • The networking subsystem allows the kernel to encapsulate and transmit user space application data over the network.
  • Packet / datagram transmission and reception are thus transparent to user space applications, whether the protocol is stateful (TCP) or stateless (UDP).

IP routing (network layer)

  • The networking subsystem is also responsible for routing outgoing packets / datagrams.
  • The route from the source host to the destination host usually spans multiple networks connected by gateways.
  • Each time a packet is passed from one network to another, it performs what is called a network hop.
  • Routing is usually done using IP forwarding: packets are directed to their respective next-hop addresses.
  • In order to route packets, the kernel maintains a dedicated structure called the routing table:
# the routing table here contains next-hop addresses for:
# - outgoing traffic (default gateway)
# - local network traffic (local subnet)
sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.234.19.1    0.0.0.0         UG    0      0        0 eth0
172.234.19.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

Note: the default gateway is used whenever the routing table holds no more specific entry for the destination.
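The routing decision described above, as an added example that is not part of these notes: a Python script that parses the kernel's raw view of the table (/proc/net/route, the file behind route -n) and performs the same longest-prefix lookup the kernel does, falling back to the default gateway when no subnet route matches. The /proc/net/route content is a constructed sample matching the table above; on a live host, read the real file instead.

```python
import ipaddress

# Constructed sample of /proc/net/route, the kernel's raw view of the table
# printed by `route -n` above. Addresses and masks are hex in host byte order
# (little-endian on x86, so 0113EAAC is 172.234.19.1).
SAMPLE_PROC_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t0113EAAC\t0003\t0\t0\t0\t00000000\t0\t0\t0
eth0\t0013EAAC\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""
RTF_UP = 0x0001       # "U" flag: route is usable
RTF_GATEWAY = 0x0002  # "G" flag: next hop is a gateway rather than the destination

def hex_to_ip(field: str) -> ipaddress.IPv4Address:
    """Decode a little-endian hex field from /proc/net/route."""
    return ipaddress.IPv4Address(bytes.fromhex(field)[::-1])

def parse_routes(text: str) -> list:
    """Parse /proc/net/route content into the usable (UP) route entries."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8 or not int(fields[3], 16) & RTF_UP:
            continue
        network = ipaddress.IPv4Network(
            (str(hex_to_ip(fields[1])), str(hex_to_ip(fields[7]))), strict=False)
        routes.append({"iface": fields[0], "network": network, "metric": int(fields[6]),
                       "gateway": hex_to_ip(fields[2]), "flags": int(fields[3], 16)})
    return routes

def lookup(routes: list, destination: str):
    """Longest-prefix match as the kernel does it: (iface, next_hop, via_gateway)."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None  # "no route to host": nothing matched, not even a default route
    # The most specific prefix wins; on equal prefix length the lowest metric wins.
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    via_gateway = bool(best["flags"] & RTF_GATEWAY)
    next_hop = best["gateway"] if via_gateway else dst  # on-link: deliver directly
    return best["iface"], str(next_hop), via_gateway

ROUTES = parse_routes(SAMPLE_PROC_ROUTE)

if __name__ == "__main__":
    for host in ("172.234.19.42", "8.8.8.8"):  # local subnet vs. default gateway
        print(host, "->", lookup(ROUTES, host))
```

Comparing the lookup result for an external host against the gateway you expect is a quick check that no unexpected default route has been installed.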


Network utilities and commands

ip

  • Syntax: ip [ OPTIONS ] OBJECT { COMMAND | help }.
  • This command operates at the data link (ARP), network (IP) and transport (TCP) layers of the OSI model.
  • It is used to interact with IP addresses, network devices, the routing table, etc.
  • It comes as an all-in-one modern replacement for the net-tools package utilities (ifconfig, netstat, etc.).
  • sudo is required when modifying any value in the networking subsystem.
# print information, state and statistics for local interfaces in JSON format
ip -j -p -s link show

# print information and state for local IPv4 addresses
ip -family inet -br address show

# print and format the kernel's TCP metrics cache of recent peers (IP addresses, most recent first; add -r for name resolution)
ip -family inet -h -br tcp_metrics show | sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*source\s(.+)$/\2s \3 \1/gm' | sort -n | column -t

# same as the above, sorted by DNS names (name resolution takes a long time on public servers with many entries)
ip -family inet -h -br -r tcp_metrics show | sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*source\s(.+)$/\3 \1 \2s/gm' | sort | column -t

# reset tcp connections kernel cache
sudo ip tcp_metrics flush all

# print kernel routing table
ip route show

# same as the above with alternative and more explicit formatting
# one of the few examples where net-tools outperforms ip ...
sudo route -n -F

# print kernel ARP cache
ip neigh show

ss

  • Syntax: sudo ss [options] [ FILTER ].
  • This command displays statistics and information about sockets.
  • IPC (unix) sockets are included by default in the output.
  • sudo is required to display information about the processes owning the sockets.
# print all listening/established tcp connections + name resolution + process information
sudo ss -p -r --tcp state established
sudo ss -p -r --tcp state listening

# print statistics on system socket usage
ss -s

# list all established ssh connections (state filter excludes the listening socket)
ss -t state established '( dport = :22 or sport = :22 )'
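As an added example (not part of the original notes), a Python script that parses `sudo ss -tlnp` output into an inventory of listening TCP sockets and reports the ones bound to every interface, together with the owning process. The ss output below is a constructed sample; the last line has no Process column, which is what ss shows for another user's socket when it is not run with sudo.

```python
import re

# Constructed sample of `sudo ss -tlnp` output (listening TCP sockets, numeric
# ports, owning processes). The 9100 entry has no Process column, as printed
# when ss lacks the privileges to inspect the owning process.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      511    [::]:80             [::]:*            users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
LISTEN 0      4096   *:9100              *:*
"""

# Local addresses meaning "every interface": such listeners are reachable from the network.
WILDCARDS = {"0.0.0.0", "::", "*"}
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss(text: str) -> list:
    """Parse ss output lines into dicts (address, port, owning processes, exposure)."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split(None, 5)     # keep the whole Process column as one field
        if len(fields) < 5:
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit: IPv6 addresses contain colons
        addr = addr.strip("[]")
        procs = PROCESS_RE.findall(fields[5]) if len(fields) > 5 else []
        sockets.append({"addr": addr, "port": int(port),
                        "procs": [(name, int(pid)) for name, pid in procs],
                        "exposed": addr in WILDCARDS})
    return sockets

def exposed_listeners(sockets: list) -> list:
    """Ports listening on every interface, with the owning process ('?' if unknown)."""
    result = set()
    for s in sockets:
        if s["exposed"]:
            result.add((s["port"], s["procs"][0][0] if s["procs"] else "?"))
    return sorted(result)

SOCKETS = parse_ss(SAMPLE_SS)

if __name__ == "__main__":
    for port, proc in exposed_listeners(SOCKETS):
        print(f"{port}/tcp listens on all interfaces, owned by {proc}")
```

A '?' owner in the report is the cue that the command needs to be re-run with sudo, as noted above.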

mtr

  • Syntax: mtr [options] DESTINATION_HOST.
  • This command is an interesting alternative to traceroute:
    • Like traceroute, it outputs the address / hostname of each network hop between source and destination.
    • Additionally, it sends regular ICMP ping requests to each network hop to assess route reliability at each stage.
    • Note that gateways behind a firewall that blocks incoming ICMP traffic will not reply.
# use ipv4 only, show ip and hostname, show AS (autonomous system) country code
# print sent, received and dropped packets + average rtt for each network hop
mtr -4 -b -y 2 -o "S R D A" google.com

nmap

  • Important: unauthorized port scanning of random targets may get you into trouble.
  • Syntax: nmap [Scan Type...] [Options] {target specification}.
  • nmap (network mapper) is a powerful and versatile port scanner that can be used for a variety of purposes.
  • It operates at the network layer by sending raw IP packets.
  • sudo is required for certain types of scanning methods, so it's best to always use it.
  • When executed, nmap performs the following sequence of actions:
    1. Host discovery: finds online hosts among the specified target(s) by performing customizable probes.
    2. Port scanning: scans online hosts for open ports using the specified options.
    3. Service detection: queries open ports to determine which services they are running (using nmap-service-probes).
    4. OS detection: determines which OS the host is running with TCP/IP stack fingerprinting (using nmap-os-db).
    5. Scan results output: most noticeably the list of port numbers, protocols, service names and states.
       Port state   Description
       open         an application is listening for connections/packets
       filtered     a firewall is blocking the port (can't tell if it is open/closed)
       closed       no application is listening
       unfiltered   responds to probes, but can't tell if it is open/closed
  • nmap use case samples:

# list the IP protocols (TCP, UDP, ICMP, ...) supported by the local machine (IP protocol scan)
sudo nmap -sO localhost

# list the targets of a CIDR range with reverse name resolution (list scan: no probes are sent, only DNS queries)
sudo nmap -sL 192.168.1.0/24

# scan with OS detection, version detection, script scanning and traceroute
sudo nmap -A 192.168.1.10

# skip host discovery, scan the 50 most used TCP ports, list open ports only
# probe for services running behind open ports, specify probe level
# guess the OS the target is running, perform name resolution, verbose
sudo nmap \
-Pn \
-sS --top-ports 50 --open \
-sV --version-intensity 5 \
-O --osscan-guess \
-R \
-v \
192.168.1.10

# performs name resolution against the latest 50 entries in the tcp connections kernel
# cache, useful for public servers where said cache contains thousands of entries ...
ip -family inet -h -br tcp_metrics show | \
sed -r 's/^(.+)\sage\s([0-9\.]+)sec\s.*.*source\s(.+)$/\2 \1/gm' | \
sort -n | \
sed -r 's/^.+\s(.+)$/\1/gm' | \
head -n 50 | \
sudo nmap -sL -sn -iL /dev/stdin

# print information about nmap scripts from the 'fuzzer' category
nmap --script-help=fuzzer

# list interfaces and routes
sudo nmap --iflist

# runs all the default scripts against a target host
nmap -sC 192.168.1.10
  • nmap also implements a scripting engine (NSE) in order to further customize each step of the scan.
  • Scripts are written in the Lua language and classified into categories depending on their purpose.
  • The publicly available scripts can be downloaded from a dedicated repository.