
Network Administration and Reliability

Network Administration

This part focuses on configuring and managing network interfaces, routing, and basic firewall functionality: the fundamental setup and operation of network connections. The tools usually used are:

IP

This is the primary command-line tool for configuring network interfaces in Linux.

# Assign IP Address
ip addr add 192.168.1.100/24 dev eth0

# Brings up an interface
ip link set eth0 up

# Sets default gateway
ip route add default via 192.168.1.1

# Add IP Address:
sudo ip addr add 192.168.1.100/24 dev eth0
# Delete IP Address:
sudo ip addr del 192.168.1.100/24 dev eth0
# Bring Up Interface:
sudo ip link set eth0 up
# Bring Down Interface:
sudo ip link set eth0 down
# Show Routing Table (ip r is the short form):
ip route show
ip r
# Add Route (sets default gateway):
sudo ip route add default via 192.168.1.1
# Delete Route:
sudo ip route del default

Veth (Virtual Ethernet)

Virtual Interface Pair: A veth pair creates two virtual network interfaces that are linked together. Packets sent out one interface of the pair are immediately received on the other interface.

Use Cases:

  1. Connecting containers to the host network: One end of the pair is placed inside the container's network namespace, and the other end is connected to a bridge on the host.
  2. Network testing and simulation: Creating isolated network environments.

System Security

This part is about protecting the system from unauthorized network access and malicious traffic; it emphasizes the security aspects of networking. Technologies that support this include:

Netfilter

The underlying framework in the Linux kernel for packet filtering, network address translation (NAT), and packet mangling. It doesn't directly interact with users but provides a set of hooks where other tools like iptables and nftables can attach their rules.

# Example (conceptual)
Think of Netfilter as a series of checkpoints within the kernel's network stack. As packets traverse the network stack, they pass through these checkpoints. At each checkpoint, rules defined by iptables or nftables are consulted to determine the fate of the packet.

iptables

A user-space utility for managing Netfilter's firewall rules. It allows you to create rules that match specific packet characteristics (source/destination IP, port, protocol) and take actions (ACCEPT, DROP, REJECT).

# List Rules
sudo iptables -L -v
# List Rules for Specific Chain:
sudo iptables -L INPUT -v
# Append Rule: (allows incoming TCP traffic to port 80)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Insert Rule: (inserts a rule at the beginning (position 1) of the INPUT chain)
sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
# Delete Rule: (deletes the specified rule, or use line numbers displayed by -L --line-numbers)
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
# Flush Rules (clear all rules in a chain):
sudo iptables -F INPUT
# Flush All Chains (no chain given), then delete the now-empty user-defined chains:
sudo iptables -F
sudo iptables -X
# Save Rules: (saves current rules to a file; the specific path might vary depending on your distribution)
sudo iptables-save > /etc/iptables/rules.v4
# Restore Rules:
sudo iptables-restore < /etc/iptables/rules.v4

brctl (bridges)

A virtual network switch within the kernel. It learns MAC addresses and forwards traffic only to the necessary interfaces, effectively creating a separate network segment.

# Add Bridge:
sudo brctl addbr br0
# Delete Bridge:
sudo brctl delbr br0
# Add Interface to Bridge:
sudo brctl addif br0 eth0
# Remove Interface from Bridge:
sudo brctl delif br0 eth0
# Show Bridge Information:
brctl show

Use Cases:

  1. Connecting multiple virtual machines or containers to a network: The bridge acts as a central hub.
  2. Creating VLANs (Virtual LANs): Isolating network traffic within a physical network.
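The two use cases above can be tried together on one machine. The following script is an added example (not the page author's code) that builds a small lab: a bridge created with brctl, two network namespaces standing in for containers, and one veth pair per namespace with one end inside the namespace and the other plugged into the bridge. The names br0, ns1, ns2, the veth-* names and the 10.0.0.0/24 addresses are assumptions chosen for the lab. Run it as root; with DRY_RUN=1 it prints the commands instead of executing them, which is a convenient way to review the sequence first.

```shell
#!/bin/sh
# Added example (not from the original page): bridge + veth + namespaces lab.
# Names (br0, ns1, ns2, veth-*, 10.0.0.0/24) are arbitrary lab choices.
# Usage (as root):  sh lab.sh up | sh lab.sh check | sh lab.sh down
#                   DRY_RUN=1 sh lab.sh up   # only print the commands
set -eu

BRIDGE=${BRIDGE:-br0}
SUBNET=${SUBNET:-10.0.0}

# run: execute a command, or print it when DRY_RUN=1 so the whole
# sequence can be reviewed before it touches the host.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# attach_ns NAME HOSTID: create namespace NAME and a veth pair; the host end
# (veth-NAME) joins the bridge, the peer is moved into the namespace,
# renamed eth0 and given SUBNET.HOSTID/24.
attach_ns() {
  ns=$1
  hostid=$2
  host_end="veth-$ns"
  peer="p-$ns"                      # temporary name while still on the host
  run ip netns add "$ns"
  run ip link add "$host_end" type veth peer name "$peer"
  run ip link set "$peer" netns "$ns"
  run brctl addif "$BRIDGE" "$host_end"
  run ip link set "$host_end" up
  run ip netns exec "$ns" ip link set "$peer" name eth0
  run ip netns exec "$ns" ip addr add "$SUBNET.$hostid/24" dev eth0
  run ip netns exec "$ns" ip link set lo up
  run ip netns exec "$ns" ip link set eth0 up
}

lab_up() {
  run brctl addbr "$BRIDGE"
  run ip link set "$BRIDGE" up
  # the host gets .1 on the bridge so it can reach both namespaces
  run ip addr add "$SUBNET.1/24" dev "$BRIDGE"
  attach_ns ns1 11
  attach_ns ns2 12
}

# lab_check: ns1 should reach ns2 and the host through the bridge
lab_check() {
  run ip netns exec ns1 ping -c 1 -W 1 "$SUBNET.12"
  run ip netns exec ns1 ping -c 1 -W 1 "$SUBNET.1"
}

# lab_down: deleting a namespace destroys the veth inside it, and the
# host end of that pair disappears with it
lab_down() {
  run ip netns del ns1
  run ip netns del ns2
  run ip link set "$BRIDGE" down
  run brctl delbr "$BRIDGE"
}

case "${1:-}" in
  up)    lab_up ;;
  check) lab_check ;;
  down)  lab_down ;;
esac
```

The peer end is created on the host under a temporary name and only renamed to eth0 after it has been moved into the namespace, because a second interface called eth0 cannot exist on the host while the real one is there.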

nftables

The successor to iptables, offering a more modern and flexible way to manage Netfilter rules. It uses a simpler syntax and can perform more complex operations.

# List Rules:
sudo nft list ruleset
# Add Rule (the table 'ip filter' and its chain 'input' must already exist):
sudo nft add rule ip filter input tcp dport 22 accept
# Delete Rule (using handle):
sudo nft delete rule ip filter input handle <handle_number>
# Flush Ruleset:
sudo nft flush ruleset
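A single rule added with `nft add rule` is lost at reboot and is hard to review in isolation; the usual way to run nftables is to keep the whole ruleset in a file and load it atomically with `nft -f`. The script below is an added example, not code from the page: it renders a minimal host firewall (default drop on input, established connections accepted, SSH reachable only from a named set of admin networks), checks the file with `nft -c -f` and then loads it. The table and chain names, the 192.0.2.0/24 admin network, the file path and the open ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): render, check and load an
# nftables ruleset. ADMIN_NET, RULESET and the open ports are assumed values.
# Usage (as root):  sh nft-host.sh apply     # or: sh nft-host.sh render
set -eu

ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}
RULESET=${RULESET:-/etc/nftables.conf}

# render_ruleset [ADMIN_NET]: print the complete ruleset. `flush ruleset` at
# the top makes every load replace what was there, so re-running never
# stacks duplicate rules.
render_ruleset() {
  admin=${1:-$ADMIN_NET}
  cat <<EOF
flush ruleset

table inet filter {
    # addresses allowed to reach SSH; extend with 'nft add element'
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { $admin }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        ip saddr @admin_nets tcp dport 22 accept
        tcp dport { 80, 443 } accept
        # log (rate-limited) what the policy is about to drop
        limit rate 5/minute log prefix "nft input drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset: write the file, syntax-check it without loading (-c),
# then load it. A failed check leaves the running ruleset untouched.
apply_ruleset() {
  render_ruleset > "$RULESET"
  nft -c -f "$RULESET"
  nft -f "$RULESET"
}

case "${1:-}" in
  render) render_ruleset ;;
  apply)  apply_ruleset ;;
esac
```

The `inet` family lets one table cover IPv4 and IPv6, and the named set means the admin list can be changed with `nft add element` without touching the rule that references it.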


ipset

Manages sets of IP addresses, networks or ports. These sets can be referenced from iptables or nftables rules, so one rule can match thousands of entries.

# Create a Set: (creates a set named 'myset' for IP addresses using a hash table)
sudo ipset create myset hash:ip
# Add Element to Set:
sudo ipset add myset 192.168.1.10
# Delete Element from Set:
sudo ipset del myset 192.168.1.10
# List Set Contents:
sudo ipset list myset
# Destroy Set:
sudo ipset destroy myset
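One practical pattern with ipset is a blocklist that is refreshed periodically: the new contents are built in a scratch set and then exchanged with the live one using `ipset swap`, so the rule that references the set never sees it empty or half-filled, and the iptables rule itself is inserted only if `iptables -C` cannot find it already. This is an added example, not code from the page; the set name, the list file format (one address or CIDR per line, `#` comments allowed) and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): refresh an ipset blocklist
# atomically and keep exactly one iptables rule pointing at it.
# Set name, list format and the sample entries below are made up.
# Usage (as root):  sh blocklist.sh /etc/blocklist.txt
#                   DRY_RUN=1 sh blocklist.sh /etc/blocklist.txt
set -eu

SET=${SET:-blocklist}

# run: execute a command, or print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# load_blocklist FILE: fill a scratch set from FILE, swap it with the live
# set, then drop the scratch set. Lookups keep working during the refresh.
# hash:net accepts both single addresses and CIDR ranges.
load_blocklist() {
  file=$1
  tmp="${SET}-new"
  run ipset -exist create "$SET" hash:net
  run ipset -exist create "$tmp" hash:net
  run ipset flush "$tmp"
  # skip blank lines and '#' comments
  grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r entry; do
    run ipset -exist add "$tmp" "$entry"
  done
  run ipset swap "$tmp" "$SET"
  run ipset destroy "$tmp"
}

# ensure_drop_rule: -C succeeds when an identical rule exists, so the insert
# happens once no matter how often this script runs. In DRY_RUN mode the
# check cannot be evaluated, so the whole check-or-insert line is printed.
ensure_drop_rule() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'iptables -C INPUT -m set --match-set %s src -j DROP || iptables -I INPUT 1 -m set --match-set %s src -j DROP\n' "$SET" "$SET"
    return 0
  fi
  iptables -C INPUT -m set --match-set "$SET" src -j DROP 2>/dev/null \
    || iptables -I INPUT 1 -m set --match-set "$SET" src -j DROP
}

# write_sample_list FILE: constructed sample list for trying the script
write_sample_list() {
  cat > "$1" <<'EOF'
# constructed sample entries (documentation ranges, not real hosts)
203.0.113.0/24
198.51.100.17

192.0.2.200
EOF
}

if [ $# -eq 1 ]; then
  load_blocklist "$1"
  ensure_drop_rule
fi
```

The rule is inserted at position 1 of INPUT deliberately: a blocklist match placed after an ACCEPT for established traffic would never see packets of connections that were already open when the address was added.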


Network Performance And Reliability

Conntrack (Connection Tracking)

A Netfilter module that tracks the state of network connections. This is crucial for stateful firewalls: it lets them distinguish packets belonging to an established connection from unsolicited incoming packets.

# Example (conceptual)
When a connection is initiated, conntrack creates a record of it. Subsequent packets related to that connection are allowed to pass based on this record, even if a general firewall rule might otherwise block them.
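Because every tracked connection carries a state, the conntrack table is also a quick place to spot trouble: a pile of half-open TCP entries (SYN_SENT or SYN_RECV) from one source shows up there before the service itself starts to struggle. The functions below are an added example, not from the page; they summarise the output of `conntrack -L` (from the conntrack-tools package) by source address. The lines in SAMPLE are constructed in that output's format and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original page): count half-open TCP
# connections per source from `conntrack -L` output.
# SAMPLE is constructed data in the same line format; addresses are
# documentation ranges, not real hosts.
# Usage:  sh ct-summary.sh live 20      # read the real table, flag >= 20
#         sh ct-summary.sh sample       # summarise the constructed lines
set -eu

SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 58 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=198.51.100.7 sport=80 dport=40001 mark=0 use=1
tcp      6 57 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=40002 dport=80 src=10.0.0.5 dst=198.51.100.7 sport=80 dport=40002 mark=0 use=1
tcp      6 55 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=40003 dport=80 src=10.0.0.5 dst=198.51.100.7 sport=80 dport=40003 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.9 dst=10.0.0.5 sport=33000 dport=22 [UNREPLIED] src=10.0.0.5 dst=203.0.113.9 sport=22 dport=33000 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1'

# half_open_by_src: read conntrack -L lines on stdin, print "COUNT IP" for
# every source with TCP entries still in SYN_SENT/SYN_RECV, busiest first.
# Field 4 is the TCP state; the first src= is the original direction.
half_open_by_src() {
  awk '$1 == "tcp" && ($4 == "SYN_SENT" || $4 == "SYN_RECV") {
         for (i = 5; i <= NF; i++)
           if ($i ~ /^src=/) { split($i, kv, "="); n[kv[2]]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_half_open THRESHOLD: print only sources at or above THRESHOLD
flag_half_open() {
  half_open_by_src | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

case "${1:-}" in
  live)   conntrack -L 2>/dev/null | flag_half_open "${2:-20}" ;;
  sample) printf '%s\n' "$SAMPLE" | half_open_by_src ;;
esac
```

`conntrack -L` prints its entry count on stderr, which is why it is discarded in the `live` mode; UDP entries have no state column and are skipped by the `$1 == "tcp"` test.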

NAT (Network Address Translation)

Modifies the source or destination IP addresses of network packets, commonly used to share a single public IP address among multiple devices on a private network (NAT masquerading).

# (masquerades outgoing traffic on interface eth0, replacing the private source IP with the public IP of eth0).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
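The MASQUERADE rule only rewrites addresses; by itself it does nothing to stop packets arriving on eth0 from being forwarded into the private network once forwarding is enabled and the FORWARD chain is permissive. As an added example (not from the page), the script below puts the three parts of a NAT gateway together: enabling forwarding, the masquerade rule, and a FORWARD chain that lets the LAN out but lets traffic from the WAN in only when conntrack already knows the connection. The interface names (eth0 as WAN, br0 as LAN) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): minimal NAT gateway.
# WAN/LAN interface names are assumed; adjust for the host.
# Usage (as root):  sh nat-gw.sh up   |   DRY_RUN=1 sh nat-gw.sh up
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-br0}

# run: execute a command, or print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

nat_up() {
  # 1. the kernel must route between interfaces at all
  run sysctl -w net.ipv4.ip_forward=1
  # 2. rewrite the private source address to the WAN address on the way out
  run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
  # 3. forwarding policy: LAN -> WAN freely, WAN -> LAN only for replies
  #    to connections conntrack has already seen
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  run iptables -A FORWARD -i "$WAN" -o "$LAN" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

nat_down() {
  run iptables -t nat -D POSTROUTING -o "$WAN" -j MASQUERADE
  run iptables -D FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  run iptables -D FORWARD -i "$WAN" -o "$LAN" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -P FORWARD ACCEPT
  run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-}" in
  up)   nat_up ;;
  down) nat_down ;;
esac
```

The sysctl change is not persistent; put `net.ipv4.ip_forward = 1` in a sysctl configuration file and save the rules with `iptables-save` if the gateway is meant to survive a reboot.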