Saturday, May 9, 2015

Networking in CentOS / RHEL 7 Linux


Lots of networking tools have changed in CentOS / RHEL 7. For example, you can no longer use the system-config-network-tui tool to set up Ethernet interfaces.

ethtool

To get information on an Ethernet link you can use ethtool:
# ethtool enp3s0
ethtool is handy when you want to change link parameters such as speed and auto-negotiation. Any device parameters you change with ethtool are lost at the next reboot unless you persist them in the related /etc/sysconfig/network-scripts/ifcfg-* file (the ETHTOOL_OPTS directive). Most network configuration files live under /etc/sysconfig/, with the exception of VPN, mobile broadband and PPPoE connections, which are stored in /etc/NetworkManager/ subdirectories.

Use the -S option to display statistics: bytes transmitted and received, errors, and so on:
# ethtool -S enp3s0
If you need to identify a NIC by sight, i.e. blink one or more LEDs on the specified NIC, enter:
# ethtool -p enp3s0
so you can find enp3s0 on a server that has more than one NIC (stop with Ctrl-C, or pass a number of seconds as a second argument).

Note: If you are familiar with mii-tool from previous versions, it still works as before, but it belongs to the net-tools package, which is no longer installed by default.

dhclient

If you are used to Windows you will know ipconfig /release and ipconfig /renew. The Linux equivalent is dhclient. To release the IP address, enter:
# dhclient -r enp3s0
And to request a new lease from a DHCP server (whichever server answers first, not necessarily the nearest):
# dhclient enp3s0
On an interface managed by NetworkManager, NetworkManager already runs its own DHCP client for it, so a second dhclient started by hand will fight with it over the lease; renew there with nmcli con down <name> and nmcli con up <name> instead.

ifconfig

You can list all your network interfaces with ifconfig as well as with ip addr show:
# ifconfig
Note that ifconfig comes from the net-tools package, which is deprecated and not installed on a minimal CentOS 7 system; ip addr show is always available. ifup and ifdown still work in RHEL 7; use them to enable and disable interfaces.

nmcli

If a config file has been changed with an editor, NetworkManager must be told to read the config files again:
# nmcli connection reload
Changes made with nmcli or nmtui do not require a reload, but they do not take effect on a running connection until the interface is brought down and up again:
# nmcli dev disconnect <interface-name>
Followed by:
# nmcli con up <connection-name>
Be aware that nmcli dev disconnect also stops the device from auto-activating any connection until it is brought up again by hand, so do not use it as a routine "restart" on a remote box you are logged in through; nmcli con down followed by nmcli con up is the safer pair.
There are several ways to list the currently available network connections:
$ nmcli con show
$ nmcli connection show --active
$ nmcli dev status
$ nmcli device status
$ ip addr show
To view detailed information about a connection:
$ nmcli -p con show <id-string>
Using nmcli is not always easy. For example, creating a connection with a static address and gateway takes a command like this (my-eth1 is the connection name, eth1 the interface; the connection still has to be activated afterwards with nmcli con up my-eth1):
$ nmcli con add con-name my-eth1 ifname eth1 type ethernet ip4 192.168.100.100/24 gw4 192.168.100.1
Adding two DNS servers to an existing connection is easier (bring the connection up again afterwards for the change to apply):
# nmcli con mod my-eth1 ipv4.dns "8.8.8.8 4.2.2.4"
And viewing the available Wi-Fi access points is much easier:
$ nmcli dev wifi list
See the nmcli and nm-settings man pages for more information about nmcli and the setting names it accepts.


nmtui

nmtui is the successor of system-config-network-tui: an easy-to-use text UI for changing network configuration. It is my preferred way to change the settings.


ifcfg-*** files

If you take a look at the /etc/sysconfig/network-scripts/ directory you will find a number of interface configuration files named ifcfg-<interface>.

This can serve as an example of a config file (ifcfg-enp3s0) for an interface with a static IP:
  DEVICE=enp3s0
  TYPE=Ethernet
  BOOTPROTO=none
  ONBOOT=yes
  PREFIX=24
  IPADDR=192.168.0.1

Example with dynamic IP:

  DEVICE=enp3s0
  TYPE=Ethernet
  BOOTPROTO=dhcp
  ONBOOT=yes
  DHCP_HOSTNAME=behnam-pc

In the above example, the interface sends a specific host name, behnam-pc, to the DHCP server in its requests.

If you want an interface to use particular DNS servers rather than the ones handed out by DHCP, add:

  PEERDNS=no
  DNS1=4.2.2.4
  DNS2=172.16.51.100

PEERDNS=no stops the DHCP-supplied servers from being written to /etc/resolv.conf; DNS1 and DNS2 are written there instead. Leaving PEERDNS=no without any DNSn entry leaves the host with no resolvers from this interface at all.
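As an added example (not part of the original post), here is a small POSIX shell checker for ifcfg-* files that encodes the rules above: a static configuration needs IPADDR plus PREFIX or NETMASK, PEERDNS=no without DNS1 leaves the host without resolvers from this interface, and a missing DEVICE means the interface is only implied by the file name. check_ifcfg, valid_ipv4 and warn are names chosen for this example, and the sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example: sanity-check an ifcfg-* file before running ifup or
# "nmcli connection reload". check_ifcfg, valid_ipv4 and warn are helper
# names chosen for this example; they are not part of the network scripts.

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with octets 0-255
valid_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# warn MSG: report one problem and remember that the file is not clean
warn() { printf 'WARN: %s\n' "$1"; rc=1; }

# check_ifcfg FILE: print one WARN line per problem, return 1 if any
check_ifcfg() {
    BOOTPROTO= IPADDR= PREFIX= NETMASK= PEERDNS= DNS1= DEVICE= GATEWAY=
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # trim leading/trailing blanks, skip comments and empty lines
        line=${line#"${line%%[![:space:]]*}"}
        line=${line%"${line##*[![:space:]]}"}
        case $line in ''|\#*) continue ;; esac
        case $line in *=*) ;; *) warn "not KEY=VALUE: $line"; continue ;; esac
        key=${line%%=*}; val=${line#*=}
        val=${val#\"}; val=${val%\"}          # ifcfg values may be quoted
        case $key in
            BOOTPROTO|IPADDR|PREFIX|NETMASK|PEERDNS|DNS1|DEVICE|GATEWAY)
                eval "$key=\$val" ;;          # key is whitelisted above
        esac
    done < "$1"

    case $BOOTPROTO in
        none|static|'')
            if [ -z "$IPADDR" ]; then
                warn "static config (BOOTPROTO=${BOOTPROTO:-unset}) without IPADDR"
            elif ! valid_ipv4 "$IPADDR"; then
                warn "IPADDR=$IPADDR is not a valid IPv4 address"
            fi
            if [ -z "$PREFIX" ] && [ -z "$NETMASK" ]; then
                warn "no PREFIX or NETMASK; a classful mask would be assumed"
            fi ;;
        dhcp) ;;
        *) warn "unknown BOOTPROTO=$BOOTPROTO" ;;
    esac
    if [ -n "$PREFIX" ]; then
        case $PREFIX in
            *[!0-9]*) warn "PREFIX=$PREFIX is not a number" ;;
            *) [ "$PREFIX" -le 32 ] || warn "PREFIX=$PREFIX is out of range" ;;
        esac
    fi
    if [ -n "$NETMASK" ] && ! valid_ipv4 "$NETMASK"; then
        warn "NETMASK=$NETMASK is not a valid dotted mask"
    fi
    if [ -n "$GATEWAY" ] && ! valid_ipv4 "$GATEWAY"; then
        warn "GATEWAY=$GATEWAY is not a valid IPv4 address"
    fi
    if [ "$PEERDNS" = no ] && [ -z "$DNS1" ]; then
        warn "PEERDNS=no but no DNS1: DHCP resolvers ignored and none set here"
    fi
    [ -n "$DEVICE" ] || warn "DEVICE not set; interface is only implied by the file name"
    return $rc
}
```

Run it as check_ifcfg /etc/sysconfig/network-scripts/ifcfg-enp3s0: a clean file prints nothing and returns 0, so it drops into a pre-ifup hook or a config-management check without further plumbing.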


ss command


Do not assume that netstat still exists on a CentOS 7 box: it belongs to the net-tools package, which is deprecated in CentOS 7 and not installed by default. Use ss instead; ss -a shows both listening and non-listening sockets.
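When auditing what a server exposes, the interesting subset is ss -tulpn (listening TCP and UDP sockets with the owning process) filtered to sockets bound to every address. The following is an added example, not from the original post: exposed_listeners is a name chosen here, and SS_SAMPLE is constructed output in the format ss prints on CentOS 7, not a capture from a real host.

```shell
#!/bin/sh
# Added example: list sockets that listen on every address (*, 0.0.0.0,
# :: or [::]), i.e. services reachable from the network, from the output
# of "ss -tulpn". exposed_listeners is a name chosen for this example.

# Constructed sample of "ss -tulpn" output (not captured from a real host).
# Older ss prints "*" and ":::" for the wildcard, newer versions print
# 0.0.0.0 and [::]; both forms are included.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:68               *:*     users:(("dhclient",pid=892,uid=0,fd=6))
udp   UNCONN 0      0      127.0.0.1:323      *:*     users:(("chronyd",pid=600,uid=998,fd=1))
tcp   LISTEN 0      128    *:22               *:*     users:(("sshd",pid=1011,uid=0,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25       *:*     users:(("master",pid=1149,uid=0,fd=13))
tcp   LISTEN 0      128    :::22              :::*    users:(("sshd",pid=1011,uid=0,fd=4))
tcp   LISTEN 0      128    [::]:3306          [::]:*  users:(("mysqld",pid=1300,uid=27,fd=10))'

# exposed_listeners: read "ss -tulpn" output on stdin and print
# "<proto> <port> <bind-address> <process>" for every wildcard-bound socket
exposed_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":")                  # Local Address:Port; port is last
        port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]") {
            proc = "-"                         # process info needs root (-p)
            if (match($0, /\("[^"]+"/))
                proc = substr($0, RSTART + 2, RLENGTH - 3)
            print $1, port, addr, proc
        }
    }'
}

# usage on a live system: ss -tulpn | exposed_listeners
printf '%s\n' "$SS_SAMPLE" | exposed_listeners
```

On the sample this reports sshd on 22 (both address families), dhclient's UDP 68 (expected on a DHCP client) and mysqld on 3306 bound to every address, which is the line that should make you go and set bind-address; chronyd and postfix on 127.0.0.1 are correctly left out.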

ip command 


The simple syntax is:

ip addr [ add | del ] address dev ifname

Objects in ip command are: 

link | addr | addrlabel | route | rule | neigh | ntable | tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm | netns | l2tp | tcp_metrics

So instead of addr in the above syntax you can use any of these objects.

Bear in mind that addresses and routes set with ip on the command line do not persist across a reboot.
    
To assign an IP address to an interface, type one of these (equivalent) commands:

# ip addr add 192.168.0.1/24 dev enp3s0
# ip address add 192.168.0.1/24 dev enp3s0
And to add the 2nd IP to the same interface:
# ip addr add 172.16.51.34/24 dev enp3s0
Show IP:
# ip addr show
# ip addr show dev enp3s0
Remove IP:
# ip addr del 192.168.50.5/24 dev enp3s0
Enable/Disable NIC:
# ip link set enp3s0 up
# ip link set enp3s0 down 
ifconfig enp3s0 down also disables the interface and ifconfig enp3s0 up enables it, but neither is the same as ifdown/ifup: ip link set and ifconfig only change the link state, while ifdown and ifup run the network scripts (or NetworkManager) and tear down or rebuild the addresses, routes and DNS settings of the connection.

Display device attributes:
# ip link show 
Or use ifconfig for the same purpose (if net-tools is installed).

To check the kernel route table you can run one of the following commands (route -n needs net-tools):
# ip route show
# ip route show dev enp3s0
# ip route list
# route -n
Show the route cache (the cached forwarding decisions):
# ip route show cache
Note that the IPv4 routing cache was removed in kernel 3.6, so on CentOS 7 (kernel 3.10) this prints nothing; the command is only useful on older kernels.
Adding default gateway:
# ip route add default via 172.16.51.1 dev enp3s0
Manipulating the IP route table (add a static route):
# ip route add 10.10.10.0/24 via 172.16.51.100 dev enp3s0
or, for a directly attached network (no gateway):
# ip route add 192.168.0.0/16 dev enp3s0
or, with net-tools:
# route add -net 192.168.0.0/16 dev enp3s0
(the network address must have its host bits clear: 192.168.1.0/16 is rejected by the kernel as invalid.)
Remove static route:
# ip route del 10.10.10.0/24
Again, routes added on the command line do not persist across a reboot. To make a static route persistent, create /etc/sysconfig/network-scripts/route-enp3s0 and put the following line in it:

10.10.10.0/24 via 172.16.51.100 dev enp3s0

Any questions? Run ip route help or consult the ip and ip-address man pages.

Route


Syntax: 

ip route [ add | del | change | append | replace ] destination-address
$ ip route add 192.0.2.1 via 10.0.0.1 [dev <ifname>]
Use the ip route command without options to display the IP routing table:
$ ip route
The route command (net-tools) serves the same purpose.

As always, the man pages are the best source; for more information consult the ip-route man page.

Static route configuration can be stored per interface in /etc/sysconfig/network-scripts/route-<interface> files. 

A default route in such a file is only needed if the gateway is not handed out by the DHCP server and is not set globally in /etc/sysconfig/network; additional static routes always go there.

For example, static routes for the enp3s0 interface is stored in /etc/sysconfig/network-scripts/route-enp3s0.  

A route to the default gateway goes on the first line:

  default via 192.168.100.1 dev <interface>

Note: This setting takes precedence over a setting in the /etc/sysconfig/network file.

If a route to a remote network is required, a static route can be written as follows:

  100.100.100.0/24 via 172.16.51.34 [dev interface]


Note: The address 172.16.51.34 in the above example is the next hop, i.e. the router on the local link that forwards packets to the remote network; it must be directly reachable from the interface named.

So an example of route-enp3s0 file could be:

  default via 192.168.100.1 dev enp3s0

  100.100.100.0/24 via 172.16.51.34 dev enp3s0
  10.10.10.0/24 via 172.16.1.1 dev enp3s0

You can also use the following format for the route-enp3s0 file to make the routes permanent:

  ADDRESS0=100.100.100.0
  NETMASK0=255.255.255.0
  GATEWAY0=172.16.51.34
  ADDRESS1=10.10.10.0
  NETMASK1=255.255.255.0
  GATEWAY1=172.16.1.1

As you see, the static routes must be numbered sequentially starting at 0 and must not skip any value: the scripts read ADDRESS0, ADDRESS1, ... and stop at the first missing number, so an entry after a gap is silently ignored.
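As an added example, not from the original post, the following shell functions turn a route-<interface> file in either of the two formats into the ip route add commands the network scripts would run, and enforce the numbering rule by reading ADDRESSn from 0 upwards and reporting entries that sit after a gap. route_file_to_ip and mask_to_prefix are names chosen here; a missing NETMASKn is treated as a host route (/32) by this example, which is its own choice, not the scripts' behaviour.

```shell
#!/bin/sh
# Added example: render a route-<interface> file as "ip route add" commands
# and detect numbering gaps in the ADDRESSn/NETMASKn/GATEWAYn format.
# mask_to_prefix and route_file_to_ip are names chosen for this example.

# mask_to_prefix DOTTED_MASK: print the prefix length; fail on a
# non-contiguous mask such as 255.0.255.0
mask_to_prefix() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    bits=0; seen_zero=0
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        b=128
        while [ "$b" -gt 0 ]; do                     # walk the octet MSB to LSB
            if [ $((o & b)) -ne 0 ]; then
                [ "$seen_zero" -eq 0 ] || return 1   # a 1 after a 0: not a mask
                bits=$((bits + 1))
            else
                seen_zero=1
            fi
            b=$((b / 2))
        done
    done
    echo "$bits"
}

# route_file_to_ip FILE IFACE: print one "ip route add ..." per route;
# return 1 if the file has numbered entries that would never be read
route_file_to_ip() {
    f=$1 dev=$2
    if grep -q '^[[:space:]]*ADDRESS[0-9][0-9]*=' "$f"; then
        n=0
        while :; do
            # like the network scripts, stop at the first missing ADDRESSn
            addr=$(sed -n "s/^[[:space:]]*ADDRESS$n=\([^[:space:]]*\).*/\1/p" "$f")
            [ -n "$addr" ] || break
            mask=$(sed -n "s/^[[:space:]]*NETMASK$n=\([^[:space:]]*\).*/\1/p" "$f")
            gw=$(sed -n "s/^[[:space:]]*GATEWAY$n=\([^[:space:]]*\).*/\1/p" "$f")
            # this example's choice: no NETMASKn means a host route
            prefix=$(mask_to_prefix "${mask:-255.255.255.255}") || {
                echo "NETMASK$n=$mask is not a valid netmask" >&2; return 1; }
            if [ -n "$gw" ]; then
                printf 'ip route add %s/%s via %s dev %s\n' "$addr" "$prefix" "$gw" "$dev"
            else
                printf 'ip route add %s/%s dev %s\n' "$addr" "$prefix" "$dev"
            fi
            n=$((n + 1))
        done
        total=$(grep -c '^[[:space:]]*ADDRESS[0-9][0-9]*=' "$f")
        if [ "$total" -ne "$n" ]; then
            echo "$((total - n)) ADDRESSn entries after a numbering gap are ignored" >&2
            return 1
        fi
    else
        # ip-route argument format: each non-empty line is the tail of an
        # "ip route add"; bind it to IFACE if the line names no device
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | while IFS= read -r line; do
            case " $line " in
                *" dev "*) printf 'ip route add %s\n' "$line" ;;
                *)         printf 'ip route add %s dev %s\n' "$line" "$dev" ;;
            esac
        done
    fi
}

# usage: route_file_to_ip /etc/sysconfig/network-scripts/route-enp3s0 enp3s0
```

Run it against a route file before rebooting: a non-zero exit with the "after a numbering gap" message is exactly the route that would quietly vanish at the next ifup.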


More about configuring The Default Gateway


The default gateway is determined by the network scripts, which parse the /etc/sysconfig/network file first (by default it contains no GATEWAY entry in CentOS 7) and then the ifcfg-*** files of the interfaces that are up.

The ifcfg-*** files are parsed in numerically ascending order, and the last GATEWAY directive read is the one used to compose the default route in the kernel routing table. So if two interfaces both set GATEWAY, the higher-numbered one wins, which is a common cause of a surprising default route.

Note: As I mentioned before, /etc/sysconfig/network file specifies gateway and host information for all network interfaces. 


Understanding the Network Interface Device Names

As you may have noticed, Ethernet interfaces are no longer named eth0, eth1 and so on but something like enp3s0. The name is a two-letter type prefix followed by a location, taken from this scheme:

  1. en for Ethernet
  2. wl for wireless LAN (WLAN)
  3. ww for wireless wide area network (WWAN)
  • o<index>: on-board device index number (from the firmware)
  • s<slot>: hotplug slot index number
  • x<MAC>: the MAC address, for devices with no stable location
  • p<bus>s<slot>: PCI geographical location; for USB devices a u<port> chain follows

So enp3s0 is the Ethernet device in PCI bus 3, slot 0, and the name stays the same no matter in which order the kernel probes the cards.
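An added example, not from the original post, that decodes such a name back into its parts according to the scheme above; decode_ifname is a name chosen here, and it goes a little beyond the list by also handling the f<function> suffix of multi-port PCI cards and the u<port> chain of USB adapters.

```shell
#!/bin/sh
# Added example: decode a predictable network interface name into the
# type and location it encodes. decode_ifname is a name chosen here.

# decode_ifname NAME: print a description, fail if NAME is not decodable
decode_ifname() {
    name=$1
    case $name in
        en*) type=Ethernet ;;
        wl*) type=WLAN ;;
        ww*) type=WWAN ;;
        *) echo "$name: not a predictable systemd/udev name"; return 1 ;;
    esac
    rest=${name#??}                       # drop the two-letter type prefix
    case $rest in
        o[0-9]*)                          # on-board device index (firmware)
            echo "$type, on-board device index ${rest#o}" ;;
        x[0-9a-f]*)                       # x<MAC>: 12 hex digits, no separators
            mac=${rest#x}
            case $mac in *[!0-9a-f]*) echo "$name: bad MAC"; return 1 ;; esac
            [ ${#mac} -eq 12 ] || { echo "$name: bad MAC"; return 1; }
            m=$mac; out=
            while [ -n "$m" ]; do         # re-insert colons two digits at a time
                out="$out${out:+:}${m%"${m#??}"}"
                m=${m#??}
            done
            echo "$type, MAC $out" ;;
        p[0-9]*s[0-9]*)                   # p<bus>s<slot>[f<function>][u<port>...]
            bus=${rest#p}; bus=${bus%%s*}
            after=${rest#p*s}
            slot=${after%%[!0-9]*}; tail=${after#"$slot"}
            msg="$type, PCI bus $bus slot $slot"
            case $tail in
                f[0-9]*) fn=${tail#f}; fn=${fn%%[!0-9]*}
                         msg="$msg function $fn"; tail=${tail#f"$fn"} ;;
            esac
            case $tail in
                u*) msg="$msg, USB port chain ${tail#u}" ;;
            esac
            echo "$msg" ;;
        s[0-9]*)                          # hotplug slot index
            slot=${rest#s}; slot=${slot%%[!0-9]*}
            echo "$type, hotplug slot $slot" ;;
        *) echo "$name: $type, unrecognised location $rest"; return 1 ;;
    esac
}

# usage on a live system: for i in /sys/class/net/*; do decode_ifname "${i##*/}"; done
decode_ifname enp3s0
```

Names that fail to decode (eth0, or a custom name set through udev rules or NAME= in an ifcfg file) return non-zero, which is a quick way to spot interfaces whose naming someone has overridden.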

Arp

Run the following commands and compare the outputs:
# ip neighbor show 192.168.1.0/24
# ip n show 192.168.1.0/24
# ip neighbor show dev enp3s0
# ip neighbor show
# ip monitor all
Note: arp (from net-tools) is deprecated in CentOS 7, so instead of arp -a use ip n show (short for ip neighbor show).

To add a static neighbour/ARP entry (useful for pinning your gateway's MAC address so that a spoofed ARP reply cannot replace it; nud permanent entries are never expired or overwritten by ARP traffic, but they are not persisted across reboots):
# ip neighbor add 192.168.1.1 lladdr 00:c0:7b:7d:00:c8 dev enp3s0 nud permanent
Removing from ARP
# ip neighbor del 192.168.1.1 dev enp3s0

DNAT by ip command (one address to one address)

Although the best way to do NAT is iptables (its nat table), older guides show it done with the ip command's routing-based NAT:
# ip route add nat 205.254.211.18 via 192.168.1.17
# ip rule add nat 205.254.211.18 from 192.168.1.17
# ip route flush cache
# ip route show table all | grep ^nat
# ip rule show

  • The 1st line tells the kernel to perform NAT on any packet bound for 205.254.211.18, delivering it to 192.168.1.17.
  • The 2nd line enters a rule for the outbound traffic into the RPDB. It rewrites the source address of packets from 192.168.1.17 so that they appear to originate from the NAT IP.
  • The 3rd line empties the routing cache, which older kernels consulted before the routing table; the IPv4 routing cache was removed in kernel 3.6, so on CentOS 7 this is a harmless no-op.
  • The 4th and 5th lines let you inspect the routing table and the rules to check whether the NAT entries were added.
  • Caveat: this routing-based stateless NAT was removed from the kernel in Linux 2.6.25, and the 3.10 kernel shipped with CentOS 7 no longer accepts the nat route and rule types. On CentOS 7 these commands therefore do not work; use iptables -t nat with a DNAT rule for inbound and an SNAT rule for outbound traffic instead.
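The iptables equivalent of the one-to-one mapping above, as an added example that is not part of the original post: one_to_one_nat is a name chosen here, the two addresses are the ones from the text, and enp3s0 is assumed to be the outside interface. The function prints the commands rather than running them, and refuses anything that is not a dotted quad, since its output is meant to be piped into a root shell.

```shell
#!/bin/sh
# Added example: the iptables equivalent of the one-to-one NAT above.
# one_to_one_nat is a name chosen here; 205.254.211.18 and 192.168.1.17 are
# the addresses from the text, enp3s0 is assumed to be the outside NIC.

# one_to_one_nat PUBLIC_IP PRIVATE_IP OUTSIDE_IF: print the commands that
# map PUBLIC_IP <-> PRIVATE_IP; review them, then pipe into "sh" as root
one_to_one_nat() {
    pub=$1 priv=$2 oif=$3
    for a in "$pub" "$priv"; do
        # refuse anything but four dot-separated digit groups: the output is
        # shell, so an unchecked argument would be a command injection
        case $a in
            *[!0-9.]*|''|*..*|.*|*.|*.*.*.*.*) echo "bad address: $a" >&2; return 1 ;;
            *.*.*.*) ;;
            *) echo "bad address: $a" >&2; return 1 ;;
        esac
    done
    [ -n "$oif" ] || { echo "outside interface required" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add $pub/32 dev $oif
iptables -t nat -A PREROUTING  -i $oif -d $pub -j DNAT --to-destination $priv
iptables -t nat -A POSTROUTING -o $oif -s $priv -j SNAT --to-source $pub
iptables -A FORWARD -i $oif -d $priv -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $priv -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

one_to_one_nat 205.254.211.18 192.168.1.17 enp3s0
```

The ip addr add line makes the NAT box answer ARP for the public address on the outside segment; drop it if the address is already routed to the box. The two FORWARD rules accept every new inbound connection to the private host, which is what a full one-to-one NAT means; in practice add --dport matches for the ports you actually publish, and remember that iptables rules also vanish at reboot unless saved (service iptables save, or a firewalld rich rule).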

Network Manager

NetworkManager is a dynamic network control and configuration service that keeps network interfaces and connections up and running. In CentOS/RHEL 7 NetworkManager is the primary way to manage networking, but you can still use the legacy network service (systemctl start network, which runs the /etc/init.d/network script).

To check whether a particular network interface is managed by NetworkManager:

# nmcli dev status
The output looks something like this (the columns are DEVICE, TYPE, STATE and CONNECTION):

  DEVICE  TYPE      STATE        CONNECTION
  enp3s0  ethernet  connected    enp3s0
  enp4s0  ethernet  unavailable  --
  lo      loopback  unmanaged    --

connected means the interface is managed by NetworkManager and has an active connection. enp4s0 is managed too, but it is not plugged into an Ethernet switch (no carrier), so it shows up as unavailable; a managed interface with carrier but no active connection shows disconnected. The loopback adapter is unmanaged, which means NetworkManager does not touch this particular interface.