8.2. Network Configuration

BACK TO BASICS Essential network concepts (Ethernet, IP address, subnet, broadcast)

Most modern local networks use the Ethernet protocol, where data is split into small blocks called frames and transmitted on the wire one frame at a time. Data speeds vary from 10 Mb/s for older Ethernet cards to 100 Gb/s in the newest cards (with the most common rate currently growing from 100 Mb/s to 10 Gb/s). The most widely used cables are called 10BASE-T, 100BASE-T, 1000BASE-T, 10GBASE-T and 40GBASE-T, depending on the throughput they can reliably provide (the T stands for “twisted pair”); those cables end in an RJ45 connector. There are other cable types, used mostly for speeds of 10 Gb/s and above.

An IP address is a number used to identify a network interface on a computer on a local network or the Internet. In the currently most widespread version (IPv4), this number is encoded in 32 bits, and is usually represented as 4 decimal numbers separated by periods (e.g. 192.168.0.1), each number being between 0 and 255 (inclusive, which corresponds to 8 bits of data). The next version of the protocol, IPv6, extends this addressing space to 128 bits; the addresses are generally represented as series of hexadecimal numbers separated by colons (e.g. 2001:0db8:13bb:0002:0000:0000:0000:0020, or 2001:db8:13bb:2::20 for short).

A subnet mask (netmask) defines, in its binary form, which portion of an IP address corresponds to the network, the remainder specifying the machine. In the example of a static IPv4 configuration given below, the subnet mask 255.255.255.0 (24 “1”s followed by 8 “0”s in binary representation) indicates that the first 24 bits of the IP address correspond to the network address, and the other 8 are specific to the machine. In IPv6, for readability, only the number of “1”s is expressed; the netmask for an IPv6 network could, thus, be 64.

The network address is an IP address in which the part describing the machine's number is 0. The range of IPv4 addresses in a complete network is often indicated by the syntax a.b.c.d/e, in which a.b.c.d is the network address and e is the number of bits that belong to the network part of an IP address. The example network would thus be written 192.168.0.0/24. The syntax is similar in IPv6: 2001:db8:13bb:2::/64.

A router is a machine that connects several networks to each other. All traffic coming through a router is guided to the correct network. To do this, the router analyzes incoming packets and redirects them according to the IP address of their destination. The router is often known as a gateway; in this configuration, it works as a machine that helps reach out beyond a local network (towards an extended network, such as the Internet).

The special broadcast address connects all the stations in a network. It is almost never “routed”: it only functions on the network in question. Specifically, this means that a data packet addressed to the broadcast address never passes through the router.

This chapter focuses on IPv4 addresses, since they are currently the most commonly used. The details of the IPv6 protocol are approached in Section 10.6, “IPv6”, but the concepts remain the same.
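The netmask, network and broadcast arithmetic behind the a.b.c.d/e notation, worked through as an added example (this is not code from the handbook): the mask is built from the prefix length with plain integer bit operations, the host bits are cleared to obtain the network address and set to obtain the IPv4 broadcast address, and a last helper decides whether a destination lies outside the local network and therefore has to go through the gateway. The standard ipaddress module is used only to convert between text and integers; the sample addresses are the ones used in this section.

```python
# Added example (not from the Debian Administrator's Handbook): the bit
# arithmetic behind netmask, network address, broadcast address and the
# "a.b.c.d/e" notation, for IPv4 and IPv6. The ipaddress module is only
# used to turn address text into integers and back.
import ipaddress


def parse_cidr(cidr: str):
    """Split 'address/prefix' into (version, address as int, prefix length)."""
    addr_text, prefix_text = cidr.split("/")
    ip = ipaddress.ip_address(addr_text)   # text -> int conversion only
    bits = 32 if ip.version == 4 else 128
    prefix = int(prefix_text)
    if not 0 <= prefix <= bits:
        raise ValueError(f"prefix /{prefix} is invalid for IPv{ip.version}")
    return ip.version, int(ip), prefix


def netmask_int(prefix: int, bits: int) -> int:
    """'prefix' one-bits followed by (bits - prefix) zero-bits: /24 -> 24 ones, 8 zeros."""
    return ((1 << prefix) - 1) << (bits - prefix)


def subnet_info(cidr: str) -> dict:
    """Network, netmask and (IPv4) broadcast facts for an address written as CIDR."""
    version, addr, prefix = parse_cidr(cidr)
    bits = 32 if version == 4 else 128
    cls = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    mask = netmask_int(prefix, bits)
    network = addr & mask                  # host bits cleared
    host_bits = bits - prefix
    info = {
        "version": version,
        "netmask_bits": format(mask, f"0{bits}b"),   # the 1s and 0s spelled out
        "network": f"{cls(network)}/{prefix}",
        "host_bits": host_bits,
    }
    if version == 4:
        # IPv4 writes the mask in full and has a broadcast address (all host
        # bits set); IPv6 only states the prefix length and has no broadcast.
        info["netmask"] = str(cls(mask))
        info["broadcast"] = str(cls(network | ((1 << host_bits) - 1)))
        info["usable_hosts"] = max((1 << host_bits) - 2, 0)
    else:
        info["netmask"] = f"/{prefix}"
    return info


def needs_gateway(local_cidr: str, destination: str) -> bool:
    """True when 'destination' is outside the local network, i.e. the packet
    has to be handed to the router (the 'gateway' of a static configuration)."""
    version, local, prefix = parse_cidr(local_cidr)
    dst = ipaddress.ip_address(destination)
    if dst.version != version:
        raise ValueError("address families differ")
    mask = netmask_int(prefix, 32 if version == 4 else 128)
    return (local & mask) != (int(dst) & mask)


if __name__ == "__main__":
    for cidr in ("192.168.0.3/24", "2001:db8:13bb:2::20/64"):
        for key, value in subnet_info(cidr).items():
            print(f"{cidr:26} {key:13} {value}")
    # 203.0.113.0/24 is a documentation range, used here as a foreign destination
    print("203.0.113.5 via gateway:", needs_gateway("192.168.0.3/24", "203.0.113.5"))
```

Running the script shows that 192.168.0.3/24 yields netmask 255.255.255.0, network 192.168.0.0/24 and broadcast 192.168.0.255, exactly the values listed in the static configuration later in this section, and that the IPv6 example keeps only a prefix length.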

The network is automatically configured during the initial installation. If Network Manager gets installed (which is generally the case for full desktop installations), then it might be that no configuration is actually required (for example, if you rely on DHCP on a wired connection and have no specific requirements). If a configuration is required (for example, for a WiFi interface), then it will create the appropriate file in /etc/NetworkManager/system-connections/.

If Network Manager is not installed, then the installer will configure ifupdown by creating the /etc/network/interfaces file. A line starting with auto gives a list of interfaces to be automatically configured on boot by the networking service. When there are many interfaces, it is good practice to keep the configuration in different files inside /etc/network/interfaces.d/.

In a server context, ifupdown is thus the network configuration tool that you usually get. That is why we will cover it in the next sections.

ALTERNATIVE NetworkManager

While Network Manager is particularly recommended in roaming setups (see Section 8.2.5, “Automatic Network Configuration for Roaming Users”), it is also perfectly usable as the default network management tool. You can create “System connections” that are used as soon as the computer boots, either manually with a .ini-like file in /etc/NetworkManager/system-connections/ or through a graphical tool (nm-connection-editor). Just remember to deactivate the entries in /etc/network/interfaces that you want Network Manager to handle.

https://wiki.gnome.org/Projects/NetworkManager/SystemSettings

https://developer.gnome.org/NetworkManager/1.14/ref-settings.html

8.2.1. Ethernet Interface

If the computer has an Ethernet card, the IP network that is associated with it must be configured by choosing from one of two methods. The simplest method is dynamic configuration with DHCP, and it requires a DHCP server on the local network. It may indicate a desired hostname, corresponding to the hostname setting in the example below. The DHCP server then sends configuration settings for the appropriate network.

Example 8.1. DHCP configuration

  auto enp0s31f6
  iface enp0s31f6 inet dhcp
    hostname arrakis

IN PRACTICE Names of network interfaces

By default, the kernel attributes generic names such as eth0 (for wired Ethernet) or wlan0 (for WiFi) to the network interfaces. The number in those names is a simple incremental counter representing the order in which they have been detected. With modern hardware, that order might change for each reboot and thus the default names are not reliable.

Fortunately, systemd and udev are able to rename the interfaces as soon as they appear. The default name policy is defined by /lib/systemd/network/99-default.link (see systemd.link(5) for an explanation of the NamePolicy entry in that file). In practice, the names are often based on the device’s physical location (as guessed by where they are connected) and you will see names starting with en for wired ethernet and wl for WiFi. In the example above, the rest of the name indicates, in abbreviated form, a PCI (p) bus number (0), a slot number (s31), a function number (f6).

Obviously, you are free to override this policy and/or to complement it to customize the names of some specific interfaces. You can find out the names of the network interfaces in the output of ip addr (or as filenames in /sys/class/net/).

In some corner cases it might be necessary to disable the consistent naming of network devices as described above. Besides changing the default udev rule it is also possible to boot the system using the net.ifnames=0 and biosdevname=0 kernel parameters to achieve that.
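As an added example (not code from the handbook or from systemd), the following decoder takes the PCI-slot naming scheme described above apart: the en/wl prefix, then p followed by the bus number, s followed by the slot number and, when the PCI function is not 0, f followed by the function number. It also recognises the legacy eth0/wlan0 names as unstable, and lists whatever names the running kernel exposes under /sys/class/net. Only the PCI-slot form is decoded; the other systemd schemes (onboard index, USB path, MAC-based) are reported as “other”.

```python
# Added example, not part of the Debian Administrator's Handbook: decode the
# predictable interface names (enp0s31f6, wlp4s0, ...) and list the names
# the kernel currently exposes. Only the PCI bus/slot/function scheme is decoded.
import os
import re

PCI_NAME = re.compile(
    r"^(?P<type>en|wl|ww)p(?P<bus>\d+)s(?P<slot>\d+)(?:f(?P<function>\d+))?$")
LEGACY_NAME = re.compile(r"^(?P<type>eth|wlan)\d+$")
TYPES = {"en": "Ethernet", "wl": "WLAN", "ww": "WWAN",
         "eth": "Ethernet", "wlan": "WLAN"}


def decode_name(name: str) -> dict:
    """Describe where an interface name comes from and what it encodes."""
    m = PCI_NAME.match(name)
    if m:
        return {
            "scheme": "pci-slot",
            "type": TYPES[m["type"]],
            "bus": int(m["bus"]),
            "slot": int(m["slot"]),
            "function": int(m["function"] or 0),   # f<n> is omitted when n == 0
            "stable": True,
        }
    m = LEGACY_NAME.match(name)
    if m:
        # kernel counter names: order of detection, may change between boots
        return {"scheme": "kernel-legacy", "type": TYPES[m["type"]], "stable": False}
    return {"scheme": "other", "stable": None}


def list_interfaces() -> list:
    """Names currently known to the kernel (same list as 'ip addr' shows)."""
    sysfs = "/sys/class/net"
    return sorted(os.listdir(sysfs)) if os.path.isdir(sysfs) else []


if __name__ == "__main__":
    for name in list_interfaces() or ["enp0s31f6", "wlp4s0", "eth0"]:
        print(name, decode_name(name))
```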

A “static” configuration must indicate network settings in a fixed manner. This includes at least the IP address and subnet mask; network and broadcast addresses are also sometimes listed. A router connecting to the exterior will be specified as a gateway.

Example 8.2. Static configuration

  auto enp0s31f6
  iface enp0s31f6 inet static
    address 192.168.0.3/24
    broadcast 192.168.0.255
    network 192.168.0.0
    gateway 192.168.0.1

NOTE Multiple addresses

It is possible not only to associate several interfaces to a single, physical network card, but also several IP addresses to a single interface. Remember also that an IP address may correspond to any number of names via DNS, and that a name may also correspond to any number of numerical IP addresses.

As you can guess, the configurations can be rather complex, but these options are only used in very special cases. The examples cited here are typical of the usual configurations.
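To make the static configuration concrete, here is an added example (not code from the handbook or from ifupdown) that parses the /etc/network/interfaces syntax of Examples 8.1 and 8.2 and checks that each static stanza is internally consistent: the network and broadcast lines, when present, must match the address/prefix, and the gateway must lie inside that network, since a gateway outside the local network can never be reached. The sample file is constructed for this example; the interfaces eth-bad (a deliberately wrong stanza) and eth-ghost (listed in auto but never defined) are invented names. The source and source-directory directives are ignored rather than followed.

```python
# Added example, not part of the Debian Administrator's Handbook: parse the
# ifupdown /etc/network/interfaces format and sanity-check static stanzas.
import ipaddress

# Constructed sample, modelled on Examples 8.1 and 8.2; eth-bad and eth-ghost
# are invented names that carry deliberate mistakes.
SAMPLE = """\
auto lo enp0s31f6 eth-bad eth-ghost
iface lo inet loopback

iface enp0s31f6 inet static
    address 192.168.0.3/24
    broadcast 192.168.0.255
    network 192.168.0.0
    gateway 192.168.0.1

iface wlp4s0 inet dhcp
    hostname arrakis

iface eth-bad inet static
    address 10.0.5.7
    netmask 255.255.255.0
    gateway 10.0.9.1
"""


def parse_interfaces(text: str):
    """Return (auto_names, stanzas); stanzas maps interface -> dict of options."""
    auto, stanzas, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] in ("auto", "allow-hotplug"):
            auto.extend(words[1:])
            current = None
        elif words[0] in ("source", "source-directory"):
            current = None                         # not followed in this example
        elif words[0] == "iface" and len(words) == 4:
            current = {"family": words[2], "method": words[3]}
            stanzas[words[1]] = current
        elif current is not None and len(words) >= 2:
            current[words[0]] = " ".join(words[1:])  # option line under an iface
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return auto, stanzas


def check_static(name: str, opts: dict) -> list:
    """Problems found in one 'inet static' stanza, as readable strings."""
    if "address" not in opts:
        return [f"{name}: static stanza without address"]
    addr = opts["address"]
    if "/" not in addr:                              # old style: separate netmask
        if "netmask" not in opts:
            return [f"{name}: address {addr} has neither prefix nor netmask"]
        addr = f"{addr}/{opts['netmask']}"
    net = ipaddress.ip_interface(addr).network
    problems = []
    for key, want in (("network", str(net.network_address)),
                      ("broadcast", str(net.broadcast_address))):
        if key in opts and opts[key] != want:
            problems.append(f"{name}: {key} {opts[key]} should be {want}")
    if "gateway" in opts and ipaddress.ip_address(opts["gateway"]) not in net:
        problems.append(f"{name}: gateway {opts['gateway']} is not inside {net}")
    return problems


def lint(text: str) -> list:
    """All problems in an interfaces file: dangling auto entries and bad stanzas."""
    auto, stanzas = parse_interfaces(text)
    problems = [f"{n}: listed in auto but has no iface stanza"
                for n in auto if n not in stanzas]
    for name, opts in stanzas.items():
        if opts["method"] == "static":
            problems.extend(check_static(name, opts))
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

On the sample, lint reports the undefined eth-ghost interface and the eth-bad gateway 10.0.9.1 that lies outside 10.0.5.0/24; the enp0s31f6 stanza from Example 8.2 passes unchanged. Pointing lint at the real file (open("/etc/network/interfaces").read()) works the same way, except that stanzas kept in /etc/network/interfaces.d/ are not pulled in.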

8.2.2. Wireless Interface

Getting wireless network cards to work can be a bit more challenging. First of all, they often require the installation of proprietary firmware which is not installed by default in Debian. Then, wireless networks rely on cryptography to restrict access to authorized users only, which implies storing some secret key in the network configuration. Let's tackle those topics one by one.

8.2.2.1. Installing the required firmware

First you have to enable the non-free repository in APT's sources.list file: see Section 6.1, “Filling in the sources.list File”, for details about this file. Many firmware files are proprietary and are thus located in this repository. You can try to skip this step if you want, but if the next step doesn't find the required firmware, retry after having enabled the non-free section.

Then you have to install the appropriate firmware-* packages. If you don’t know which package you need, you can install the isenkram package and run its isenkram-autoinstall-firmware command. The packages are often named after the hardware manufacturer or the corresponding kernel module: firmware-iwlwifi for Intel wireless cards, firmware-atheros for Qualcomm Atheros, firmware-ralink for Ralink, etc. A reboot is then recommended because the kernel driver usually looks for the firmware files when it is first loaded and no longer afterwards.

8.2.2.2. Wireless specific entries in /etc/network/interfaces

ifupdown is able to manage wireless interfaces but it needs the help of the wpasupplicant package which provides the required integration between ifupdown and the wpa_supplicant command used to configure the wireless interfaces (when using WPA/WPA2 encryption). The usual entry in /etc/network/interfaces needs to be extended with two supplementary parameters to specify the name of the wireless network (aka its SSID) and the Pre-Shared Key (PSK).

Example 8.3. DHCP configuration for a wireless interface

  auto wlp4s0
  iface wlp4s0 inet dhcp
    wpa-ssid Falcot
    wpa-psk ccb290fd4fe6b22935cbae31449e050edd02ad44627b16ce0151668f5f53c01b

The wpa-psk parameter can contain either the plain text passphrase or its hashed version generated with wpa_passphrase *SSID* *passphrase*. If you use an unencrypted wireless connection, then you should put a wpa-key-mgmt NONE and no wpa-psk entry. For more information about the possible configuration options, have a look at /usr/share/doc/wpasupplicant/README.Debian.gz.

At this point, you should consider restricting the read permissions on /etc/network/interfaces to the root user only since the file contains a private key that not all users should have access to.
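The following added example (not code from the handbook or from wpa_supplicant) shows the two points just made. First, what wpa_passphrase computes: the WPA/WPA2 pre-shared key is PBKDF2-HMAC-SHA1 of the passphrase, salted with the SSID, 4096 iterations, 32 bytes, which is the 64-hex-digit form that belongs in the wpa-psk line. Second, an audit of an interfaces file that flags a plain-text passphrase, an open network (wpa-key-mgmt NONE) and a file mode that lets non-root users read the key. The sample stanza, its passphrase and the 0644 mode are constructed for the example; the only fixed value is the IEEE 802.11 test vector (SSID “IEEE”, passphrase “password”) used to verify the derivation.

```python
# Added example, not from the Debian Administrator's Handbook: derive a
# WPA/WPA2 PSK the way wpa_passphrase does, and audit /etc/network/interfaces
# for a plain-text key or permissions that expose it.
import hashlib
import os
import re
import stat


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Hex PSK as printed in the psk= line of wpa_passphrase (IEEE 802.11 PBKDF2)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")


def audit_interfaces(text: str, mode: int, uid: int) -> list:
    """Findings for an interfaces file given its contents, st_mode and owner uid."""
    findings, has_secret = [], False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        if words[0] == "wpa-psk":
            has_secret = True
            value = " ".join(words[1:]).strip('"')
            if not HEX_PSK.match(value):
                findings.append("wpa-psk holds a plain-text passphrase; store the "
                                "wpa_passphrase hex form instead")
        elif words[0] == "wpa-key-mgmt" and words[1] == "NONE":
            findings.append("open (unencrypted) wireless network configured")
    if has_secret:
        if uid != 0:
            findings.append("file holding a pre-shared key is not owned by root")
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"file mode {stat.S_IMODE(mode):04o} lets non-root users "
                            "read the pre-shared key; use chmod 0600")
    return findings


def audit_file(path: str) -> list:
    """Run the audit against a real file, e.g. audit_file('/etc/network/interfaces')."""
    st = os.stat(path)
    with open(path) as f:
        return audit_interfaces(f.read(), st.st_mode, st.st_uid)


# Constructed sample: plain-text passphrase instead of the 64-hex-digit PSK.
SAMPLE_INTERFACES = """\
auto wlp4s0
iface wlp4s0 inet dhcp
    wpa-ssid Falcot
    wpa-psk correct-horse-battery
"""

if __name__ == "__main__":
    print("IEEE test vector PSK:", wpa_psk("IEEE", "password"))
    print("PSK for the constructed sample:", wpa_psk("Falcot", "correct-horse-battery"))
    for finding in audit_interfaces(SAMPLE_INTERFACES, 0o100644, 0):   # 0644, root
        print("-", finding)
```

Note that storing the hex form is not a substitute for the chmod advice above: the 64 hex digits are the actual key used in the WPA handshake, so anyone who can read the file can join the network either way. Hashing only avoids exposing a passphrase that might be reused elsewhere.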

HISTORY WEP encryption

Usage of the deprecated WEP encryption protocol is possible with the wireless-tools package. See /usr/share/doc/wireless-tools/README.Debian for instructions.

8.2.3. Connecting with PPP through a PSTN Modem

A point to point (PPP) connection establishes an intermittent connection; this is the most common solution for connections made with a telephone modem (“PSTN modem”, since the connection goes over the public switched telephone network).

A connection by telephone modem requires an account with an access provider, including a telephone number, username, password, and, sometimes the authentication protocol to be used. Such a connection is configured using the pppconfig tool in the Debian package of the same name. By default, it sets up a connection named provider (as in Internet service provider). When in doubt about the authentication protocol, choose PAP: it is offered by the majority of Internet service providers.

After configuration, it is possible to connect using the pon command (giving it the name of the connection as a parameter, when the default value of provider is not appropriate). The link is disconnected with the poff command. These two commands can be executed by the root user, or by any other user, provided they are in the dip group.

8.2.4. Connecting through an ADSL Modem

The generic term “ADSL modem” covers a multitude of devices with very different functions. The modems that are simplest to use with Linux are those that have an Ethernet interface (and not only a USB interface). These tend to be popular; most ADSL Internet service providers lend (or lease) a “box” with Ethernet interfaces. Depending on the type of modem, the configuration required can vary widely.

8.2.4.1. Modems Supporting PPPOE

Some Ethernet modems work with the PPPOE protocol (Point to Point Protocol over Ethernet). The pppoeconf tool (from the package with the same name) will configure the connection. To do so, it modifies the /etc/ppp/peers/dsl-provider file with the settings provided and records the login information in the /etc/ppp/pap-secrets and /etc/ppp/chap-secrets files. It is recommended to accept all modifications that it proposes.

Once this configuration is complete, you can open the ADSL connection with the command pon dsl-provider, and disconnect with poff dsl-provider.

TIP Starting ppp at boot

PPP connections over ADSL are, by definition, intermittent. Since they are usually not billed according to time, there are few downsides to the temptation of keeping them always open. The standard means to do so is to use the init system.

With systemd, adding an automatically restarting task for the ADSL connection is a simple matter of creating a “unit file” such as /etc/systemd/system/adsl-connection.service, with contents such as the following:

  [Unit]
  Description=ADSL connection

  [Service]
  Type=forking
  ExecStart=/usr/sbin/pppd call dsl-provider
  Restart=always

  [Install]
  WantedBy=multi-user.target

Once this unit file has been defined, it needs to be enabled with systemctl enable adsl-connection. Then the loop can be started manually with systemctl start adsl-connection; it will also be started automatically on boot.

On systems not using systemd (including Wheezy and earlier versions of Debian), the standard SystemV init works differently. On such systems, all that is needed is to add a line such as the following at the end of the /etc/inittab file; then, any time the connection is disconnected, init will reconnect it.

  adsl:2345:respawn:/usr/sbin/pppd call dsl-provider

For ADSL connections that auto-disconnect on a daily basis, this method reduces the duration of the interruption.

8.2.4.2. Modems Supporting PPTP

The PPTP (Point-to-Point Tunneling Protocol) protocol was created by Microsoft. Deployed at the beginning of ADSL, it was quickly replaced by PPPOE. If this protocol is forced on you, see Section 10.3.4, “PPTP”.

8.2.4.3. Modems Supporting DHCP

When a modem is connected to the computer by an Ethernet cable (crossover cable) you typically configure a network connection by DHCP on the computer; the modem automatically acts as a gateway by default and takes care of routing (meaning that it manages the network traffic between the computer and the Internet).

BACK TO BASICS Crossover cable for a direct Ethernet connection

Computer network cards expect to receive data on specific wires in the cable, and send their data on others. When you connect a computer to a local network, you usually connect a cable (straight or crossover) between the network card and a repeater or switch. However, if you want to connect two computers directly (without an intermediary switch or repeater), you must route the signal sent by one card to the receiving side of the other card, and vice-versa. This is the purpose of a crossover cable, and the reason it is used.

Note that this distinction has become almost irrelevant over time, as modern network cards are able to detect the type of cable present and adapt accordingly, so it won’t be unusual that both kinds of cable will work in a given location.

Most “ADSL routers” on the market can be used like this, as can most of the ADSL modems provided by Internet service providers.

8.2.5. Automatic Network Configuration for Roaming Users

Many Falcot engineers have a laptop computer that, for professional purposes, they also use at home. The network configuration to use differs according to location. At home, it may be a wifi network (protected by a WPA key), while the workplace uses a wired network for greater security and more bandwidth.

To avoid having to manually connect or disconnect the corresponding network interfaces, administrators installed the network-manager package on these roaming machines. This software enables a user to easily switch from one network to another using a small icon displayed in the notification area of their graphical desktop. Clicking on this icon displays a list of available networks (both wired and wireless), so they can simply choose the network they wish to use. The program saves the configuration for the networks to which the user has already connected, and automatically switches to the best available network when the current connection drops.

In order to do this, the program is structured in two parts: a daemon running as root handles activation and configuration of network interfaces, and a user interface controls this daemon. PolicyKit handles the required authorizations to control this program, and Debian configured PolicyKit in such a way that members of the netdev group can add or change Network Manager connections.

Network Manager knows how to handle various types of connections (DHCP, manual configuration, local network), but only if the configuration is set with the program itself. This is why it will systematically ignore all network interfaces in /etc/network/interfaces and /etc/network/interfaces.d/ for which it is not suited. Since Network Manager doesn’t give details when no network connections are shown, the easy way is to delete from /etc/network/interfaces any configuration for all interfaces that must be managed by Network Manager.

Note that this program is installed by default when the “Desktop Environment” task is chosen during initial installation.