Networking with Linux can be simple and secure — if you know a few tricks. Here are a few more pointers to help admins knock out various Linux networking tasks with a minimum of effort.
If you either work on a Linux desktop, or administer a Linux server, there might be times when frustration sets in over networking issues. Although Linux has made significant advances over the years, there are still instances where the standard troubleshooting or optimizations won't work. To that end, you need to have some tricks and tips up your sleeve to make your life easier.
As an update to my original 10 quick tips to make Linux networking easier, I happen to have a few different tricks that I wanted to share with you. Hopefully one or more of these will assist you in either configuring, optimizing, or troubleshooting you Linux network woes.
1. Use static addresses
If this is an option, I highly recommend it. Why? Control. With a static IP address you can configure multiple DNS addresses (more on this in a bit), hardware addresses, and set the network device to start at boot. More importantly, should your particular machine host a service that other computers or devices need to reach (which is often the case with Linux), you don't want to have to constantly be instructing those devices to use a different IP address. Static IP address configuration is set in /etc/network/interfaces.
2. Disable dnsmasq
Once upon a time, you could open up /etc/resolv.conf and add specific DNS addresses and you were done. Your machine would use those configured DNS addresses for name resolution and everything would work swimmingly. Unfortunately, that is not always the case now. With Ubuntu (and its derivatives) there's a tool called dnsmasq which will always overwrite /etc/resolv.conf every time you boot or restart networking. To get around this, you have to comment out the dns=dnsmasq line in /etc/NetworkManager/NetworkManager.conf. Once you've taken care of that, restart the network manager (with the command sudo /etc/init.d/networking restart) and you should be good to go.
3. Use third-party DNS servers
I know many will throw shade at this tip, but I've always been fond of using Google's DNS servers (especially over my ISP's). The two addresses to use are 184.108.40.206 and 220.127.116.11. Once you've disabled dnsmasq, enter those in your /etc/resolv.conf file and DNS will resolve like a champ. There are other third-party DNS server that can be used (such as OpenDNS). Which you choose is up to you.
4. hosts is not a DNS replacement
Open up your /etc/hosts file. Do you have a long list of entries? If so, consider moving those to a separate DNS zone. This can avoid address resolution errors and make mapping local addresses significantly easier. Using /etc/hosts as a cheap imitation of DNS can cause issues when you start reusing addresses and forget to clean up that hosts file. If you do use /etc/hosts as a quick fix (or for testing purposes), make sure to remove those entries as soon as you're done. If you do have to retain a few entries in the hosts file, keep it to a minimum.
5. Get to know UFW
Iptables is an incredibly complex system for the configuration of the tables provided by the Linux kernel firewall. For the average user (or even the average admin), iptables can be a bit overwhelming. To that end, there is Uncomplicated Firewall (UFW). UFW is a front end for iptables that strips away the complexity, such that anyone can configure the security of their system. Even better, there are a number of GUI tools that can assist you in working with UFW (such as GUFW and gui-ufw). The combination of UFW and a good GUI will have you securing your system(s) with ease.
6. Learn the ip command
Although ifconfig has been deprecated, I still automatically turn to it when I need things like the IP address of a server. This is a habit I need to break. In place of ifconfig is the ip command and you would be well served to get to know its ins and outs. The ip command can be used to view information about an interface or configure an interface. It's pretty flexible and is only slightly more complicated than the command it replaced. For more information about ip issue the command man ip and read all about it.
7. Enable your disabled wireless
I have run into this on a few occasions. Out of nowhere, wireless networking ceases to function. Turns out, for whatever reason, the wireless adapter has been disabled. There is a solution for this to be found in the rfkill command. Issue the command sudo rfkill list all; if your wireless adapter shows up as either soft or hard blocked, issue the command sudo rfkill unblock all and then issue the command sudo /etc/init.d/networking restart will bring the connection back up.
8. Skip NFS and use Samba
You might be inclined to set up NFS to local file sharing. Don't. The NFS system requires you to have far too many ports open on your desktop or server. Instead, go with the considerably more powerful Samba. With Samba, you only are required to have a bare minimum of ports open, so security isn't nearly as big an issue. In fact, Samba runs on TCP ports 139 and 445 and UDP ports 137 and 138. For NFS you'll need UDP ports 111, 1039, 1047, 1048 and 2049 and TCP ports 111, 1039, 1047, 1048 and 2049. Why open up the security holes when Samba does an exponentially better job of sharing files across a network (plus it works great with other platforms and can connect to Active Directory).
9. Get to know sshfs
Speaking of remote folder sharing, there's a tool that should be considered a must-know for Linux administrators. That tool is sshfs, which stands for Secure Shell File System. With this command you are able to mount remote filesystems and interact with the directories and files found on that remote system as if they were on a local machine. By default sshfs isn't installed on most systems, but can be added with a command like sudo apt-get install sshfs. You first must create a mount directory on the local system and then connect to the remote filesystem (with a command like sshfs USER@IPADDRESS:/REMOTE/PATH/ /LOCAL/PATH). Once the remote filesystem is mounted, you can work with the remote path as if it were local.
10. Make use of encryption
We live in a world where security is not something to be taken lightly. If you share sensitive information via email, find out what encryption options are available for your particular email client. For example, if you use Mozilla Thunderbird, install and learn Enigmail. If you use Evolution, take advantage of the built-in support for OpenPGP. Beyond email, you can also encrypt files and directories using a number of command line or GUI tools (check out "Protect your data with these five Linux encryption tools" for more information).
Your network, your tools
Getting the most out of your network on a Linux machine doesn't require a degree in computer science or any given certification. With these tips (as well as the tips from the original piece), you should be able to have networking functioning like a champ.
- How to mount an encrypted Linux home directory to salvage data (TechRepublic)
- Linux desktop operating system: A beginner's guide (TechRepublic)
- How to upgrade the Linux kernel with a handy GUI (TechRepublic)
- How to check your Linux servers for rootkits and malware (TechRepublic)
- Docker LinuxKit: Secure Linux containers for Windows, macOS, and clouds (ZDNet)