Networking is the practice of connecting computers and sending data between them. That sounds simple enough, but to understand how it works, you need to ask two fundamental questions:
o How does the computer sending the data know where to send its data?
o When the destination computer receives the data, how does it know what it just received?
A computer answers these questions by using a series of components, with each one responsible for a certain aspect of sending, receiving, and identifying data. The components are arranged in groups that form network layers, which stack on top of each other in order to form a complete system. The Linux kernel handles networking in a similar way to the SCSI subsystem described in Chapter 3.
Because each layer tends to be independent, it’s possible to build networks with many different combinations of components. This is where network configuration can become very complicated. For this reason, we’ll begin this chapter by looking at the layers in very simple networks. You’ll learn how to view your own network settings, and when you understand the basic workings of each layer, you’ll be ready to learn how to configure those layers by yourself. Finally, you’ll move on to more advanced topics like building your own networks and configuring firewalls. (Skip over that material if your eyes start to glaze over; you can always come back.)
Before getting into the theory of network layers, take a look at the simple network shown in Figure 9-1.
Figure 9-1. A typical local area network with a router that provides Internet access
This type of network is ubiquitous; most home and small office networks are configured this way. Each machine connected to the network is called a host. The hosts are connected to a router, which is a host that can move data from one network to another. These machines (here, Hosts A, B, and C) and the router form a local area network (LAN). The connections on the LAN can be wired or wireless.
The router is also connected to the Internet—the cloud in the figure. Because the router is connected to both the LAN and the Internet, all machines on the LAN also have access to the Internet through the router. One of the goals of this chapter is to see how the router provides this access.
Your initial point of view will be from a Linux-based machine such as Host A on the LAN in Figure 9-1.
A computer transmits data over a network in small chunks called packets, which consist of two parts: a header and a payload. The header contains identifying information such as the origin/destination hosts and basic protocol. The payload, on the other hand, is the actual application data that the computer wants to send (for example, HTML or image data).
Packets allow a host to communicate with others “simultaneously,” because hosts can send, receive, and process packets in any order, regardless of where they came from or where they’re going. Breaking messages into smaller units also makes it easier to detect and compensate for errors in transmission.
For the most part, you don’t have to worry about translating between packets and the data that your application uses, because the operating system has facilities that do this for you. However, it is helpful to know the role of packets in the network layers that you’re about to see.
A fully functioning network includes a full set of network layers called a network stack. Any functional network has a stack. The typical Internet stack, from the top to bottom layer, looks like this:
o Application layer. Contains the “language” that applications and servers use to communicate; usually a high-level protocol of some sort. Common application layer protocols include Hypertext Transfer Protocol (HTTP, used for the Web), Secure Socket Layer (SSL), and File Transfer Protocol (FTP). Application layer protocols can often be combined. For example, SSL is commonly used in conjunction with HTTP.
o Transport layer. Defines the data transmission characteristics of the application layer. This layer includes data integrity checking, source and destination ports, and specifications for breaking application data into packets (if the application layer has not already done so). Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the most common transport layer protocols. The transport layer is also sometimes called the protocol layer.
o Network or Internet layer. Defines how to move packets from a source host to a destination host. The particular packet transit rule set for the Internet is known as Internet Protocol (IP). Because we’ll only talk about Internet networks in this book, we’ll really only be talking about the Internet layer. However, because network layers are meant to be hardware independent, you can simultaneously configure several independent network layers (such as IP, IPv6, IPX, and AppleTalk) on a single host.
o Physical layer. Defines how to send raw data across a physical medium, such as Ethernet or a modem. This is sometimes called the link layer or host-to-network layer.
It’s important to understand the structure of a network stack because your data must travel through these layers at least twice before it reaches a program at its destination. For example, if you’re sending data from Host A to Host B, as shown in Figure 9-1, your bytes leave the application layer on Host A and travel through the transport and network layers on Host A; then they go down to the physical medium, across the medium, and up again through the various lower levels to the application layer on Host B in much the same way. If you’re sending something to a host on the Internet through the router, it will go through some (but usually not all) of the layers on the router and anything else in between.
The layers sometimes bleed into each other in strange ways because it can be inefficient to process all of them in order. For example, devices that historically dealt with only the physical layer now sometimes look at the transport and Internet layer data to filter and route data quickly. (Don’t worry about this when you’re learning the basics.)
We’ll begin by looking at how your Linux machine connects to the network in order to answer the where question at the beginning of the chapter. This is the lower part of the stack—the physical and network layers. Later, we’ll look at the upper two layers that answer the what question.
NOTE You might have heard of another set of layers known as the Open Systems Interconnection (OSI) Reference Model. This is a seven-layer network model often used in teaching and designing networks, but we won’t cover the OSI model because you’ll be working directly with the four layers described here. To learn a lot more about layers (and networks in general), see Andrew S. Tanenbaum and David J. Wetherall’s Computer Networks, 5th edition (Prentice Hall, 2010).
9.3 The Internet Layer
Rather than start at the very bottom of the network stack with the physical layer, we’ll start at the network layer because it can be easier to understand. The Internet as we currently know it is based on the Internet Protocol, version 4 (IPv4), though version 6 (IPv6) is gaining adoption. One of the most important aspects of the Internet layer is that it’s meant to be a software network that places no particular requirements on hardware or operating systems. The idea is that you can send and receive Internet packets over any kind of hardware, using any operating system.
The Internet’s topology is decentralized; it’s made up of smaller networks called subnets. The idea is that all subnets are interconnected in some way. For example, in Figure 9-1, the LAN is normally a single subnet.
A host can be attached to more than one subnet. As you saw in 9.1 Network Basics, that kind of host is called a router if it can transmit data from one subnet to another (another term for router is gateway). Figure 9-2 refines Figure 9-1 by identifying the LAN as a subnet, as well as Internet addresses for each host and the router. The router in the figure has two addresses, the local subnet 10.23.2.1 and the link to the Internet (but this Internet link’s address is not important right now so it’s just marked “Uplink Address”). We’ll look first at the addresses and then the subnet notation.
Each Internet host has at least one numeric IP address in the form of a.b.c.d, such as 10.23.2.37. An address in this notation is called a dotted-quad sequence. If a host is connected to multiple subnets, it has at least one IP address per subnet. Each host’s IP address should be unique across the entire Internet, but as you’ll see later, private networks and NAT can make this a little confusing.
Figure 9-2. Network with IP addresses
Technically, an IP address consists of 4 bytes (or 32 bits), a.b.c.d. Bytes a and d are numbers from 1 to 254, and b and c are numbers from 0 to 255. A computer processes IP addresses as raw bytes. However, it’s much easier for a human to read and write a dotted-quad address, such as 10.23.2.37, instead of something ugly like the hexadecimal 0x0A170225.
IP addresses are like postal addresses in some ways. To communicate with another host, your machine must know that other host’s IP address. Let’s take a look at the address on your machine.
One host can have many IP addresses. To see the addresses that are active on your Linux machine, run
$ ifconfig
There will probably be a lot of output, but it should include something like this:
eth0 Link encap:Ethernet HWaddr 10:78:d2:eb:76:97
inet addr:10.23.2.4 Bcast:10.23.2.255 Mask:255.255.255.0
inet6 addr: fe80::1278:d2ff:feeb:7697/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:85076006 errors:0 dropped:0 overruns:0 frame:0
TX packets:68347795 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:86427623613 (86.4 GB) TX bytes:23437688605 (23.4 GB)
Interrupt:20 Memory:fe500000-fe520000
The ifconfig command’s output includes many details from both the Internet layer and the physical layer. (Sometimes it doesn’t even include an Internet address at all!) We’ll discuss the output in more detail later, but for now, concentrate on the second line, which reports that the host is configured to have an IPv4 address (inet addr) of 10.23.2.4. On the same line, a Mask is reported as being 255.255.255.0. This is a subnet mask, which defines the subnet that an IP address belongs to. Let’s see how that works.
NOTE The ifconfig command, as well as some of the others you’ll see later in this chapter (such as route and arp), has been technically supplanted with the newer ip command. The ip command can do more than the old commands, and it is preferable when writing scripts. However, most people still use the old commands when manually working with the network, and these commands can also be used on other versions of Unix. For this reason, we’ll use the old-style commands.
9.3.2 Subnets
A subnet is a connected group of hosts with IP addresses in some sort of order. Usually, the hosts are on the same physical network, as shown in Figure 9-2. For example, the hosts between 10.23.2.1 and 10.23.2.254 could comprise a subnet, as could all hosts between 10.23.1.1 and 10.23.255.254.
You define a subnet with two pieces: a network prefix and a subnet mask (such as the one in the output of ifconfig in the previous section). Let’s say you want to create a subnet containing the IP addresses between 10.23.2.1 and 10.23.2.254. The network prefix is the part that is common to all addresses in the subnet; in this example, it’s 10.23.2.0, and the subnet mask is 255.255.255.0. Let’s see why those are the right numbers. It’s not immediately clear how the prefix and mask work together to give you all possible IP addresses on a subnet. Looking at the numbers in binary form helps clear it up. The mask marks the bit locations in an IP address that are common to the subnet. For example, here are the binary forms of 10.23.2.0 and 255.255.255.0:
10.23.2.0:     00001010 00010111 00000010 00000000
255.255.255.0: 11111111 11111111 11111111 00000000
Now, consider the bit locations in 10.23.2.0 that are 1s in 255.255.255.0. They are the first 24 bits, shown here to the left of the vertical bar:
10.23.2.0: 00001010 00010111 00000010 | 00000000
Look at the bits to the right of the bar, where the mask has 0s. You can set any number of these bits to 1 to get a valid IP address in this subnet, with the exception of all 0s or all 1s.
Putting it all together, you can see how a host with an IP address of 10.23.2.1 and a subnet mask of 255.255.255.0 is on the same subnet as any other computers that have IP addresses beginning with 10.23.2. You can denote this entire subnet as 10.23.2.0/255.255.255.0.
If you’re lucky, you’ll only deal with easy subnet masks like 255.255.255.0 or 255.255.0.0, but you may be unfortunate and encounter stuff like 255.255.255.192, where it isn’t quite so simple to determine the set of addresses that belong to the subnet. Furthermore, it’s likely that you’ll also encounter a different form of subnet representation called Classless Inter-Domain Routing (CIDR) notation, where a subnet such as 10.23.2.0/255.255.255.0 is written as 10.23.2.0/24.
To understand what this means, look at the mask in binary form (as in the example you saw in the preceding section). You’ll find that nearly all subnet masks are just a bunch of 1s followed by a bunch of 0s. For example, you just saw that 255.255.255.0 in binary form is 24 1-bits followed by 8 0-bits. The CIDR notation identifies the subnet mask by the number of leading 1s in the subnet mask. Therefore, a combination such as 10.23.2.0/24 includes both the subnet prefix and its subnet mask.
Table 9-1 shows several example subnet masks and their CIDR forms.
Table 9-1. Subnet Masks
NOTE If you aren’t familiar with conversion between decimal, binary, and hexadecimal formats, you can use a calculator utility such as bc or dc to convert between different radix representations. For example, in bc, you can run the command obase=2; 240 to print the number 240 in binary (base 2) form.
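The subnet arithmetic from the last two sections, worked through in code. This is an added example, not code from the book: it parses the ifconfig fragment quoted earlier (reproduced here as a constructed string), converts a dotted-quad mask to its CIDR prefix length, rejects a mask that is not a run of 1s followed by 0s (the only shape CIDR can express), and lists the usable host range of a less convenient subnet such as one with the 255.255.255.192 mask mentioned above. All function names are this example's own.

```python
"""Subnet arithmetic for dotted-quad addresses and masks (added example)."""
import re


def to_int(addr: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad dotted quad: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_quad(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Render an address as four 8-bit groups, like the binary forms in the text."""
    n = to_int(addr)
    return " ".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """CIDR prefix length of a mask; rejects masks whose 1s are not contiguous."""
    m = to_int(mask)
    ones = bin(m).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if m != contiguous:
        raise ValueError(f"non-contiguous mask, no CIDR form: {mask}")
    return ones


def subnet_of(addr: str, mask: str) -> str:
    """Network prefix in CIDR form: the address ANDed with the mask."""
    prefix = mask_to_prefix(mask)
    net = to_int(addr) & to_int(mask)
    return f"{to_quad(net)}/{prefix}"


def host_range(cidr: str) -> tuple:
    """(first host, last host, host count), excluding the all-0s and all-1s addresses."""
    net, prefix = cidr.split("/")
    prefix = int(prefix)
    base = to_int(net)
    size = 1 << (32 - prefix)
    if prefix >= 31:  # /31 and /32 leave no room to reserve two addresses
        return to_quad(base), to_quad(base + size - 1), size
    return to_quad(base + 1), to_quad(base + size - 2), size - 2


# Constructed sample: the first two lines of the ifconfig output shown in the text.
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 10:78:d2:eb:76:97
inet addr:10.23.2.4 Bcast:10.23.2.255 Mask:255.255.255.0
"""


def subnet_from_ifconfig(text: str) -> str:
    """Pull 'inet addr' and 'Mask' out of ifconfig output and return the CIDR subnet."""
    m = re.search(r"inet addr:(\S+).*?Mask:(\S+)", text)
    if not m:
        raise ValueError("no IPv4 address in ifconfig output")
    return subnet_of(m.group(1), m.group(2))


if __name__ == "__main__":
    print(to_binary("10.23.2.0"))
    print(to_binary("255.255.255.0"))
    print(subnet_from_ifconfig(IFCONFIG))
    print(subnet_of("10.23.2.100", "255.255.255.192"), host_range("10.23.2.64/26"))
```

The contiguity check matters when you read masks out of configuration files: a mask such as 255.255.0.255 is accepted by some tools but has no /N equivalent, and treating it as one silently changes which hosts count as local.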
Identifying subnets and their hosts is the first building block to understanding how the Internet works. However, you still need to connect the subnets.
Connecting Internet subnets is mostly a process of identifying the hosts connected to more than one subnet. Returning to Figure 9-2, think about Host A at IP address 10.23.2.4. This host is connected to a local network of 10.23.2.0/24 and can directly reach hosts on that network. To reach hosts on the rest of the Internet, it must communicate through the router at 10.23.2.1.
How does the Linux kernel distinguish between these two different kinds of destinations? It uses a destination configuration called a routing table to determine its routing behavior. To show the routing table, use the route -n command. Here’s what you might see for a simple host such as 10.23.2.4:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.23.2.1 0.0.0.0 UG 0 0 0 eth0
10.23.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
The last two lines here contain the routing information. The Destination column tells you a network prefix, and the Genmask column is the netmask corresponding to that network. There are two networks defined in this output: 0.0.0.0/0 (which matches every address on the Internet) and 10.23.2.0/24. Each network has a U under its Flags column, indicating that the route is active (“up”).
Where the destinations differ is in the combination of their Gateway and Flags columns. For 0.0.0.0/0, there is a G in the Flags column, meaning that communication for this network must be sent through the gateway in the Gateway column (10.23.2.1, in this case). However, for 10.23.2.0/24, there is no G in Flags, indicating that the network is directly connected in some way. Here, 0.0.0.0 is used as a stand-in under Gateway. Ignore the other columns of output for now.
There’s one tricky detail: Say the host wants to send something to 10.23.2.132, which matches both rules in the routing table, 0.0.0.0/0 and 10.23.2.0/24. How does the kernel know to use the second one? It chooses the longest destination prefix that matches. This is where CIDR network form comes in particularly handy: 10.23.2.0/24 matches, and its prefix is 24 bits long; 0.0.0.0/0 also matches, but its prefix is 0 bits long (that is, it has no prefix), so the rule for 10.23.2.0/24 takes priority.
NOTE The -n option tells route to show IP addresses instead of showing hosts and networks by name. This is an important option to remember because you’ll be able to use it in other network-related commands such as netstat.
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.23.2.1 0.0.0.0 UG 0 0 0 eth0
10.23.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
An entry for 0.0.0.0/0 in the routing table has special significance because it matches any address on the Internet. This is the default route, and the address configured under the Gateway column (in the route -n output) in the default route is the default gateway. When no other rules match, the default route always does, and the default gateway is where you send messages when there is no other choice. You can configure a host without a default gateway, but it won’t be able to reach hosts outside the destinations in the routing table.
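The longest-prefix rule and the default route, implemented over the route -n output shown above. This is an added example, not the book's code or the kernel's: it parses the two routing lines (constructed here as a string), picks the matching route with the longest prefix, and reports whether a destination goes to a gateway or is delivered directly. Dropping the default route shows the "no route" case the text describes for a host without a default gateway. Function and class names are this example's own.

```python
"""Longest-prefix route lookup over 'route -n' output (added example)."""
from dataclasses import dataclass

# Constructed sample: the route -n output quoted in the text.
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.23.2.1 0.0.0.0 UG 0 0 0 eth0
10.23.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
"""


def to_int(addr: str) -> int:
    a, b, c, d = (int(p) for p in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Route:
    dest: int
    mask: int
    gateway: str
    flags: str
    iface: str

    @property
    def prefix_len(self) -> int:
        return bin(self.mask).count("1")

    def matches(self, addr: int) -> bool:
        # A route matches when the destination's masked bits equal the prefix.
        return (addr & self.mask) == (self.dest & self.mask)


def parse_route_n(text: str) -> list:
    """Turn route -n output into Route objects; title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0][0].isdigit():
            continue
        routes.append(Route(to_int(cols[0]), to_int(cols[2]), cols[1], cols[3], cols[7]))
    return routes


def lookup(routes: list, dest: str) -> str:
    """Describe how 'dest' would be sent, or 'unreachable' if no route matches."""
    addr = to_int(dest)
    candidates = [r for r in routes if "U" in r.flags and r.matches(addr)]
    if not candidates:
        return "unreachable"
    best = max(candidates, key=lambda r: r.prefix_len)  # longest prefix wins
    if "G" in best.flags:
        return f"via {best.gateway} dev {best.iface}"
    return f"direct dev {best.iface}"


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    for d in ("10.23.2.132", "93.184.216.119"):
        print(d, "->", lookup(table, d))
    # Without the default route, only the local subnet is reachable.
    local_only = [r for r in table if r.prefix_len > 0]
    print("93.184.216.119 without default gateway ->", lookup(local_only, "93.184.216.119"))
```

Because 0.0.0.0/0 has a prefix length of 0, it can only ever win when nothing more specific matches, which is exactly the behaviour the text describes for the default gateway.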
NOTE On most networks with a netmask of 255.255.255.0, the router is usually at address 1 of the subnet (for example, 10.23.2.1 in 10.23.2.0/24). Because this is simply a convention, there can be exceptions.
9.5 Basic ICMP and DNS Tools
Now it’s time to look at some basic practical utilities to help you interact with hosts. These tools use two protocols of particular interest: Internet Control Message Protocol (ICMP), which can help you root out problems with connectivity and routing, and the Domain Name Service (DNS) system, which maps names to IP addresses so that you don’t have to remember a bunch of numbers.
ping (see http://ftp.arl.mil/~mike/ping.html) is one of the most basic network debugging tools. It sends ICMP echo request packets to a host that ask a recipient host to return the packet to the sender. If the recipient host gets the packet and is configured to reply, it sends an ICMP echo response packet in return.
For example, say that you run ping 10.23.2.1 and get this output:
$ ping 10.23.2.1
PING 10.23.2.1 (10.23.2.1) 56(84) bytes of data.
64 bytes from 10.23.2.1: icmp_req=1 ttl=64 time=1.76 ms
64 bytes from 10.23.2.1: icmp_req=2 ttl=64 time=2.35 ms
64 bytes from 10.23.2.1: icmp_req=4 ttl=64 time=1.69 ms
64 bytes from 10.23.2.1: icmp_req=5 ttl=64 time=1.61 ms
The first line says that you’re sending 56-byte packets (84 bytes, if you include the headers) to 10.23.2.1 (by default, one packet per second), and the remaining lines indicate responses from 10.23.2.1. The most important parts of the output are the sequence number (icmp_req) and the round-trip time (time). The number of bytes returned is the size of the packet sent plus 8. (The content of the packets isn’t important to you.)
A gap in the sequence numbers, such as the one between 2 and 4, usually means there’s some kind of connectivity problem. It’s possible for packets to arrive out of order, and if they do, there’s some kind of problem because ping sends only one packet a second. If a response takes more than a second (1000ms) to arrive, the connection is extremely slow.
The round-trip time is the total elapsed time between the moment that the request packet leaves and the moment that the response packet arrives. If there’s no way to reach the destination, the final router to see the packet returns an ICMP “host unreachable” packet to ping.
On a wired LAN, you should expect absolutely no packet loss and very low numbers for the round-trip time. (The preceding example output is from a wireless network.) You should also expect no packet loss from your network to and from your ISP and reasonably steady round-trip times.
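The three checks the text asks you to make on ping output (a gap in the sequence numbers, replies arriving out of order, and a round trip over 1000 ms), applied automatically. This is an added example, not the book's code: the sample is the ping session quoted above, constructed here as a string, and the function names are this example's own.

```python
"""Checks over ping output: sequence gaps, reordering and slow replies (added example)."""
import re

# Constructed sample: the ping session quoted in the text (sequence number 3 is missing).
PING_OUTPUT = """\
PING 10.23.2.1 (10.23.2.1) 56(84) bytes of data.
64 bytes from 10.23.2.1: icmp_req=1 ttl=64 time=1.76 ms
64 bytes from 10.23.2.1: icmp_req=2 ttl=64 time=2.35 ms
64 bytes from 10.23.2.1: icmp_req=4 ttl=64 time=1.69 ms
64 bytes from 10.23.2.1: icmp_req=5 ttl=64 time=1.61 ms
"""

# Newer ping versions label the sequence number icmp_seq rather than icmp_req; accept both.
REPLY_RE = re.compile(r"icmp_(?:req|seq)=(\d+) ttl=(\d+) time=([\d.]+) ms")


def parse_replies(text: str) -> list:
    """(seq, ttl, rtt_ms) tuples in the order the replies were printed."""
    return [(int(s), int(t), float(r)) for s, t, r in REPLY_RE.findall(text)]


def analyse(text: str, slow_ms: float = 1000.0) -> dict:
    """Flag missing sequence numbers, out-of-order replies and replies slower than slow_ms."""
    replies = parse_replies(text)
    seqs = [s for s, _, _ in replies]
    findings = {"missing": [], "reordered": [], "slow": [], "rtt_avg_ms": None}
    if seqs:
        expected = set(range(min(seqs), max(seqs) + 1))
        findings["missing"] = sorted(expected - set(seqs))
        # ping sends one packet a second, so sequence numbers should only ever increase.
        findings["reordered"] = [s for prev, s in zip(seqs, seqs[1:]) if s < prev]
        findings["slow"] = [s for s, _, r in replies if r > slow_ms]
        findings["rtt_avg_ms"] = round(sum(r for _, _, r in replies) / len(replies), 2)
    return findings


if __name__ == "__main__":
    print(analyse(PING_OUTPUT))
```

On a wired LAN, every list in the result should be empty; a non-empty "missing" list is the packet loss the text tells you not to expect there.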
NOTE For security reasons, not all hosts on the Internet respond to ICMP echo request packets, so you might find that you can connect to a website on a host but not get a ping response.
9.5.2 traceroute
The ICMP-based program traceroute will come in handy when you reach the material on routing later in this chapter. Use traceroute host to see the path your packets take to a remote host. (traceroute -n host will disable hostname lookups.)
One of the best things about traceroute is that it reports return trip times at each step in the route, as demonstrated in this output fragment:
4 206.220.243.106 1.163 ms 0.997 ms 1.182 ms
5 4.24.203.65 1.312 ms 1.12 ms 1.463 ms
6 64.159.1.225 1.421 ms 1.37 ms 1.347 ms
7 64.159.1.38 55.642 ms 55.625 ms 55.663 ms
8 209.247.10.230 55.89 ms 55.617 ms 55.964 ms
9 209.244.14.226 55.851 ms 55.726 ms 55.832 ms
10 209.246.29.174 56.419 ms 56.44 ms 56.423 ms
Because this output shows a big latency jump between hops 6 and 7, that part of the route is probably some sort of long-distance link.
The output from traceroute can be inconsistent. For example, the replies may time out at a certain step, only to “reappear” in later steps. The reason is usually that the router at that step refused to return the debugging output that traceroute wants but routers in later steps were happy to return the output. In addition, a router might choose to assign a lower priority to the debugging traffic than it does to normal traffic.
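Finding the latency jump between hops 6 and 7 without reading the numbers by eye. This is an added example, not the book's code: it parses the traceroute fragment quoted above (constructed here as a string, plus one made-up hop that answered no probe, to show the timeouts the text describes), takes the median of the three probes per hop so that one slow probe does not dominate, and reports the largest rise between consecutive answering hops. Function names are this example's own.

```python
"""Locating the biggest latency jump in traceroute output (added example)."""
import re
from statistics import median

# Constructed sample: the traceroute fragment quoted in the text.
TRACEROUTE = """\
4 206.220.243.106 1.163 ms 0.997 ms 1.182 ms
5 4.24.203.65 1.312 ms 1.12 ms 1.463 ms
6 64.159.1.225 1.421 ms 1.37 ms 1.347 ms
7 64.159.1.38 55.642 ms 55.625 ms 55.663 ms
8 209.247.10.230 55.89 ms 55.617 ms 55.964 ms
9 209.244.14.226 55.851 ms 55.726 ms 55.832 ms
10 209.246.29.174 56.419 ms 56.44 ms 56.423 ms
"""

# Constructed hop that answered none of the probes (traceroute prints '* * *').
SILENT_HOP = "11 * * *\n"

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_hops(text: str) -> dict:
    """{hop: (address or None, [rtt_ms, ...])}; a silent hop gets None and an empty list."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, addr, rest = int(m.group(1)), m.group(2), m.group(3)
        if addr == "*":
            hops[hop] = (None, [])
            continue
        hops[hop] = (addr, [float(r) for r in RTT_RE.findall(rest)])
    return hops


def hop_medians(hops: dict) -> dict:
    """Median RTT per answering hop, in hop order; silent hops are left out."""
    return {h: median(rtts) for h, (addr, rtts) in sorted(hops.items()) if rtts}


def biggest_jump(hops: dict):
    """(from_hop, to_hop, increase_ms) for the largest rise between consecutive answering hops."""
    meds = hop_medians(hops)
    keys = list(meds)
    best = None
    for a, b in zip(keys, keys[1:]):
        delta = meds[b] - meds[a]
        if best is None or delta > best[2]:
            best = (a, b, round(delta, 3))
    return best


if __name__ == "__main__":
    hops = parse_hops(TRACEROUTE + SILENT_HOP)
    print("silent hops:", [h for h, (addr, _) in hops.items() if addr is None])
    print("biggest jump:", biggest_jump(hops))
```

Skipping silent hops rather than treating them as zero is what keeps a router that refuses to answer (or deprioritises the debugging traffic, as the text notes) from showing up as a false jump.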
IP addresses are difficult to remember and subject to change, which is why we normally use names such as www.example.com instead. The DNS library on your system normally handles this translation automatically, but sometimes you’ll want to manually translate between a name and an IP address. To find the IP address behind a domain name, use the host command:
$ host www.example.com
www.example.com has address 93.184.216.119
www.example.com has IPv6 address 2606:2800:220:6d:26bf:1447:1097:aa7
Notice how this example has both the IPv4 address 93.184.216.119 and the much larger IPv6 address. This means that this host also has an address on the next-generation version of the Internet.
You can also use host in reverse: Enter an IP address instead of a hostname to try to discover the hostname behind the IP address. But don’t expect this to work reliably. Many hostnames can represent a single IP address, and DNS doesn’t know how to determine which hostname should correspond to an IP address. The domain administrator must manually set up this reverse lookup, and often the administrator does not. (There is a lot more to DNS than the host command. We’ll cover basic client configuration later in 9.12 Resolving Hostnames.)
One of the key things to understand about the Internet is that it’s a software network. Nothing we’ve discussed so far is hardware specific, and indeed, one reason for the Internet’s success is that it works on almost any kind of computer, operating system, and physical network. However, you still have to put a network layer on top of some kind of hardware, and that interface is called the physical layer.
In this book, we’ll look at the most common kind of physical layer: an Ethernet network. The IEEE 802 family of standards documents defines many different kinds of Ethernet networks, from wired to wireless, but they all have a few things in common, in particular, the following:
o All devices on an Ethernet network have a Media Access Control (MAC) address, sometimes called a hardware address. This address is independent of a host’s IP address, and it is unique to the host’s Ethernet network (but not necessarily a larger software network such as the Internet). A sample MAC address is 10:78:d2:eb:76:97.
o Devices on an Ethernet network send messages in frames, which are wrappers around the data sent. A frame contains the origin and destination MAC addresses.
Ethernet doesn’t really attempt to go beyond hardware on a single network. For example, if you have two different Ethernet networks with one host attached to both networks (and two different network interface devices), you can’t directly transmit a frame from one Ethernet network to the other unless you set up a special Ethernet bridge. And this is where higher network layers (such as the Internet layer) come in. By convention, each Ethernet network is also usually an Internet subnet. Even though a frame can’t leave one physical network, a router can take the data out of a frame, repackage it, and send it to a host on a different physical network, which is exactly what happens on the Internet.
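The layering described here, made concrete: a frame carries MAC addresses, and the packet inside it carries IP addresses, which is what lets a router unwrap one and re-wrap the other. This is an added example, not the book's code. It builds one Ethernet frame by hand (a constructed sample: the MAC 10:78:d2:eb:76:97 from the ifconfig output as the source, a made-up locally administered destination MAC, and an IPv4 header carrying an ICMP echo request from 10.23.2.4 to 10.23.2.1), then decodes it layer by layer and verifies the IPv4 header checksum on the way. Function names are this example's own.

```python
"""Building and decoding one Ethernet frame with an IPv4 packet inside (added example)."""
import struct


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (caller zeroes the checksum field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    fields = (0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
              bytes(int(p) for p in src.split(".")), bytes(int(p) for p in dst.split(".")))
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Physical-layer wrapper: destination MAC, source MAC, EtherType, then the packet."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def decode(frame: bytes) -> dict:
    """Read the Ethernet header first, then (for EtherType 0x0800) the IPv4 header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    out = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if out["ethertype"] != 0x0800:
        return out  # not IPv4: the Internet layer has nothing to say about this payload
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    header = ip[:ihl]
    # Recompute the checksum over the header with its checksum field zeroed.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    out["ip_checksum_ok"] = ipv4_checksum(zeroed) == struct.unpack("!H", header[10:12])[0]
    out["ttl"], out["proto"] = ip[8], ip[9]
    out["src_ip"] = ".".join(str(b) for b in ip[12:16])
    out["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    out["payload"] = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    return out


# Constructed sample payload: an 8-byte ICMP echo request header (type 8, code 0), no data.
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])
FRAME = build_frame("02:00:00:00:00:01", "10:78:d2:eb:76:97", 0x0800,
                    build_ipv4("10.23.2.4", "10.23.2.1", 1, ICMP_ECHO))

if __name__ == "__main__":
    for key, value in decode(FRAME).items():
        print(f"{key:15} {value}")
```

Note that the MAC addresses live only in the outer 14 bytes: a router forwarding this packet to another physical network keeps the IP header (decrementing the TTL and fixing the checksum) but builds a new frame with its own source MAC and the next hop's destination MAC.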
The physical and the Internet layers must be connected in a way that allows the Internet layer to retain its hardware-independent flexibility. The Linux kernel maintains its own division between the two layers and provides communication standards for linking them called a (kernel) network interface. When you configure a network interface, you link the IP address settings from the Internet side with the hardware identification on the physical device side. Network interfaces have names that usually indicate the kind of hardware underneath, such as eth0 (the first Ethernet card in the computer) and wlan0 (a wireless interface).
In 9.3.1 Viewing Your Computer’s IP Addresses, you learned the most important command for viewing or manually configuring the network interface settings: ifconfig. Recall this output:
eth0 Link encap:Ethernet HWaddr 10:78:d2:eb:76:97
inet addr:10.23.2.4 Bcast:10.23.2.255 Mask:255.255.255.0
inet6 addr: fe80::1278:d2ff:feeb:7697/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:85076006 errors:0 dropped:0 overruns:0 frame:0
TX packets:68347795 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:86427623613 (86.4 GB) TX bytes:23437688605 (23.4 GB)
Interrupt:20 Memory:fe500000-fe520000
For each network interface, the left side of the output shows the interface name, and the right side contains settings and statistics for the interface. In addition to the Internet layer pieces that we’ve already covered, you also see the MAC address on the physical layer (HWaddr). The lines containing UP and RUNNING tell you that the interface is working.
Although ifconfig shows some hardware information (in this case, even some low-level device settings such as the interrupt and memory used), it’s designed primarily for viewing and configuring the software layers attached to the interfaces. To dig deeper into the hardware and physical layer behind a network interface, use something like the ethtool command to display or change the settings on Ethernet cards. (We’ll look briefly at wireless networks in 9.23 Wireless Ethernet.)
You’ve now seen all of the basic elements that go into the lower levels of a network stack: the physical layer, the network (Internet) layer, and the Linux kernel’s network interfaces. In order to combine these pieces to connect a Linux machine to the Internet, you or a piece of software must do the following:
When all machines were big stationary boxes wired together, this was relatively straightforward: The kernel did step 1, you didn’t need step 2, and you’d do step 3 with the ifconfig command and step 4 with the route command.
To manually set the IP address and netmask for a kernel network interface, you’d do this:
# ifconfig interface address netmask mask
Here, interface is the name of the interface, such as eth0. When the interface was up, you’d be ready to add routes, which was typically just a matter of setting the default gateway, like this:
# route add default gw gw-address
The gw-address parameter is the IP address of your default gateway; it must be an address in a locally connected subnet defined by the address and mask settings of one of your network interfaces.
To remove a default gateway, run
# route del -net default
You can easily override the default gateway with other routes. For example, say your machine is on subnet 10.23.2.0/24, you want to reach a subnet at 192.168.45.0/24, and you know that 10.23.2.44 can act as a router for that subnet. Run this command to send traffic bound for 192.168.45.0 to that router:
# route add -net 192.168.45.0/24 gw 10.23.2.44
You don’t need to specify the router in order to delete a route:
# route del -net 192.168.45.0/24
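As an added example, not code from the book: a POSIX sh script that ties the ifconfig listing shown earlier to the rule that a default gateway must lie in a locally connected subnet. It parses the classic ifconfig output for an interface's HWaddr, address and mask, checks the UP and RUNNING flags, and only then prints (or, with DO_ROUTE=1, runs) the route add default gw command; SAMPLE_IFCONFIG, the function names and the DO_ROUTE switch are my own assumptions.

```shell
#!/bin/sh
# Added example (not the book's code): pull MAC, IPv4 address and netmask out of
# classic ifconfig output, check UP/RUNNING, and only then allow "route add
# default gw" for a gateway that lies in the interface's own subnet.
# SAMPLE_IFCONFIG is constructed from the page's eth0 listing; use "$(ifconfig)" live.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 10:78:d2:eb:76:97
          inet addr:10.23.2.4  Bcast:10.23.2.255  Mask:255.255.255.0
          inet6 addr: fe80::1278:d2ff:feeb:7697/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
# Dotted-quad IPv4 address to a 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# ifconfig_field <output> <iface> <key>: print a "key:value" field (addr, Mask,
# Bcast, MTU ...) or the word after a bare key (HWaddr) for one interface.
# An unindented line such as "eth0 ..." starts that interface's block.
ifconfig_field() {
    printf '%s\n' "$1" | awk -v iface="$2" -v key="$3" '
        /^[A-Za-z0-9]/ { cur = $1 }
        cur == iface { for (i = 1; i <= NF; i++) {
            if (split($i, kv, ":") == 2 && kv[1] == key && kv[2] != "") print kv[2]
            else if ($i == key && i < NF) print $(i + 1) } }'
}
# iface_is_up <output> <iface>: succeed only if both UP and RUNNING flags are set.
iface_is_up() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[A-Za-z0-9]/ { cur = $1 }
        cur == iface { for (i = 1; i <= NF; i++) { if ($i == "UP") up = 1; if ($i == "RUNNING") run = 1 } }
        END { exit (up && run) ? 0 : 1 }'
}
# same_subnet <addr> <mask> <gw>: succeed if gw and addr share the masked prefix.
same_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$2") )) -eq $(( $(ip_to_int "$3") & $(ip_to_int "$2") )) ]
}
# set_default_gw <output> <iface> <gw>: validate, then print the route command;
# set DO_ROUTE=1 to run it (needs root). Returns 1 if gw is off the subnet,
# 2 if the interface is down, 3 if no IPv4 address/mask was found.
set_default_gw() {
    iface_is_up "$1" "$2" || { echo "$2: not UP and RUNNING" >&2; return 2; }
    addr=$(ifconfig_field "$1" "$2" addr); mask=$(ifconfig_field "$1" "$2" Mask)
    [ -n "$addr" ] && [ -n "$mask" ] || { echo "$2: no IPv4 addr/Mask" >&2; return 3; }
    same_subnet "$addr" "$mask" "$3" ||
        { echo "$3 is not in the $2 subnet ($addr mask $mask)" >&2; return 1; }
    echo "route add default gw $3"
    [ "${DO_ROUTE:-0}" = 1 ] && route add default gw "$3"
    return 0
}
```

On a host whose ifconfig still prints the classic net-tools layout shown above, `set_default_gw "$(ifconfig)" eth0 10.23.2.1` performs the same check against the live interface.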
Now, before you go crazy with routes, you should know that messing with routes is often more complicated than it appears. For this particular example, you also have to make sure that the routing for all hosts on 192.168.45.0/24 can lead back to 10.23.2.0/24, or the first route you add is basically useless.
Normally, you should keep things as simple as possible for your clients, setting up networks so that their hosts need only a default route. If you need multiple subnets and the ability to route between them, it’s usually best to configure the routers acting as the default gateways to do all of the work of routing between different local subnets. (You’ll see an example in 9.17 Configuring Linux as a Router.)
We’ve discussed ways to manually configure a network, and the traditional way to ensure the correctness of a machine’s network configuration was to have init run a script to run the manual configuration at boot time. This boils down to running tools like ifconfig and route somewhere in the chain of boot events. Many servers still do it this way.
There have been many attempts in Linux to standardize configuration files for boot-time networking. The tools ifup and ifdown do so—for example, a boot script can (in theory) run ifup eth0 to run the correct ifconfig and route commands for the eth0 interface. Unfortunately, different distributions have completely different implementations of ifup and ifdown, and as a result, their configuration files are also completely different. Ubuntu, for example, uses the ifupdown suite with configuration files in /etc/network, and Fedora uses its own set of scripts with configuration in /etc/sysconfig/network-scripts.
You don’t need to know the details of these configuration files, and if you insist on doing it all by hand and bypass your distribution’s configuration tools, you can just look up the formats in manual pages such as ifup(8) and interfaces(5). But it is important to know that this type of boot-activated configuration is often not even used. You’ll most often see it for the local-host (or lo; see 9.13 Localhost) network interface but nothing else because it’s too inflexible to meet the needs of modern systems.
Although most systems used to configure the network in their boot mechanisms—and many servers still do—the dynamic nature of modern networks means that most machines don’t have static (unchanging) IP addresses. Rather than storing the IP address and other network information on your machine, your machine gets this information from somewhere on the local physical network when it first attaches to that network. Most normal network client applications don’t particularly care what IP address your machine uses, as long as it works. Dynamic Host Configuration Protocol (DHCP, described in 9.16 Understanding DHCP) tools do the basic network layer configuration on typical clients.
There’s more to the story, though. For example, wireless networks add additional dimensions to interface configuration, such as network names, authentication, and encryption techniques. When you step back to look at the bigger picture, you see that your system needs a way to answer the following questions:
o If the machine has multiple physical network interfaces (such as a notebook with wired and wireless Ethernet), how do you choose which one(s) to use?
o How should the machine set up the physical interface? For wireless networks, this includes scanning for network names, choosing a name, and negotiating authentication.
o Once the physical network interface is connected, how should the machine set up the software network layers, such as the Internet layer?
o How can you let a user choose connectivity options? For example, how do you let a user choose a wireless network?
o What should the machine do if it loses connectivity on a network interface?
Answering these questions is usually more than simple boot scripts can handle, and it’s a real hassle to do it all by hand. The answer is to use a system service that can monitor physical networks and choose (and automatically configure) the kernel network interfaces based on a set of rules that makes sense to the user. The service should also be able to respond to requests from users, who should be able to change the wireless network they’re on without having to become root just to fiddle around with network settings every time something changes.
Original statement: this article is published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.
If it infringes any rights, contact cloudcommunity@tencent.com for removal.