######################################################################
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
#
# A "#" character in the very first column makes the rest of the line
# be ignored. Blank lines are ignored. Lines may be indented freely.
# A "\" character at the very end of the line indicates the next line
# should be treated as a continuation of the current one.
#
# The "pre-up", "up", "down" and "post-down" options are valid for all
# interfaces, and may be specified multiple times. All other options
# may only be specified once.
#
# See the interfaces(5) manpage for information on what options are
# available.
######################################################################

# The loopback interface isn't really required any longer,
# but can be used if needed.
#
# auto lo
# iface lo inet loopback

# An example ethernet card setup: (broadcast and gateway are optional)
#
# auto eth0
# iface eth0 inet static
#     address 192.168.0.42/24
#     gateway 192.168.0.1

# An example IPv6 setup:
#
# auto eth0
# iface eth0 inet6 static
#     address fec0::42/64
#     gateway fec0::1

# Multiple addresses can be added by simply using multiple iface stanzas.
# This also allows you to add both IPv4 and IPv6 addresses to the same
# interface:
#
# auto eth0
# iface eth0 inet static
#     address 192.168.0.42/24
#     gateway 192.168.0.1
# iface eth0 inet static
#     address 172.16.0.1/24
# iface eth0 inet6 static
#     address fec0::42/64
#     gateway fec0::1

# For more complicated configurations, for example adding more routes,
# you can use the "up" and "down" lines to have commands executed when the
# interface is brought up or down, respectively:
#
# auto eth0
# iface eth0 inet static
#     address 192.168.1.42/25
#     up ip route add 192.168.1.128/25 via 192.168.1.2 onlink dev $IFACE
#     down ip route del 192.168.1.128/25 via 192.168.1.2 onlink dev $IFACE

# "pre-up" and "post-down" commands are also available. In addition, the
# exit status of these commands is checked, and if any fail, configuration
# (or deconfiguration) is aborted. So:
#
# auto eth0
# iface eth0 inet dhcp
#     pre-up [ -f /etc/network/local-network-ok ]
#
# will allow you to only have eth0 brought up when the file
# /etc/network/local-network-ok exists.

# Two ethernet interfaces, one connected to a trusted LAN, the other to
# the untrusted Internet. If their MAC addresses get swapped (because an
# updated kernel uses a different order when probing for network cards,
# say), then they don't get brought up at all.
#
# auto eth0 eth1
# iface eth0 inet static
#     address 192.168.42.1
#     netmask 255.255.255.0
#     pre-up /path/to/check-mac-address.sh eth0 11:22:33:44:55:66
#     pre-up /usr/local/sbin/enable-masq
# iface eth1 inet dhcp
#     pre-up /path/to/check-mac-address.sh eth1 AA:BB:CC:DD:EE:FF
#     pre-up /usr/local/sbin/firewall

# Two ethernet interfaces, one connected to a trusted LAN, the other to
# the untrusted Internet, identified by MAC address rather than interface
# name:
#
# auto eth0 eth1
# mapping eth0 eth1
#     script /path/to/get-mac-address.sh
#     map 11:22:33:44:55:66 lan
#     map AA:BB:CC:DD:EE:FF internet
# iface lan inet static
#     address 192.168.42.1
#     netmask 255.255.255.0
#     pre-up /usr/local/sbin/enable-masq $IFACE
# iface internet inet dhcp
#     pre-up /usr/local/sbin/firewall $IFACE

# A PCMCIA interface for a laptop that is used in different locations:
# (note the lack of an "auto" line for any of these)
#
# mapping eth0
#     script /path/to/pcmcia-compat.sh
#     map home,*,*,* home
#     map work,*,*,00:11:22:33:44:55 work-wireless
#     map work,*,*,01:12:23:34:45:50 work-static
#
# iface home inet dhcp
# iface work-wireless inet bootp
# iface work-static inet static
#     address 10.15.43.23
#     netmask 255.255.255.0
#     gateway 10.15.43.1
#
# Note, this won't work unless you specifically change the file
# /etc/pcmcia/network to look more like:
#
#     PATH="$PATH:/sbin:/usr/sbin"
#     if [ -r ./shared ] ; then . ./shared ; else . /etc/pcmcia/shared ; fi
#     get_info $DEVICE
#     case "$ACTION" in
#         'start')
#             ifup $DEVICE
#             ;;
#         'stop')
#             ifdown $DEVICE
#             ;;
#     esac
#     exit 0

# An alternate way of doing the same thing: (in this case, the laptop's
# location is identified by configuring the interface with various
# options and seeing whether a computer that is known to be on each
# particular network responds to pings. The various numbers here need to
# be chosen with a great deal of care.)
#
# mapping eth0
#     script /path/to/ping-places.sh
#     map 192.168.42.254/24 192.168.42.1 home
#     map 10.15.43.254/24 10.15.43.1 work-wireless
#     map 10.15.43.23/24 10.15.43.1 work-static
#
# iface home inet dhcp
# iface work-wireless inet bootp
# iface work-static inet static
#     address 10.15.43.23
#     netmask 255.255.255.0
#     gateway 10.15.43.1
#
# Note that the ping-places script requires the iproute package installed,
# and the same changes to /etc/pcmcia/network are required for this as for
# the previous example.

# Set up an interface to read all the traffic on the network. This
# configuration can be useful to set up Network Intrusion Detection
# sensors in a 'stealth'-type configuration. This prevents the NIDS
# system from being a direct target in a hostile network, since it has
# no IP address on the network. Notice, however, that there have been
# known bugs over time in sensors that are part of a NIDS (for example,
# see DSA-297 related to Snort) and remote buffer overflows might even be
# triggered by network packet processing.
#
# auto eth0
# iface eth0 inet manual
#     up ifconfig $IFACE 0.0.0.0 up
#     up ip link set $IFACE promisc on
#     down ip link set $IFACE promisc off
#     down ifconfig $IFACE down

# Set up an interface which will not be allocated an IP address by
# ifupdown but will be configured through external programs. This
# can be useful to set up interfaces configured through other programs,
# like, for example, PPPOE scripts.
#
# auto eth0
# iface eth0 inet manual
#     up ifconfig $IFACE 0.0.0.0 up
#     up /usr/local/bin/myconfigscript
#     down ifconfig $IFACE down
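
The two MAC-address stanzas above call check-mac-address.sh (as a pre-up guard) and get-mac-address.sh (as a mapping script) without showing them. The sketch below is an added example, not the scripts shipped with ifupdown: one file installed under both names. The SYSFS_NET variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: MAC-address helpers for the pre-up and mapping stanzas.
# SYSFS_NET is an assumption of this example so the logic can be exercised
# against a fake directory tree; on a real system it stays /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the interface's MAC in lower case; fail if it cannot be read.
read_mac() {
    [ -r "$SYSFS_NET/$1/address" ] || return 1
    tr 'A-F' 'a-f' < "$SYSFS_NET/$1/address"
}

# pre-up guard: succeed only if interface $1 carries MAC $2.
# A non-zero exit makes ifup abort configuration of that interface.
check_mac() {
    actual=$(read_mac "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# mapping script: ifup passes the physical interface as $1 and the text of
# each "map" line ("<mac> <logical-name>") on stdin; print the logical name.
map_by_mac() {
    actual=$(read_mac "$1") || return 1
    while read -r mac logical; do
        if [ "$(printf '%s' "$mac" | tr 'A-F' 'a-f')" = "$actual" ]; then
            printf '%s\n' "$logical"
            return 0
        fi
    done
    return 1   # unknown card: print nothing and fail
}

# Dispatch on the name the file was installed under, matching the
# invocations used in the stanzas above.
case "${0##*/}" in
    check-mac-address.sh) check_mac "$1" "$2" ;;
    get-mac-address.sh)   map_by_mac "$1" ;;
esac
```

Comparison is case-insensitive because sysfs reports MAC addresses in lower case while the stanzas above write one of them in upper case.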