This guide provides an overview of many of the tools available for IP network management under the Linux operating system, covering the 2.2 and 2.4 series kernels, and of the IP networking capabilities of those kernels.
Concepts
Basic IP Connectivity
➎ And finally, tristan will add its IP to the option field in the header of the IP packet just before the packet reaches the calling ping program. An incorrect broadcast address often highlights a mismatch of the configured IP address and netmask on an interface.
Ethernet
The ARP reply from masq-gw includes its link layer address and a statement of ownership of the requested IP address. An ARP response is a single-byte response that contains the desired information and is sent to the supplicant's link layer address.
Bridging
IP Routing
The kernel first looks for a matching entry for the destination in the routing cache and then the main routing table. Maintenance of the broadcast and local routes in the local routing table can only be done by the kernel.
Network Address Translation (NAT)
Now in the forward chain, the source IP address of the packet is the public IP address of the service. In the simplest call, you just want to see the current state of the arp table. Refer to the section titled ARP Filtering in Chapter 2 for a discussion of the consequences of disabling ARP.
In the vast majority of installations (most workstations, servers, and even routers) there is no need to take advantage of the RPDB. Each of the iproute2 object names can be shortened to the shortest unique set of characters. Sally Floyd is apparently one of the leading researchers in the use of QoS on the Internet.
Make the same adjustment to the section headings in the Invariant Sections list in the license notice for the combined work.
Masquerading and Source Network Address Translation
Packet Filtering
For networks and machines directly connected to the Internet, packet filtering is no longer an option, but a necessity. This chapter begins with an introduction and history of packet filtering with Linux. The network layer portion of a firewall solution, packet filtering, is part of a good security posture.
Using packet filtering to enforce these traffic flows is not limited to just routers and firewalls. Packet filtering under Linux has a long history, interrupted by major changes to the packet filtering systems incorporated into the kernel. Linux 2.4's netfilter architecture represented a major advance in Linux's packet filtering capabilities with support for stateful packet filtering.
The use of Linux packet filtering features is mature and well documented in many places throughout the Internet.
Statefulness and Statelessness
Cookbook
Advanced IP Management
Hosts on one segment can only reach hosts on the other segment through the router performing proxy ARP. Once the router can reach all locally connected destinations via the correct interfaces, you can start configuring the proxy ARP functionality. With the 2.4 kernel it is possible to use the sysctl net/ipv4/conf/all/proxy_arp to perform proxy ARP.
A key part of proxy ARP working correctly on a network is that the host that splits the network into two halves has the correct routes for all destinations on both halves of the network. Also see the section titled arp in Appendix B for examples and command lines to create an ARP proxy configuration. The firewall must of course have the routes set up correctly, and the routers will need proxy ARP entries.
For another explanation of the same concepts, read the Proxy ARP Subnet mini-HOWTO (http://www.linuxpowered.com/HOWTO/mini/Proxy-ARP-Subnet/).
Advanced IP Routing
Let's look at a similar description of the paths bound packets take for local destinations through the kernel. This routing code is (sometimes?) responsible for choosing the source IP of the outgoing packet. We will describe here some of the most common configurations involving multiple Internet connections and how to manage them with iptables, ipchains, and iproute2.
We will assume that this is for outgoing connectivity only and that the IP is active on the eth4 of the masq-gw device. Here is the packet flow through masq-gw to the server and back to the client. Using two IP addresses on the internal computer, we can use the ip rule on masq-gw to select a routing table with a different default route based on the source IP of the response packets to the client.
# Free Software Foundation; either version 2 of the license, or (at your option) any later version.
Troubleshooting
Appendices and Reference
See the section titled ARP Cache in Chapter 2 for a more detailed discussion of the arp table. For specifics and common features of the iproute2 tools, see Some General Notes About the iproute2 Tools in Appendix H. The second column contains the IP address of the gateway to the destination if the destination is not a locally connected network.
The final field in the route output contains the name of the interface through which the destination is reachable. The example of a routing table on a tristan is a classic example of the need for a static route. For a more detailed discussion of RPDB, see the section titled Using a Routing Policy Database and Multiple Routing Tables in Chapter 10.
The output of the command is a list of rules in the RPDB sorted by priority order. Documentation for ipchains (http://www.netfilter.org/ipchains/) is available from the author, Rusty Russell. A mirror of the ipchains HOWTO (http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html) is available on TLDP.
An Example Network and Description
Ethernet Layer Tools
The ip link tool provides the following two verbs: ip link show and ip link set. To display link layer information, ip link show retrieves attributes from the currently available link layer devices.

Using ip link set to change device flags:
[root@tristan]# ip link set dev eth0 promisc on
[root@tristan]# ip link show dev eth0

Disabling a link layer device with ip link set:
[root@tristan]# ip link set dev eth0 down
[root@tristan]# ip link show dev eth0

Enabling a link layer device with ip link set:
[root@tristan]# ip link set dev eth0 up
[root@tristan]# ip link show dev eth0

Changing the device MTU and name with ip link set (the device must be down before it can be renamed):
[root@tristan]# ip link set dev eth0 mtu 1500
[root@tristan]# ip link set dev eth0 down
[root@tristan]# ip link set dev eth0 name inside
[root@tristan]# ip link set dev inside up
[root@tristan]# ip link show dev inside
IP Address Management
See also the section called ip-link in Appendix B and the section called ip-address. Now to retrieve the interface we need the IP address and netmask information. The IP Address tool will display the IP (and brief encapsulation information) when invoked with the show verb.
Now, let's explore IP addressing with the ip address utility by adding and removing IP addresses from active interfaces. You can use add ip address even if the link layer on the device is broken. Let's see the output of the IP address display just before and just after removing all IPs.
Flushing all IPs on an interface with ip address flush, showing the addresses before and after:
[root@tristan]# ip address show dev eth0
[root@tristan]# ip address flush dev eth0
[root@tristan]# ip address show dev eth0
IP Route Management
If you need to flush the routing cache entirely, you'll want to familiarize yourself with ip route flush cache. If you are used to the route output format, the ip route output may seem concise.

Viewing the local routing table with ip route show table local:
[root@tristan]# ip route show table local

Displaying a routing table with ip route show table:
[root@tristan]# ip route show table special

The flush option, when used with ip route, clears a routing table or removes the route for a particular destination.

Flushing a routing table with ip route flush:
[root@masq-gw]# ip route flush table special

Emptying the route cache with ip route flush cache:
[root@tristan]# ip route flush cache
[root@tristan]# ip route show cache
Tunnels and VPNs
Sockets; Servers and Clients
Diagnostics
Again, in all the examples below you will see the use of the -n switch to suppress DNS lookups. Each subsequent line of output before the summary is a record of receiving a response from the. At the end of the run, ping sums up the number of responses received and computes statistics on the round trip times.
It can be combined with some of the other options for a variety of diagnostic purposes. In Example G-9, we will use ping to check the reachability of the inside interface of the CIPE peer of masq-gw. Each of the first three packets sent in the example above receives ICMP time exceeded replies from the upstream router (masq-gw).
A potentially misleading aspect of the latter output is visible in the connections to and from localhost and the final line.
Miscellany
Links to other Resources
The Linux Network Administrator's Guide (http://www.tldp.org/LDP/nag2/index.html) covers some of the same material as this guide. Here is a good introduction to Classless Inter Domain Routing (CIDR) (http://www.ralphb.net/IPSubnet/). The netfilter site (http://www.netfilter.org/) offers a wealth of tutorials, examples, documentation, and a mailing list.
There is an ADSL Bandwidth Management HOWTO (http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/) on TLDP. Michael Babcock has a page discussing QoS on Linux (http://www.fibrespeed.net/~mbabcock/linux/qos_tc/). Explicit congestion notification (http://www.icir.org/floyd/ecn.html) is supported under Linux kernel 2.4 with a sysctl entry.
A collection of various scripts and other interfaces for netfilter is available here (http://www.linuxguruz.org/iptables/).
GNU Free Documentation License
On the title page, state the name of the publisher of the revised version, as the publisher. If there is no section titled "History" in the document, create one indicating the title, year, authors, and publisher of the document as given on its title page, and then add an item describing the modified version such as stated in the previous sentence. You may omit a network location for a work published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
Keep all the invariant sections of the document unchanged in their text and in their titles. You can add a passage of up to five words as a cover text and a passage of up to 25 words as a back text to the end of the list of cover texts in the modified version. The author(s) and publisher(s) of the document do not grant permission under this license to use their names in advertising or to claim or imply approval of any modified version.
When the Document is an aggregate, this License does not apply to the other works in the aggregate that are not themselves derivative works of the Document.