8. Network Interconnection
Linux networking is rich in features. A Linux box can be configured to act as a router, a bridge, and more. Some of the available options are described below.
8.1 Router
The Linux kernel has built-in support for routing functions. A Linux box can act either as an IP or IPX router for a fraction of the cost of a commercial router. Recent kernels include special options for machines acting primarily as routers:
- Multicasting: Allows the Linux machine to act as a router for IP packets that have several destination addresses. It is needed on the MBONE, a high bandwidth network on top of the Internet which carries audio and video broadcasts.
- IP policy routing: Normally a router decides what to do with a received packet based solely on the packet's final destination address, but routing can also take into account the originating address and the network device from which the packet reached it.
There are some related projects, including one that aims to build a complete, running Linux router on a floppy disk: Linux router project
8.2 Bridge
The Linux kernel has built-in support for acting as an Ethernet bridge, which means that the different Ethernet segments it is connected to will appear as one Ethernet to the participants. Several bridges can work together to create even larger networks of Ethernets using the IEEE802.1 spanning tree algorithm. As this is a standard, Linux bridges will interoperate properly with other third party bridge products. Additional packages allow filtering based on IP, IPX or MAC addresses.
Related HOWTOs:
8.3 IP Masquerade
IP Masquerade is a developing networking function in Linux. If a Linux host is connected to the Internet with IP Masquerade enabled, then computers connecting to it (either on the same LAN or connected with modems) can reach the Internet as well, even though they have no officially assigned IP addresses. This reduces costs, since many people can access the Internet through a single modem connection, and it also contributes to security: in some ways the machine acts as a firewall, since the unofficially assigned addresses cannot be reached from outside that network.
IP masquerade related pages and documents:
- http://ipmasq.home.ml.org/
- http://www.indyramp.com/masq/links.pfhtml
- http://metalab.unc.edu/mdw/HOWTO/IP-Masquerade-HOWTO.html
8.4 IP Accounting
This option of the Linux kernel keeps track of IP network traffic, performs packet logging and produces some statistics. A series of rules may be defined so that when a packet matches a given pattern some action is performed: a counter is increased, the packet is accepted or rejected, etc.
8.5 IP aliasing
This feature of the Linux kernel provides the possibility of setting multiple network addresses on the same low-level network device driver (e.g. two IP addresses on one Ethernet card). It is typically used for services that behave differently depending on the address they listen on (e.g. "multihosting", "virtual domains" or "virtual hosting services").
Related HOWTO:
8.6 Traffic Shaping
The traffic shaper is a virtual network device that makes it possible to limit the rate of outgoing data flow over another network device. This is especially useful in scenarios such as ISPs, where it is desirable to control and enforce policies regarding how much bandwidth is used by each client. Another alternative (for web services only) may be certain Apache modules which restrict the number of IP connections by client or the bandwidth used.
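The idea behind the shaper device is easiest to see as a token bucket: tokens accrue at the permitted rate, a packet may leave only when the bucket holds enough tokens to pay for its size, and the bucket's capacity bounds the burst. The following is an added illustration written for this page, not code from the HOWTO or from the Linux shaper driver; the class name, the millisecond clock supplied by the caller and the traffic in the demo are all constructed for the example.

```python
from collections import deque


class TokenBucketShaper:
    """Constructed model of a rate limiter in the spirit of the Linux traffic
    shaper device: outgoing packets leave at no more than `rate_bps` bytes per
    second on average, with bursts of up to `burst_bytes` allowed.

    Time is supplied by the caller in integer milliseconds so the example is
    deterministic and runs offline; a real shaper reads the clock itself.
    """

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps        # sustained rate, bytes per second
        self.capacity = burst_bytes     # bucket size: the largest burst allowed
        self.tokens = burst_bytes       # start full so the first packets go out at once
        self.last_ms = 0                # time of the last refill
        self.queue = deque()            # packets (sizes in bytes) waiting for tokens

    def _refill(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps / 1000)
        self.last_ms = now_ms

    def _release(self):
        # Send queued packets in order while the bucket can pay for them;
        # head-of-line blocking is deliberate so packet order is preserved.
        sent = []
        while self.queue and self.queue[0] <= self.tokens:
            size = self.queue.popleft()
            self.tokens -= size
            sent.append(size)
        return sent

    def offer(self, now_ms, size):
        """Hand the shaper a packet of `size` bytes; returns the sizes released now."""
        self._refill(now_ms)
        self.queue.append(size)
        return self._release()

    def tick(self, now_ms):
        """Timer callback: release whatever the accumulated tokens now cover."""
        self._refill(now_ms)
        return self._release()


def demo():
    """Trace a 64 kbit/s (8000 B/s) shaper with a 1500-byte burst allowance.
    Returns a list of (time_ms, size) for each packet as it is released."""
    shaper = TokenBucketShaper(rate_bps=8000, burst_bytes=1500)
    released = []
    # constructed traffic: three packets arrive back to back at t=0
    for size in (1500, 1000, 500):
        released += [(0, s) for s in shaper.offer(0, size)]
    # the timer then runs every 25 ms
    for t in range(25, 201, 25):
        released += [(t, s) for s in shaper.tick(t)]
    return released
```

In the trace the first 1500-byte packet leaves immediately because the bucket starts full, the 1000-byte packet waits until 125 ms have refilled 1000 tokens, and the 500-byte one follows at 200 ms. Over a long run the output converges on 8000 bytes per second; the burst allowance only lets a short run of packets exceed it, which is the knob an ISP would tune per client.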
8.7 Firewall
A firewall is a device that protects a private network from the public part (the internet as a whole). It is designed to control the flow of packets based on the source, destination, port and packet type information contained in each packet.
Different firewall toolkits exist for Linux as well as built-in support in the kernel. Other firewalls are TIS and SOCKS. These firewall toolkits are very complete and combined with other tools allow blocking/redirection of all kinds of traffic and protocols. Different policies can be implemented via configuration files or GUI programs.
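Sections 8.4 and 8.7 describe the same mechanism from two sides: an ordered list of rules, each matching on source, destination, protocol and port, where a match either updates a counter (accounting) or decides the packet's fate (filtering). The following added example, written for this page and not taken from the HOWTO or from any Linux firewall toolkit, evaluates constructed sample packets against such a rule list; the rule names, addresses and packets are all invented for the illustration. Addresses are taken from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # 0 for protocols without ports (icmp)
    length: int = 64     # bytes, used by the accounting counters


@dataclass
class Rule:
    action: str                      # "accept" or "reject" end evaluation; "count" only records
    src: str = "0.0.0.0/0"           # CIDR networks; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None      # None matches any destination port
    packets: int = 0                 # accounting counters, updated on every match
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """First-match evaluation: a matching accept/reject rule decides the packet;
    a matching count rule only updates its counters and evaluation continues.
    Anything no terminal rule matches gets the default policy (reject here)."""

    def __init__(self, rules, default="reject"):
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                rule.bytes += pkt.length
                if rule.action != "count":
                    return rule.action
        return self.default


def run_demo():
    """Evaluate constructed sample packets against a small rule set.
    Returns (decisions, counters) where counters maps rule names to (packets, bytes)."""
    rules = {
        "web_accounting": Rule("count", dport=80),                          # count all web traffic
        "allow_web_in":   Rule("accept", dst="192.168.1.10/32", proto="tcp", dport=80),
        "allow_lan_out":  Rule("accept", src="192.168.1.0/24"),
    }
    fw = PacketFilter(list(rules.values()))   # default policy rejects everything else
    samples = [  # constructed packets, not captured traffic
        Packet("203.0.113.5", "192.168.1.10", "tcp", 80, 500),   # outside client to our web server
        Packet("203.0.113.5", "192.168.1.10", "tcp", 23, 60),    # outside client to telnet: no rule
        Packet("192.168.1.20", "198.51.100.7", "tcp", 80, 120),  # LAN host browsing outward
        Packet("192.168.1.20", "198.51.100.7", "udp", 53, 80),   # LAN host DNS query
        Packet("203.0.113.9", "192.168.1.10", "icmp", 0, 64),    # ping from outside
    ]
    decisions = [fw.decide(p) for p in samples]
    counters = {name: (r.packets, r.bytes) for name, r in rules.items()}
    return decisions, counters
```

The default policy is the important design choice: with "reject" as the fallback, the telnet attempt and the ping are dropped even though no rule mentions them, and the accounting rule at the top of the list counts web traffic in both directions without influencing the decision.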
8.8 Port forwarding
An increasing number of web sites are becoming interactive by having cgi-bins or Java applets that access some database or other service. Since this access may pose a security problem, the machine containing the database should not be directly connected to the Internet.
Port Forwarding can provide an almost ideal solution to this access problem. On the firewall, IP packets that come in to a specific port number can be re-written and forwarded to the internal server providing the actual service. The reply packets from the internal server are re-written to make it appear that they came from the firewall.
Port forwarding information may be found here
8.9 Load Balancing
Demand for load balancing usually arises in database/web access when many clients make simultaneous requests to a server. It would be desirable to have multiple identical servers and redirect requests to the least loaded server. This can be achieved through Network Address Translation (NAT) techniques, of which IP masquerading is a subset. Network administrators can replace a single server providing Web services - or any other application - with a logical pool of servers sharing a common IP address. Incoming connections are directed to a particular server using one load-balancing algorithm. The virtual server rewrites incoming and outgoing packets to give clients the appearance that only one server exists.
Linux IP-NAT information may be found here
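Sections 8.3, 8.8 and 8.9 are three uses of one packet-rewriting engine: masquerading rewrites the source of outbound packets, port forwarding rewrites the destination of inbound ones, and a virtual server is port forwarding with a pool and a selection rule. The following added example, written for this page and not code from the HOWTO or from the Linux NAT implementation, models all three on a gateway with a single public address so the rewrites can be traced end to end; the class, the least-connections rule, the starting masquerade port and all addresses are constructed for the illustration.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Constructed model of a Linux box that owns one public address and does
    three kinds of address rewriting: masquerading for hosts on the private
    network, port forwarding of a public port to one internal server, and
    load balancing of a public port across a pool (a virtual server).
    It mimics the rewriting the text describes; it is not kernel code."""

    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        # public port -> list of (internal ip, port); one entry is plain port
        # forwarding, several entries form a pool balanced by least connections
        self.forwards = forwards
        self._next_port = itertools.count(61000)   # source ports used for masquerading
        self.masq = {}       # public sport -> (private src, sport, remote dst, dport)
        self.masq_rev = {}   # the same mapping keyed the other way round
        self.conns = {}      # (client, cport) -> (public port, server) for forwarded flows
        self.active = {s: 0 for pool in forwards.values() for s in pool}

    def from_lan(self, pkt):
        """Packet leaving the private network: rewrite the source to the gateway."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.masq_rev:
            port = next(self._next_port)
            self.masq_rev[key] = port
            self.masq[port] = key
        return replace(pkt, src=self.public_ip, sport=self.masq_rev[key])

    def from_internet(self, pkt):
        """Packet arriving on the public side; returns the rewritten packet or None to drop."""
        if pkt.dport in self.masq:
            src, sport, dst, dport = self.masq[pkt.dport]
            if (pkt.src, pkt.sport) != (dst, dport):
                return None   # not a reply from the peer the private host contacted
            return replace(pkt, dst=src, dport=sport)
        pool = self.forwards.get(pkt.dport)
        if pool is None:
            return None       # the gateway publishes no service on this port
        key = (pkt.src, pkt.sport)
        if key not in self.conns:
            server = min(pool, key=lambda s: self.active[s])   # least loaded member
            self.conns[key] = (pkt.dport, server)
            self.active[server] += 1
        _, (ip, port) = self.conns[key]
        return replace(pkt, dst=ip, dport=port)

    def from_server(self, pkt):
        """Reply from an internal server: make it appear to come from the gateway."""
        entry = self.conns.get((pkt.dst, pkt.dport))
        if entry is None or entry[1] != (pkt.src, pkt.sport):
            return None       # no forwarded connection matches; do not leak internal addresses
        return replace(pkt, src=self.public_ip, sport=entry[0])

    def close(self, client, cport):
        """Connection ended: release the server's slot in the pool."""
        entry = self.conns.pop((client, cport), None)
        if entry is not None:
            self.active[entry[1]] -= 1


def run_demo():
    gw = NatGateway("203.0.113.1", {
        80: [("10.0.0.11", 8080), ("10.0.0.12", 8080)],   # virtual web server pool
        25: [("10.0.0.5", 25)],                           # plain forward to the mail host
    })
    # constructed traffic, all addresses from documentation ranges
    out = gw.from_lan(Packet("10.0.0.20", 40001, "198.51.100.7", 80))
    reply = gw.from_internet(Packet("198.51.100.7", 80, "203.0.113.1", out.sport))
    stray = gw.from_internet(Packet("192.0.2.99", 80, "203.0.113.1", out.sport))
    web = [gw.from_internet(Packet(c, 50000, "203.0.113.1", 80))
           for c in ("192.0.2.10", "192.0.2.11", "192.0.2.12")]
    web_reply = gw.from_server(Packet(web[0].dst, web[0].dport, "192.0.2.10", 50000))
    mail = gw.from_internet(Packet("192.0.2.13", 50001, "203.0.113.1", 25))
    telnet = gw.from_internet(Packet("192.0.2.13", 50002, "203.0.113.1", 23))
    return dict(out=out, reply=reply, stray=stray, web=web,
                web_reply=web_reply, mail=mail, telnet=telnet)
```

Two details carry the security property the text attributes to masquerading: a packet aimed at a masquerade port is only passed inward when it comes from the exact peer the private host contacted, and a packet to a port with no forwarding entry is dropped, so the private addresses are never reachable on the gateway's own initiative. The least-connections choice is one load-balancing algorithm among several; round robin would be the obvious alternative.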
8.10 EQL
EQL is integrated into the Linux kernel. If two serial connections exist to some other computer (this usually requires two modems and two telephone lines) and SLIP or PPP (protocols for sending Internet traffic over telephone lines) are used on them, it is possible to make them behave like one double speed connection using this driver. Naturally, this has to be supported at the other end as well.
8.11 Proxy Server
The term proxy means "to do something on behalf of someone else." In networking terms, a proxy server computer can act on behalf of several clients. An HTTP proxy is a machine that receives requests for web pages from another machine (Machine A). The proxy gets the requested page and returns the result to Machine A. The proxy may have a cache of the requested pages, so if another machine asks for the same page the copy in the cache will be returned instead. This allows efficient use of bandwidth resources and shorter response times. As a side effect, since client machines are not directly connected to the outside world, this is a way of securing the internal network. A well-configured proxy can be as effective as a good firewall.
Several proxy servers exist for Linux. One popular solution is the Apache proxy module. A more complete and robust implementation of an HTTP proxy is SQUID.
8.12 Diald on demand
The purpose of dial on demand is to make it appear, transparently, that the users have a permanent connection to a remote site. Usually there is a daemon that monitors the packet traffic and, when an interesting packet arrives (interesting is usually defined by a set of rules/priorities/permissions), establishes a connection with the remote end. When the channel has been idle for a certain period of time, it drops the connection.
8.13 Tunnelling, mobile IP and virtual private networks
The Linux kernel allows the tunnelling (encapsulation) of protocols. It can do IPX tunnelling through IP, allowing the connection of two IPX networks through an IP-only link. It can also do IP-IP tunnelling, which is essential for mobile IP support, multicast support and amateur radio. (see http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.8)
Mobile IP specifies enhancements that allow transparent routing of IP datagrams to mobile nodes in the Internet. Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a care-of address, which provides information about its current point of attachment to the Internet. The protocol provides for registering the care-of address with a home agent. The home agent sends datagrams destined for the mobile node through a tunnel to the care-of address. After arriving at the end of the tunnel, each datagram is then delivered to the mobile node.
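The home agent behaviour just described is a binding table plus IP-IP encapsulation: datagrams for a registered home address are wrapped in an outer header addressed to the care-of address, and the tunnel endpoint unwraps them. The following added example, written for this page and not code from the HOWTO or from any Mobile IP implementation, models that exchange; the classes, addresses and the "hello" payload are constructed for the illustration, and the authentication extension that the real protocol requires on registration requests is assumed to have been verified before `register` is called.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    payload: object     # application data, or an inner Datagram for IP-IP tunnel packets


class HomeAgent:
    """Constructed model of the home agent role: keeps the binding between a
    mobile node's permanent home address and its current care-of address, and
    tunnels (IP-IP encapsulates) datagrams for a node that is away from home."""

    def __init__(self, address, home_network):
        self.address = address
        self.home_network = ipaddress.ip_network(home_network)
        self.bindings = {}   # home address -> care-of address

    def register(self, home_addr, care_of):
        # Only addresses on the home network may be bound. The real protocol also
        # requires the registration request to carry an authentication extension;
        # this model assumes that check has already passed.
        if ipaddress.ip_address(home_addr) not in self.home_network:
            raise ValueError(f"{home_addr} is not a home address served by this agent")
        self.bindings[home_addr] = care_of

    def deregister(self, home_addr):
        self.bindings.pop(home_addr, None)

    def route(self, dg):
        """Datagram arriving on the home network for one of our addresses."""
        care_of = self.bindings.get(dg.dst)
        if care_of is None:
            return dg                                   # node is at home: deliver as usual
        return Datagram(self.address, care_of, dg)      # away: wrap it in an outer header


def decapsulate(dg, home_addr):
    """Tunnel endpoint at the care-of address: unwrap and check the inner datagram
    really is addressed to the mobile node before handing it over."""
    inner = dg.payload
    if not isinstance(inner, Datagram) or inner.dst != home_addr:
        return None
    return inner


def run_demo():
    ha = HomeAgent("192.0.2.1", "192.0.2.0/24")
    mobile, care_of = "192.0.2.50", "198.51.100.77"
    original = Datagram("203.0.113.8", mobile, "hello")   # constructed traffic from a correspondent
    at_home = ha.route(original)          # not registered yet: delivered directly
    ha.register(mobile, care_of)
    tunneled = ha.route(original)         # now encapsulated toward the care-of address
    delivered = decapsulate(tunneled, mobile)
    ha.deregister(mobile)
    back_home = ha.route(original)
    return at_home, tunneled, delivered, back_home
```

The correspondent never learns where the node is: it keeps sending to the home address, the outer header is added and removed by the agents, and the inner datagram arrives unchanged. The check in `register` that the home address actually belongs to the home network is the minimal guard against a binding that would redirect someone else's traffic.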
Point-to-Point Tunneling Protocol (PPTP) is a networking technology that allows the use of the Internet as a secure virtual private network (VPN). PPTP is integrated with the Remote Access Services (RAS) server which is built into Windows NT Server. With PPTP, users can dial into a local ISP, or connect directly to the Internet, and access their network as if they were at their desks. PPTP is a closed protocol and its security has recently been compromised. It is highly recommended to use other Linux-based alternatives, since they rely on open standards which have been carefully examined and tested.
- A client implementation of the PPTP for Linux is available here
- More on Linux PPTP can be found here
- http://www.hpl.hp.com/personal/Jean_Tourrilhes/MobileIP/mip.html
- http://metalab.unc.edu/mdw/HOWTO/NET3-4-HOWTO-6.html#ss6.12