|
|
6. IP- and Ethernet-Related InformationThis section covers information specific to Ethernet and IP. These subsections have been grouped together because I think they are the most interesting ones in the formerly-called ``Technology Specific'' Section. Anyone with a LAN should be able to benefit from these goodies. 6.1 EthernetEthernet device names are ` By default, the Linux kernel only probes for one Ethernet device, you need to pass command line arguments to the kernel in order to force detection of furter boards. To learn how to make your ethernet card(s) working under Linux you should refer to the Ethernet-HOWTO. Once you have your kernel properly built to support your ethernet card then configuration of the card is easy. Typically you would use something like (which most distributions already do for you, if you configured them to support your ethernet):
Most of the ethernet drivers were developed by Donald Becker,
6.2 EQL - multiple line traffic equaliserThe EQL device name is ` Kernel Compile Options: To support this mechanism the machine at the other end of the lines must also support EQL. Linux, Livingstone Portmasters and newer dial-in servers support compatible facilities. To configure EQL you will need the eql tools which are available from: metalab.unc.edu. Configuration is fairly straightforward. You start by configuring the eql interface. The eql interface is just like any other network device. You configure the IP address and mtu using the ifconfig utility, so something like: Next you need to manually initiate each of the lines you will use. These may be any combination of point to point network devices. How you initiate the connections will depend on what sort of link they are, refer to the appropriate sections for further information. Lastly you need to associate the serial link with the EQL device, this is called `enslaving' and is done with the eql_enslave command as shown: The `estimated speed' parameter you supply eql_enslave doesn't do anything directly. It is used by the EQL driver to determine what share of the datagrams that device should receive, so you can fine tune the balancing of the lines by playing with this value. To disassociate a line from an EQL device you use the eql_emancipate command as shown: You add routing as you would for any other point to point link, except your
routes should refer to the The EQL driver was developed by Simon Janes, 6.3 IP Accounting (for Linux-2.0)The IP accounting features of the Linux kernel allow you to collect and analyze some network usage data. The data collected comprises the number of packets and the number of bytes accumulated since the figures were last reset. You may specify a variety of rules to categorize the figures to suit whatever purpose you may have. This option has been removed in kernel 2.1.102, because the old ipfwadm-based firewalling was replaced by ``ipfwchains''. Kernel Compile Options: After you have compiled and installed the kernel you need to use the ipfwadm command to configure IP accounting. There are many different ways of breaking down the accounting information that you might choose. I've picked a simple example of what might be useful to use, you should read the ipfwadm man page for more information. Scenario: You have a ethernet network that is linked to the internet via a PPP link. On the ethernet you have a machine that offers a number of services and that you are interested in knowing how much traffic is generated by each of ftp and world wide web traffic, as well as total tcp and udp traffic. You might use a command set that looks like the following, which is shown as a shell script: The names ``ftp-data'' and ``www'' refer to lines in
An important point to note when analyzing IP accounting is that totals for all rules that match will be incremented so that to obtain differential figures you need to perform appropriate maths. For example if I wanted to know how much data was not ftp nor www I would substract the individual totals from the rule that matches all ports. 6.4 IP Accounting (for Linux-2.2)The new accounting code is accessed via ``IP Firewall Chains''.
See
the IP chains home page for more information. Among other
things, you'll now need to use ipchains instead of 6.5 IP AliasingThere are some applications where being able to configure multiple IP addresses to a single network device is useful. Internet Service Providers often use this facility to provide a `customized' to their World Wide Web and ftp offerings for their customers. You can refer to the ``IP-Alias mini-HOWTO'' for more information than you find here. Kernel Compile Options: After compiling and installing your kernel with IP_Alias support
configuration is very simple. The aliases are added to virtual network
devices associated with the actual network device. A simple naming
convention applies to these devices being For example, assume you have an ethernet network that supports two different IP subnetworks simultaneously and you wish your machine to have direct access to both, you could use something like: To delete an alias you simply add a ` All routes associated with that alias will also be deleted automatically. 6.6 IP Firewall (for Linux-2.0)IP Firewall and Firewalling issues are covered in more depth in the Firewall-HOWTO. IP Firewalling allows you to secure your machine against unauthorized network access by filtering or allowing datagrams from or to IP addresses that you nominate. There are three different classes of rules, incoming filtering, outgoing filtering and forwarding filtering. Incoming rules are applied to datagrams that are received by a network device. Outgoing rules are applied to datagrams that are to be transmitted by a network device. Forwarding rules are applied to datagrams that are received and are not for this machine, ie datagrams that would be routed. Kernel Compile Options: Configuration of the IP firewall rules is performed using the ipfwadm command. As I mentioned earlier, security is not something I am expert at, so while I will present an example you can use, you should do your own research and develop your own rules if security is important to you. Probably the most common use of IP firewall is when you are using your linux machine as a router and firewall gateway to protect your local network from unauthorized access from outside your network. The following configuration is based on a contribution from Arnt Gulbrandsen,
The example describes the configuration of the firewall rules on the Linux firewall/router machine illustrated in this diagram: The following commands would normally be placed in an Good firewall configurations are a little tricky. This example should be a reasonable starting point for you. The ipfwadm manual page offers some assistance in how to use the tool. If you intend to configure a firewall, be sure to ask around and get as much advice from sources you consider reliable and get someone to test/sanity check your configuration from the outside. 6.7 IP Firewall (for Linux-2.2)The new firewalling code is accessed via ``IP Firewall Chains''.
See
the IP chanins home page for more information. Among other
things, you'll now need to use ipchains instead of We are aware that this is a sorely out of date statement and we are currently working on getting this section more current. You can expect a newer version in August of 1999. 6.8 IPIP EncapsulationWhy would you want to encapsulate IP datagrams within IP datagrams? It must seem an odd thing to do if you've never seen an application of it before. Ok, here are a couple of common places where it is used: Mobile-IP and IP-Multicast. What is perhaps the most widely spread use of it though is also the least well known, Amateur Radio. Kernel Compile Options: IP tunnel devices are called ` "But why ?". Ok, ok. Conventional IP routing rules mandate that an IP network comprises a network address and a network mask. This produces a series of contiguous addresses that may all be routed via a single routing entry. This is very convenient, but it means that you may only use any particular IP address while you are connected to the particular piece of network to which it belongs. In most instances this is ok, but if you are a mobile netizen then you may not be able to stay connected to the one place all the time. IP/IP encapsulation (IP tunneling) allows you to overcome this restriction by allowing datagrams destined for your IP address to be wrapped up and redirected to another IP address. If you know that you're going to be operating from some other IP network for some time you can set up a machine on your home network to accept datagrams to your IP address and redirect them to the address that you will actually be using temporarily. A tunneled network configuration.
Linux router ` Linux router ` The command: 192.168.1.0/24 inside an
IPIP encap datagram with a destination address of aaa.bbb.ccc.ddd'.
Note that the configurations are reciprocated at either end. The tunnel device
uses the ` A tunneled host configuration.It doesn't have to be a whole network you route. You could for example route
just a single IP address. In that instance you might configure the
Linux router ` Linux host ` This sort of configuration is more typical of a Mobile-IP application. Where a single host wants to roam around the Internet and maintain a single usable IP address the whole time. You should refer to the Mobile-IP section for more information on how that is handled in practice. 6.9 IP MasqueradeMany people have a simple dialup account to connect to the Internet. Nearly everybody using this sort of configuration is allocated a single IP address by the Internet Service Provider. This is normally enough to allow only one host full access to the network. IP Masquerade is a clever trick that enables you to have many machines make use of that one IP address, by causing the other hosts to look like, hence the term masquerade, the machine supporting the dialup connection. There is a small caveat and that is that the masquerade function nearly always works only in one direction, that is the masqueraded hosts can make calls out, but they cannot accept or receive network connections from remote hosts. This means that some network services do not work such as talk and others such as ftp must be configured to operate in passive (PASV) mode to operate. Fortunately the most common network services such as telnet, World Wide Web and irc do work just fine. Kernel Compile Options: Normally you have your linux machine supporting a slip or PPP dialup line just as it would if it were a standalone machine. Additionally it would have another network device configured, perhaps an ethernet, configured with one of the reserved network addresses. The hosts to be masqueraded would be on this second network. Each of these hosts would have the IP address of the ethernet port of the linux machine set as their default gateway or router. A typical configuration might look something like this: The most relevant commands for this configuration are: Masquerading with IPCHAINS This is similar to using IPFWADM but the command structure has changed: You can get more information on the Linux IP Masquerade feature from the IP Masquerade Resource Page. Also, a very detailed document about masquesrading is the ``IP-Masquerade mini-HOWTO'' (which also intructs to configure other OS's to run with a Linux masquerade server).
6.10 IP Transparent ProxyIP transparent proxy is a feature that enables you to redirect servers or services destined for another machine to those services on this machine. Typically this would be useful where you have a linux machine as a router and also provides a proxy server. You would redirect all connections destined for that service remotely to the local proxy server. Kernel Compile Options: Configuration of the transparent proxy feature is performed using the ipfwadm command An example that might be useful is as follows: This example will cause any connection attempts to port A more interesting example is redirecting all To filter an transproxy program, then, will receive all connections meant
to reach external servers and will pass them to the local proxy
after fixing protocol differences.
6.11 IPv6Just when you thought you were beginning to understand IP networking the rules get changed! IPv6 is the shorthand notation for version 6 of the Internet Protocol. IPv6 was developed primarily to overcome the concerns in the Internet community that there would soon be a shortage of IP addresses to allocate. IPv6 addresses are 16 bytes long (128 bits). IPv6 incorporates a number of other changes, mostly simplifications, that will make IPv6 networks more managable than IPv4 networks. Linux already has a working, but not complete, IPv6 implementation in
the If you wish to experiment with this next generation Internet technology, or have a requirement for it, then you should read the IPv6-FAQ which is available from www.terra.net. 6.12 Mobile IPThe term "IP mobility" describes the ability of a host that is able to move its network connection from one point on the Internet to another without changing its IP address or losing connectivity. Usually when an IP host changes its point of connectivity it must also change its IP address. IP Mobility overcomes this problem by allocating a fixed IP address to the mobile host and using IP encapsulation (tunneling) with automatic routing to ensure that datagrams destined for it are routed to the actual IP address it is currently using. A project is underway to provide a complete set of IP mobility tools for Linux. The Status of the project and tools may be obtained from the: Linux Mobile IP Home Page. 6.13 MulticastIP Multicast allows an arbitrary number of IP hosts on disparate IP networks to have IP datagrams simultaneously routed to them. This mechanism is exploited to provide Internet wide "broadcast" material such as audio and video transmissions and other novel applications. Kernel Compile Options: A suite of tools and some minor network configuration is required. Please check the Multicast-HOWTO for more information on Multicast support in Linux. 6.14 NAT - Network Address TranslationThe IP Network Address Translation facility is pretty much the standardized big brother of the Linux IP Masquerade facility. It is specified in some detail in RFC-1631 at your nearest RFC archive. NAT provides features that IP-Masquerade does not that make it eminently more suitable for use in corporate firewall router designs and larger scale installations. An alpha implementation of NAT for Linux 2.0.29 kernel has been developed by
Michael.Hasenstein, Newer Linux 2.2.x kernels also include some NAT functionality in the routing algorithm. 6.15 Traffic Shaper - Changing allowed bandwidthThe traffic shaper is a driver that creates new interface devices, those devices are traffic-limited in a user-defined way, they rely on physical network devices for actual transmission and can be used as outgoing routed for network traffic. The shaper was introduced in Linux-2.1.15 and was backported to
Linux-2.0.36 (it appeared in The traffic shaper can only be compiled as a module and is configured by the shapecfg program with commands like the following: The shaper device can only control the bandwidth of outgoing traffic, as packets are transmitted via the shaper only according to the routing tables; therefore, a ``route by source address'' functionality could help in limiting the overall bandwidth of specific hosts using a Linux router. Linux-2.2 already has support for such routing, if you need it for
Linux-2.0 please check the patch by Mike McLagan, at
If you want to try out a (tentative) shaping for incoming packets,
try out 6.16 Routing in Linux-2.2The latest versions of Linux, 2.2 offer a lot of flexibility in routing policy. Unfortunately, you have to wait for the next version of this howto, or go read the kernel sources.
Next Previous Contents |
