Links to other Resources

Links to Documentation

This chapter contains some categorized links to various further reading and reference materials on many topics in the linux and networking arenas. A number of links to software are also supplied.
Linux Networking Introduction and Overview Material

The best first place to go (if you can't find any help on this page) is to visit the comprehensive TLDP archive of networking-related documentation. Here you will find a breakdown of the available documentation, organized in a sensible way.

The Linux Network Administrator's Guide covers some of the same material as this guide. It additionally covers UUCP, SLIP, PPP, NIS, NFS, IPX, email administration, and NNTP. It is an excellent general reference.

The Networking HOWTO provides a good overview of most of the networking protocols and link layer devices supported under linux, though it covers primarily the 2.0 and 2.2 kernels.

Here's one step-by-step tutorial (among many) which shows how to configure a linux machine as a router/firewall. A brief summary rather than a thorough explanation, it instructs well by example.
Linux Security and Network Security

Linux has been adopted widely as a platform on which to build network security devices as a result of its feature set. Here, you'll find links to network security documentation.

The Security HOWTO introduces many of the topics that touch on securing a linux machine, including many network security topics.

The Security Quickstart HOWTO is for the impatient.
FIXME
FIXME
General IP Networking Resources

There are a number of resources available to cover a large range of IP networking topics. I have selected a few here, but there are many other sources of this information, both dead-tree versions and Internet documentation.

One of the key reference materials for any IP networking shop is the seminal work by the late W. Richard Stevens. Three volumes catalog the architecture of IP networking and higher layer protocols.

Here is a good introduction to Classless Inter Domain Routing (CIDR). CIDR is a technique employed since the mid 1990s to reduce the load on the routing devices employed on the Internet. A beneficial side effect is the simplicity of the CIDR addressing notation. For a CIDR address reference, RFC 1878 has proven invaluable to me.

Some general IP subnetting and other Internetworking questions are answered at SubnetOnline. At Cisco's site, you can find a good introduction to subnetting an IP space. Another one-page tutorial introduction to subnetting and CIDR networking is available here. And don't forget the IP subnetting mini-HOWTO from TLDP.

The Internet Assigned Numbers Authority (IANA) has selected a number of IP networks which are intended for discretionary use in private networks. RFC 1918 outlines the address ranges which are available for private use. Additionally, IANA has posted a summary of the identity of the subdelegates of each of the class A sized network address ranges. See also the update to RFC 1918 in RFC 3330.

Address Resolution Protocol is used to provide the glue between Ethernet link layer information (hardware addresses) and the IP layer. This page is instructive in ARP.

As discussed in , MSS and MTU are key matters for IP communication. Path MTU discovery, as discussed in RFC 1911, is used as a way to make the most efficient use of network resources by detecting the smallest link layer MTU between two endpoints and setting the MTU accordingly. This breaks when ICMP is assiduously filtered. Visit this discussion or this page on MTU and MSS, and of course LARTC's discussion and solution. For more on the general issue of ICMP and what is required, see also this SANS discussion. At a Usenix conference in late 2002, the issue of MTU and MSS prompted the MSS Initiative. Because this is a widely misunderstood issue, there is even a workaround in the RFCs, RFC 2923.
Masquerading topics

The Linux Documentation Project keeps a clear and up to date reference on IP masquerading which thoroughly covers the issues involved with masquerading.

Network Address Translation

If you have a 2.4 kernel and are using iptables, you should read Rusty Russell's documentation on NAT with netfilter.

The command reference for the iproute2 tools provides sparse documentation of the NAT features, but has an appendix which covers the key questions with regard to iproute2 NAT.

SuSE has Michael Hasenstein's paper on NAT, which is an excellent technical overview of the case for NAT.

Linas Vepstas has collected a number of links to projects and implementations relying heavily on NAT techniques.
iproute2 documentation

Timur A. Bolokhov has written a good (though dated) introduction to the policy routing features of iproute2 (supported by kernels 2.1 and later).

Mark Lamb hosts a good technical overview of both the iproute2 and tc packages.

If your copy of iproute2 did not get packaged with ip-cref.ps or if you prefer online HTML, the command reference is available in toto as HTML at linux-ip.net, www.linuxgrill.com, or snafu.freedom.org.

Julian Anastasov has been working on many aspects of traffic control and advanced routing with the iproute2 package. He has provided a large number of patches to iproute2 and some documentation for the Linux Virtual Server (LVS), in addition to a great deal of code for LVS. See his main site for both patches and documentation.

The Linux Advanced Routing and Traffic Control site provides a wealth of expertise for complex networking configurations. I also recommend the LARTC mailing list and archive.

A brief article distilled from Matthew Marsh's Policy Routing with Linux book introduces the concepts of policy routing under linux quite admirably. For a fifteen minute overview of policy routing under linux, read this article.

See this brief article describing advanced networking features of linux.
Netfilter Resources

Visit Oskar Andreasson's iptables tutorial for examples, overview, details, and full documentation of iptables.

The netfilter site provides a wealth of tutorials, examples, documentation, and a mailing list. Of particular interest is the documentation section.

See this brief introduction to packet filtering with iptables.

Here is a brief summary of the logging output from the netfilter engine.
ipchains Resources

Documentation for ipchains is available courtesy of the author, Rusty Russell. A mirror of the ipchains HOWTO is available at TLDP.

Here is a brief summary of logging output from the kernel.

Along with a huge pile of other linux-related traffic control and packet filtering documentation, there is a postscript reference card for ipchains at snafu.freedom.org.
ipfwadm Resources

Not covered in this documentation, ipfwadm is only supported in the linux 2.2 and 2.4 kernels via backward compatible interfaces to the internal packet filtering architectures. Read more on ipfwadm here.
General Systems References

To learn how to query the kernel's iptables directly, you need this programming reference.

For a description of the path a frame on the wire takes through the kernel from the Ethernet through to the upper layers, Harald Welte's brief proves instructive.

If you are only interested in the path an IP packet takes through the netfilter (ipchains or iptables), routing and ingress/egress QoS code, refer to Stef Coene's excellent ASCII representation, the kernel 2.4 packet traveling diagram.

Oskar Andreasson (of iptables tutorial fame) has written an IP sysctl tutorial which covers the different /proc filesystem entries. (kernel 2.4 only)
Bridging

Your linux box can function as a bridge, and two boxen connected to the same hubs can use Spanning Tree Protocol (STP) to protect against failure of one or the other. See the Bridge HOWTO.

For a brief article on using a linux bridge as a firewall, see David Whitmarsh's introduction to the topic.

There's some fledgling documentation of the bridging code in kernel 2.4 (and 2.2) available, especially in conjunction with netfilter, here.

Consider also ebtables, named by analogy to iptables. If you are bridging at all, or using ebtables at all, you'll want to know about the interaction between bridging and iptables, so visit the bridge and Netfilter HOWTO.
Traffic Control

The Linux Advanced Routing and Traffic Control website is the first place to go for any traffic control (and advanced routing) documentation. I also recommend the LARTC mailing list and archive.

Stef Coene has written prodigiously on traffic control under linux. His site contains practical guidance on traffic control and bandwidth shaping matters.

There is an ADSL Bandwidth Management HOWTO on TLDP.

Michael Babcock has a page discussing QoS on linux. This is a good introduction, though a bit dated (it seems to discuss only kernel 2.2).

Leonardo Balliache has published a brief comparative overview of QoS offerings.

Sally Floyd is apparently one of the leading researchers in the use of QoS on the Internet. See her work as a researcher at icir.org.

Another major research center for QoS under linux is the University of Kansas. For some very technical material on QoS under linux, see their main page. Here you will find some documentation of the tools available to those programming for QoS implementations under linux.

An implementation of DiffServ is underway under linux. DiffServ is an intermediate step to IntServ. There are also the old DiffServ archive and the current archive.
IPv4 Multicast

A dated multicast routing mini-HOWTO provides the best introduction to multicast routing under linux.

The smcroute utility provides a command line interface to manipulate the multicast routing tables via a method other than mrouted.
Miscellaneous Linux IP Resources

The sysctl utility is a convenient tool for manipulating kernel parameters. Combined with /etc/sysctl.conf, this utility allows an administrator to alter or tune kernel parameters in a convenient fashion across a reboot. See this brief RedHat page on the use of sysctl. See also Oskar Andreasson's IP Sysctl Tutorial for a detailed examination of the parameters and their effect on system operation.

For users who need to provide a standards compliant VPN solution, FreeS/WAN can be part of a good interoperable solution. Additionally, there are issues with using FreeS/WAN on linux as a VPN solution. John Denker (appropriate last name) has grappled with the issue of IPSec and routing and has suggested the following workaround. Here's a summary of one network admin's perspective on some of the issues related to FreeS/WAN, roving users and network administration for VPN users. Note! The 2.5.x development kernel contains an IPSec implementation natively. This means that by the release of 2.6.x, linux may support IPSec out of the box.

Explicit Congestion Notification is supported under linux kernel 2.4 with a sysctl entry.

The 2.2 and 2.4 series support bonding of interfaces, which allows both link aggregation (IEEE 802.3ad) and failover use of Ethernet interfaces. The canonical source for documentation about bonding is Documentation/networking/bonding.txt in the kernel source distribution.

If you are looking for virtual router redundancy protocol (VRRP) support under linux, there are several fledgling options. The reference implementation is (according to LARTC scuttlebutt) mostly a proof of concept endeavor. At least one other implementation is available for linux, and this one has the reputation of being more practical: keepalived.

If you want your linux box to support 802.1q VLAN tagging, you should read up on Ben Greear's site.

Don't forget the value of looking for the answer to your question in the linux-net mailing list archive.

Linux Journal has published a two-part article by Gianluca Insolvibile describing the path a packet takes through the kernel. Part I covers the input of the packet until just before layer 4 processing. Part II covers higher layer packet handling, including a simple diagram of the kernel's decisions for each IP packet.

This PDF from the linux-kongress introduces some plans for MPLS and RSVP support under linux. (There are also many other interesting papers available here.) Another (the same?) MPLS implementation is available from SourceForge.

A clearly written but probably quite dated introduction in English to the kernel networking code was written by David Rusling. (An update/replacement to this is under development by David Rusling, although no URL is available.)
Links to Software

Basic Utilities

The net-tools package is a collection of basic utilities for managing the Ethernet and IP layer under linux.

The iproute2 package provides command-line support for the full functionality of the linux IP stack. This package, written by Alexey Kuznetsov, is available here and is mirrored here.

A tool more convenient than traceroute for tracing routes, mtr can be obtained here.

The network Swiss army knife nc (NetCat) is available from @stake.

For a far more flexible tool in the same vein as nc, socat connects all manner of files, sockets, and file descriptors under most types of unix.

Virtual Private Networking software

CIPE is a lightweight nonstandard VPN technology which can use shared secrets or RSA keys. CIPE is developed primarily for linux but includes a Windows port.

For a standards based VPN technology, FreeS/WAN provides IPSec functionality for the linux kernel. If you need an SRPM of the FreeS/WAN IPSec software, get it here. Note that development kernel 2.5.47+ contains kernel-native support for IPSec. Refer to the LARTC IPSec documentation for more on this.

Traffic Control queueing disciplines and command line tools

Martin Devera has written a queueing discipline called HTB which has been incorporated into the 2.4.20 kernel series. As of this writing, HTBv3 is included in kernel 2.4.20+, but tc doesn't support htb without the patch available here.

Weighted Round Robin is a queueing discipline which distributes bandwidth among the multiple open connections. Although the wrr qdisc is not included in the kernel, it is available here.

Patrick McHardy has written a device which can be used independent of interface to perform traffic shaping. The Intermediate Queueing Device (IMQ) is supported under kernel 2.4 and provides support for ingress shaping and traffic shaping over multiple physical devices. (Site was available here.)

Werner Almesberger is working on a more user friendly traffic control front end called tcng. This package includes a userspace simulator, tcsim.

DiffServ

Interfaces to lower layer tools

A collection of various scripts and other interfaces for netfilter is available here.

A curses-based tool, ipmenu, provides a single uniform interface to many of the IP layer features of linux.

Packet sniffing and diagnostic tools

The tcpdump utility is a well known cross-platform utility for sniffing traffic on the wire.

To watch plaintext protocol conversations, the tcpflow tool can be invaluable.

To gather data on the nature and quality of the network path between two points, the bing program provides a running set of statistics by calculating the delta between ICMP echo replies from different hosts.

To help diagnose problems between network points, the pathchar tool can be handy. Unfortunately, it only comes in a binary release, apparently because Van Jacobson did not feel it was ready for full release.

Among the sniffing and spoofing tools, dsniff has received good press. It is a collection of tools for network auditing and penetration testing.

If you need to capture and reinject packets into the network, libnet is a library you can use for these purposes. This is a diagnostic and security tool.

To reproduce traffic from a captured file, use tcpreplay.