This chapter contains some categorized links to various further reading and reference materials on many topics in the linux and networking arenas. Also supplied are a number of links to software as well.

The best first place to go (if you can't find any help on this page) is to visit the comprehensive TLDP archive of networking-related documentation. Here you will find a breakdown of the available documentation, organized in a sensible way. The Linux Network Administrator's Guide covers some of the same material as this guide. It additionally covers UUCP, SLIP, PPP, NIS, NFS, IPX, email administration, and NNTP. It is an excellent general reference. The Networking HOWTO provides a good overview of most of the networking protocols and link layer devices supported under linux, though it covers primarily the 2.0 and 2.2 kernels. Here's one step-by-step tutorial (among many) which shows how to configure a linux machine as a router/firewall. A brief summary rather than a thorough explanation, it instructs well by example.

Linux has been adopted widely as a platform on which to build network security devices as a result of its feature set. Here, you'll find links to network security documentation. The Security HOWTO introduces many of the topics that touch on securing a linux machine, including many network security topics. The Security Quickstart HOWTO is for the impatient. FIXME FIXME

There are a number of resources available to cover a large range of IP networking topics. I have selected a few here, but there are many other sources of this information both dead-tree versions and Internet documentation. One of the key reference materials for any IP networking shop is the seminal work by the late W. Richard Stevens. Three volumes catalog the architecture of IP networking and higher layer protocols. Here is a good introduction to Classless Inter Domain Routing (CIDR). CIDR is a technique employed since the mid 1990s to reduce the load on the routing devices employed on the Internet. A beneficial side effect is the simplicity of the CIDR addressing notation. For a CIDR address reference, RFC 1878 has proven invaluable to me. Some general IP subnetting and other Internetworking questions are answered at SubnetOnline. At Cisco's site, you can find a good introduction to subnetting an IP space. Another one-page tutorial introduction to subnetting and CIDR networking is available here. And don't forget the IP subnetting mini-HOWTO from TLDP. The Internet Assigned Numbers Authority (IANA) has selected a number of IP networks which are intended for discretionary use in private networks. RFC 1918 outlines the address ranges which are available for private use. Additionally, IANA has posted a summary of the identity of the subdelegates of each of the class A sized network address ranges. See also the update to RFC 1918 in RFC 3330 Address Resolution Protocol is used to provide the glue between Ethernet link layer information (hardware addresses) and the IP layer. This page is instructive in ARP. As discussed in , MSS and MTU are key matters for IP communication. Path MTU discovery, as discussed in RFC 1911, is used as a way to make most efficient use of network resources by detecting the smallest link layer between two endpoints and setting the MTU accordingly. This breaks when ICMP is assiduously filtered. Visit this discussion or this page on MTU and MSS, and of course LARTC's discussion and solution. For more on the general issue of ICMP and what is required see also this SANS discussion. At a Usenix conference in late 2002, the issue of MTU and MSS prompted the MSS Initiative. Because this is a widely misunderstood issue, there is even a workaround in the RFCs, RFC 2923.

The Linux Documentation Project keeps a clear and up to date reference on IP masquerading which thoroughly covers the issues involved with masquerading.

If you have a 2.4 kernel and are using iptables, you should read Rusty Russell's documentation on NAT with netfilter. The command reference for the iproute2 tools provides sparse documentation of the NAT features, but has an appendix which covers the key questions with regard to iproute2 NAT. SuSe has Michael Hasenstein's paper on NAT, which is an excellent technical overview of the case for NAT. Linas Vepstas has collected a number of links to projects and implementations relying heavily on NAT techniques.

Timur A. Bolokhov has written a good (though dated) introduction. to the policy routing features of iproute2 (supported by kernels 2.1 and later). Mark Lamb hosts a good technical overview of both the iproute2 and tc packages. If your copy of &iproute2; did not get packaged with ip-cref.ps or if you prefer online HTML, the command reference is available in toto as HTML at linux-ip.net, www.linuxgrill.com, or snafu.freedom.org. Julian Anastasov has been working on many aspects of traffic control and advanced routing with the &iproute2; package. He has provided a large number of patches to &iproute2; and some documentation with for the linux virtual server (LVS) in addition to a great deal of code for LVS. See his main site for both patches and documentation. The Linux Advanced Routing and Traffic Control site provides a wealth of expertise for complex networking configurations. I also recommend the LARTC mailing list and archive. A brief article distilled from Matthew Marsh's Policy Routing with Linux book, introduces the concepts of policy routing under linux quite admirably. For a fifteen minute overview of policy routing under linux, read this article. See this brief article on describing advanced networking features of linux.

Visit Oskar Andreasson's iptables tutorial for examples, overview, details, and full documentation of iptables. The netfilter site provides a wealth of tutorials, examples, documentation, and a mailing list. Of particular interest is the documentation section. See this brief introduction to packet filtering with iptables. Here is a brief summary of the logging output form from the netfilter engine.

Documentation for ipchains is available courtesy of the author, Rusty Russell. A mirror of the ipchains HOWTO is available at TLDP. Here is a brief summary of logging outputfrom the kernel. Along with a huge pile of other linux-related traffic control and packet filtering documentation, there is a postscript reference card for ipchains at snafu.freedom.org.

Not covered in this documentation, ipfwadm is only supported in the linux 2.2 and 2.4 kernels via backward compatible interfaces to the internal packet filtering architectures. Read more on ipfwadm here.

To learn how to query the kernel's iptables directly, you need this progamming reference. For a description of the path a frame on the wire takes through the kernel from the Ethernet through to the upper layers, Harald Welte's brief proves instructive. If you are only interested in the path an IP packet takes through the netfilter (ipchains or iptables), routing and ingress/egress QoS code, refer to Stef Coene's excellent ASCII representation, the kernel 2.4 packet traveling diagram. Oskar Andreasson (of iptables tutorial fame) has written an IP sysctl tutorial which covers the different /proc filesystem entries. (kernel 2.4 only)

Your linux box can function as a bridge, and two boxen connected to the same hubs can use Spanning Tree Protocol (STP) to protect against failure of one or the other. See the Bridge HOWTO. For a brief article on using a linux bridge as a firewall see David Whitmarsh's introduction to the topic. There's some fledgling documentation of the bridging code in kernel 2.4 (and 2.2) available, especially in conjunction with netfilter here. Consider also, ebtables named by analogy to iptables. If you are bridging at all, or using ebtables at all, you'll want to know about the interaction between bridging and iptables, so visit the bridge and Netfilter HOWTO.

The Linux Advanced Routing and Traffic Control website is the first place to go for any traffic control (and advanced routing) documentation. I also recommend the LARTC mailing list and archive. Stef Coene has written prodigiously on traffic control under linux. His site contains practical guidance on traffic control and bandwidth shaping matters. There is an ADSL Bandwidth Management HOWTO on TLDP. Michael Babcock has a page discussing QoS on linux. This is a good introduction, though a bit dated (it seems to discuss only kernel 2.2). Leonardo Balliache's has published a brief overview of the compared QoS offerings. Sally Floyd is apparently one of the leading researchers in the use of QoS on the Internet. See her work as a researcher at icir.org. Another major research center for QoS under linux is the University of Kansas. For some very technical material on QoS under linux, see their main page. Here you will find some documentation of the tools available to those programming for QoS implementations under linux. An implementation of DiffServ, is underway under linux. DiffServ is an intermediate step to IntServ. There are also the old DiffServ archive and the current archive.

A dated multicast routing mini-HOWTO provides the best introduction to multicast routing under linux. The smcroute utility provides a command line interface to manipulate the multicast routing tables via a method other than mrouted.

The sysctl utility is a convenient tool for manipulating kernel parameters. Combined with the /etc/sysctl.conf this utility allows an administrator to alter or tune kernel parameters in a convenient fashion across a reboot. See this brief RedHat page on the use of sysctl. See also Oskar Andreasson's IP Sysctl Tutorial for a detailed examination of the parameters and their affect on system operation. For users who need to provide a standards compliant VPN solution FreeS/WAN can be part of a good interoperable solution. Additionally, there are issues with using FreeS/WAN on linux as a VPN solution. John Denker (appropriate last name) has grappled with the issue of IPSec and routing and has suggested the following work around. Here's a summary of one network admin's perspective on some of the issues related to FreeS/WAN, roving users and network administration for VPN users. Note! The 2.5.x development kernel contains an IPSec implementation natively. This means that by the release of 2.6.x, linux may support IPSec out of the box. Explicit Congestion Notification is supported under linux kernel 2.4 with a sysctl entry. The 2.2 and 2.4 series support bonding of interfaces which allows both link aggregation (IEEE 802.3ad) and failover use of Ethernet interfaces. The canonical source for documentation about bonding is Documentation/networking/bonding.txt in the kernel source distribution. If you are looking for virtual router redundancy protocol (VRRP) support under linux, there are several fledgling options. The reference implementation is (according to LARTC scuttlebut) mostly a proof of concpt endeavor. At least one other implementation is available for linux--and this one has the reputation of being more practical: keepalived. If you want your linux box to support 802.1q VLAN tagging, you should read up on Ben Greear's site. Don't forget the value of looking for the answer to your question in the linux-net mailing list archive. Linux Journal has published a two part article on by Gianluca Insolvibile describing the path a packet takes through the kernel. Part I covers the input of the packet until just before layer 4 processing. Part II covers higher layer packet handling, including simple diagram of the kernel's decisions for each IP packet. This PDF from the linux-kongress introduces some plans for MPLS and RSVP support under linux. (There are also many other interesting papers available here.) Another (the same?) MPLS implementation is available from SourceForge. A clearly written but probably quite dated introduction in English to the kernel networking code was written by David Rusling. (An update/replacement to this is under development by David Rusling, although no URL is available.)

The net-tools package is a collection of basic utilities for managing the Ethernet and IP layer under linux. The &iproute2; package provides command-line support for the full functionality of the linux IP stack. This package, written by Alexey Kuznetsov, is available here and is mirrored here. A tool more convenient than traceroute for tracing routes, mtr can be obtained here. The network swiss army knife of nc (NetCat) is available from @stake. For a far more flexible tool in the same vein as nc, socat connects all manner of files, sockets, and file descriptors under most types of unix.

CIPE is a lightweight nonstandard VPN technology which can use shared secrets or RSA keys. CIPE is developed primarily for linux but includes a Windows port. For a standards based VPN technology, FreeS/WAN provides IPSec functionality for the linux kernel. If you need an SRPM of the FreeSWAN IPSec software, get it here. Note that development kernel 2.5.47+ contains kernel-native support for IPSec. Refer to the LARTC IPSec documentation for more on this.

Martin Devera has written a queueing discipline called HTB which has been incorporated into the 2.4.20 kernel series. As of this writing, HTBv3 is included in kernel 2.4.20+, but tc doesn't support htb without the patch available here. Weighted Round Robin is a queueing discipline which distributes bandwidth among the multiple open connections. Although the wrr qdisc is not included in the kernel, it is available here. Patrick McHardy has written a device which can be used independent of interface to perform traffic shaping. The Intermediate Queueing Device (IMQ) is supported under kernel 2.4 and provides support for ingress shaping and traffic shaping over multiple physical devices. (Site was available here.) Werner Almesberger is working on a more user friendly traffic control front end called tcng. This package includes a userspace simulator tcsim. DiffServ

A collection of various scripts and other interfaces for netfilter is available here. A curses-based tool ipmenu provides a single uniform interface to many of the IP layer features of linux.

The tcpdump utility is a well known cross-platform utility for sniffing traffic on the wire. To watch plaintext protocol conversations, the tcpflow tool can be invaluable. To gather data on the nature and quality of the network path between two points, the bing program provides a running set of statistics by calculating the delta between ICMP echo replies from different hosts. To help diagnose problems between network points, the pathchar tool can be handy. Unfortunately, it only comes in a binary release, apparently because Van Jacobsen did not feel it was ready for full release. Among the sniffing and spoofing tools, dsniff has received good press. It is a collection of tools for network auditing and penetration testing. If you need to capture and reinject packets into the network, libnet is a library you can use for these purposes. This is a diagnostic and security tool. To reproduce traffic from a captured file, use tcpreplay.