

The Linux Networking Overview HOWTO: Network Interconnection

8. Network Interconnection

Linux networking is rich in features. A Linux box can be configured to act as a router, bridge, etc. Some of the available options are described below.

8.1 Router

The Linux kernel has built-in support for routing functions. A Linux box can act as either an IP or IPX router for a fraction of the cost of a commercial router. Recent kernels include special options for machines acting primarily as routers:

Multicasting: Allows the Linux machine to act as a router for IP packets that have several destination addresses. It is needed on the MBONE, a high-bandwidth network on top of the Internet which carries audio and video broadcasts.

IP policy routing: Normally, a router decides what to do with a received packet based solely on the packet's final destination address, but routing can also take into account the originating address and the network device from which the packet reached it.

There are some related projects, including one aiming at building a complete running Linux router on a floppy disk: Linux router project

8.2 Bridge

The Linux kernel has built-in support for acting as an Ethernet bridge, which means that the different Ethernet segments it is connected to will appear as one Ethernet to the participants. Several bridges can work together to create even larger networks of Ethernets using the IEEE802.1 spanning tree algorithm. As this is a standard, Linux bridges will interwork properly with other third-party bridge products. Additional packages allow filtering based on IP, IPX or MAC addresses.

Related How-tos:
Bridge+Firewall
Bridge

8.3 IP-Masquerading

IP Masquerade is a developing networking function in Linux. If a Linux host is connected to the Internet with IP Masquerade enabled, then computers connecting to it (either on the same LAN or connected with modems) can reach the Internet as well, even though they have no officially assigned IP addresses.
This allows for a reduction of costs, since many people may be able to access the Internet using a single modem connection, and it also contributes to increased security (in a way the machine is acting as a firewall, since unofficially assigned addresses cannot be accessed from outside that network).

IP masquerade related pages and documents:
http://www.tor.shaw.wave.ca/~ambrose/
http://www.indyramp.com/masq/links.pfhtml
http://sunsite.unc.edu/mdw/HOWTO/mini/IP-Masquerade.html

8.4 IP-Accounting

This option of the Linux kernel keeps track of IP network traffic, performs packet logging and produces some statistics. A series of rules may be defined so that when a packet matches a pattern a counter is increased, the packet is accepted or rejected, etc.

8.5 IP aliasing

This feature of the Linux kernel provides the possibility of setting multiple network addresses on the same low-level network device driver (e.g. two IP addresses on one Ethernet card). It is typically used for services that act differently based on the address they listen on (e.g. "multihosting", "virtual domains" or "virtual hosting services").

Related How-to:
IP Aliasing How-to

8.6 Traffic Shaping

The traffic shaper is a virtual network device that makes it possible to limit the rate of outgoing data flow over another network device. This is especially useful in scenarios (such as ISPs) in which it is desirable to control and enforce policies regarding how much bandwidth is used by each client. Another alternative (for web services only) may be certain Apache modules which restrict the number of IP connections per client or the bandwidth used.

8.7 Firewall

A firewall is a device that protects a private network from the public part (the Internet as a whole). It is designed to control the flow of packets based on the source, destination, port and packet type information contained in each packet.

Different firewall toolkits exist for Linux, as well as built-in support in the kernel. Other firewalls are TIS and SOCKS.
These firewall toolkits are very complete and, combined with other tools, allow blocking or redirection of all kinds of traffic and protocols. Different policies can be implemented via configuration files or GUI programs.

TIS home page
SOCKS
Firewall How-to

8.8 Port forwarding

An increasing number of web sites are becoming interactive by having cgi-bins or Java applets that access some database or other service. Since this access may pose a security problem, the machine containing the database should not be directly connected to the Internet.

Port forwarding can provide an almost ideal solution to this access problem. On the firewall, IP packets that come in to a specific port number can be rewritten and forwarded to the internal server providing the actual service. The reply packets from the internal server are rewritten to make it appear that they came from the firewall.

Port forwarding information may be found here

8.9 Load Balancing

Demand for load balancing usually arises in database/web access when many clients make simultaneous requests to a server. It would be desirable to have multiple identical servers and redirect requests to the least loaded server. This can be achieved through Network Address Translation (NAT) techniques, of which IP masquerading is a subset. Network administrators can replace a single server providing Web services - or any other application - with a logical pool of servers sharing a common IP address. Incoming connections are directed to a particular server using one load-balancing algorithm. The virtual server rewrites incoming and outgoing packets so clients have transparent access to the server as if only one existed.

Linux IP-NAT information may be found here

8.10 EQL

EQL is integrated into the Linux kernel.
If two serial connections exist to some other computer (this usually requires two modems and two telephone lines) and SLIP or PPP (protocols for sending Internet traffic over telephone lines) are used on them, it is possible to make them behave like one double-speed connection using this driver. Naturally, this has to be supported at the other end as well.

EQL How-to

8.11 Proxy Server

The term proxy means "to do something on behalf of someone else." In networking terms, a proxy server computer can act on behalf of several clients. An HTTP proxy is a machine that receives requests for web pages from another machine (Machine A). The proxy gets the requested page and returns the result to Machine A. The proxy may have a cache with the requested pages, so if another machine asks for the same page the copy in the cache will be returned instead. This allows efficient use of bandwidth resources and shorter response times. As a side effect, since client machines are not directly connected to the outside world, this is a way of securing the internal network. A well-configured proxy can be as effective as a good firewall.

Several proxy servers exist for Linux. One popular solution is the Apache proxy module. A more complete and robust implementation of an HTTP proxy is SQUID.

Apache
Squid

8.12 Diald on demand

The purpose of dial on demand is to make it transparently appear that the users have a permanent connection to a remote site. Usually, there is a daemon that monitors packet traffic and, when an interesting packet arrives (interesting is usually defined by a set of rules/priorities/permissions), establishes a connection with the remote end. When the channel is idle for a certain period of time, it drops the connection.

Diald How-to

8.13 Tunnelling, mobile IP and virtual private networks

The Linux kernel allows the tunnelling (encapsulation) of protocols. It can do IPX tunnelling through IP, allowing the connection of two IPX networks through an IP-only link.
It can also do IP-IP tunnelling, which is essential for mobile IP support, multicast support and amateur radio (see http://sunsite.unc.edu/mdw/HOWTO/NET-3-HOWTO-6.html#ss6.13).

Mobile IP specifies enhancements that allow transparent routing of IP datagrams to mobile nodes in the Internet. Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a care-of address, which provides information about its current point of attachment to the Internet. The protocol provides for registering the care-of address with a home agent. The home agent sends datagrams destined for the mobile node through a tunnel to the care-of address. After arriving at the end of the tunnel, each datagram is then delivered to the mobile node.

Point-to-Point Tunneling Protocol (PPTP) is a networking technology that allows the use of the Internet as a secure virtual private network (VPN). PPTP is integrated with the Remote Access Services (RAS) server which is built into Windows NT Server. With PPTP, users can dial into a local ISP, or connect directly to the Internet, and access their network as if they were at their desks. PPTP is a closed protocol and its security has recently been compromised. It is highly recommended to use other Linux-based alternatives, since they rely on open standards which have been carefully examined and tested.

A client implementation of the PPTP for Linux is available here

Mobile IP:
http://www-uk.hpl.hp.com/people/jt/mip.html
http://anchor.cs.binghamton.edu/~mobileip/

Virtual Private Networks related documents:
http://sunsite.unc.edu/mdw/HOWTO/mini/VPN.html
http://sites.inka.de/sites/bigred/devel/cipe.html
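
The address rewriting described in sections 8.3 (IP masquerading) and 8.8 (port forwarding) can be modelled in a few lines of Python. This is an added example, not code from the HOWTO or the Linux kernel; the class and field names, the documentation-range addresses and the starting port 61000 are assumptions, and protocols and state timeouts are ignored.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:
    """Toy model of a masquerading / port-forwarding firewall (constructed)."""

    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = forwards  # public port -> (internal ip, internal port)
        self.fwd_state = {}       # (client ip, client port, server ip, server port) -> public port
        self.masq = {}            # public port -> (lan ip, lan port, peer ip, peer port)
        self.next_port = 61000    # sample start of the masquerade port range

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet at the firewall's public address."""
        if p.dport in self.forwards:                 # 8.8: rewrite the destination
            ip, port = self.forwards[p.dport]
            self.fwd_state[(p.src, p.sport, ip, port)] = p.dport
            return Packet(p.src, p.sport, ip, port)
        entry = self.masq.get(p.dport)
        if entry and entry[2:] == (p.src, p.sport):  # 8.3: reply to a known flow
            return Packet(p.src, p.sport, entry[0], entry[1])
        return None  # no forward rule and no state: nothing to rewrite, dropped

    def outbound(self, p: Packet) -> Packet:
        """Packet leaving the private network through the firewall."""
        public_port = self.fwd_state.get((p.dst, p.dport, p.src, p.sport))
        if public_port is not None:                  # 8.8: reply appears to come from the firewall
            return Packet(self.public_ip, public_port, p.dst, p.dport)
        flow = (p.src, p.sport, p.dst, p.dport)
        for port, entry in self.masq.items():        # reuse the port of an existing flow
            if entry == flow:
                break
        else:                                        # 8.3: new flow, allocate a public port
            port = self.next_port
            self.next_port += 1
            self.masq[port] = flow
        return Packet(self.public_ip, port, p.dst, p.dport)

if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", {80: ("192.168.1.10", 8080)})
    print(gw.inbound(Packet("198.51.100.7", 40000, "203.0.113.1", 80)))
    print(gw.outbound(Packet("192.168.1.10", 8080, "198.51.100.7", 40000)))
    print(gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 61000)))
```

The last call returns None: an unsolicited packet from outside matches neither a forward rule nor an existing masqueraded flow, which is the mechanism behind the firewall-like behaviour section 8.3 mentions.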
