Linux provides a very rich set of networking capabilities.
Not only does its range of natively supported protocols
go beyond that of most other operating systems,
but IP masquerading, one of its most distinctive features,
is built into the kernel.
The Linux kernel supports several networking protocols.
TCP/IP - Transmission Control Protocol / Internet Protocol
The Internet Protocol,
whose use is increasing exponentially
now that the Internet has grown from a research network
into an international economic-cultural phenomenon,
is the primary network protocol supported by Linux;
see the following section for a list of supported features.
IPX - Internetwork Packet Exchange
Linux also supports IPX, the traditional packmule of the office LAN.
The operating system can:
Act as a Novell-compliant router between multiple IPX segments.
Use filesystems and printers offered by a Novell server.
Act as a NetWare-like server
to make some of its own file systems and printers available.
Tunnel IPX packets through an IP network, or vice versa.
Appletalk
Linux also supports the Appletalk protocol,
which permits communication with machines and printers on an Appletalk network;
Linux can provide both filesystem and printer support
to Appletalk clients.
Appletalk section of the
Amateur Radio AX.25 Level 2
A number of radio transmitters across the country support the AX.25 protocol
which provides digital packet relaying services between stations
that cannot communicate directly.
In addition to using AX.25 to carry TCP/IP packets,
Linux also supports the more traditional NET/ROM and ROSE protocols.
One of the most fundamental IP operations is packet forwarding,
which is the basic task of a router.
When forwarding is activated
(it is off by default, and should stay off on any machine not meant to be a router,
since a forwarding host exposes each of its networks to the others),
a machine not only watches the network for packets addressed to itself,
but recognizes when a packet arrives on one network interface
that is addressed to a machine connected to another one of its interfaces;
when this occurs it retransmits the packet
on the interface that the addressee is connected to.
This allows the Linux box to act as a router between
two or more IP subnetworks,
or between a subnetwork and the Internet.
section of the
HOWTO, as well as the commands route(8), routed(8),
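As an added illustration (not part of the original page or of any HOWTO it cites), the following Python models the forwarding decision just described: deliver a packet addressed to one of the machine's own interfaces, refuse to forward when forwarding is off, otherwise choose the outgoing interface by longest-prefix match against the routing table and decrement the TTL. The interfaces, addresses and routes are constructed for the example.

```python
"""Added example: a model of the IP forwarding decision described above.
Interfaces, addresses and routes below are constructed, not taken from
any real host."""
import ipaddress

# Constructed router: one interface on each of two subnets.
LOCAL_ADDRESSES = {"192.168.1.1": "eth0", "10.0.0.1": "eth1"}

# Routing table entries: (network, outgoing interface, gateway or None when
# the network is directly connected).  Compare the output of `route -n`.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0", None),
    (ipaddress.ip_network("10.0.0.0/24"), "eth1", None),
    (ipaddress.ip_network("10.0.0.0/8"), "eth1", "10.0.0.254"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth1", "10.0.0.254"),  # default route
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific network containing dst wins,
    regardless of the order in which the entries appear."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def forward(packet, ip_forward=True, routes=ROUTES, local=LOCAL_ADDRESSES):
    """Decide what the machine does with an arriving packet.

    packet: dict with 'src', 'dst' and 'ttl'.  Returns one of
      ('deliver', iface)            addressed to one of our own interfaces
      ('forward', iface, next_hop)  retransmit on another interface
      ('drop', reason)              forwarding off, TTL exhausted, or no route
    """
    if packet["dst"] in local:
        return ("deliver", local[packet["dst"]])
    if not ip_forward:
        # Forwarding disabled (the setting behind /proc/sys/net/ipv4/ip_forward):
        # a plain host silently ignores traffic that is not for itself.
        return ("drop", "forwarding disabled")
    if packet["ttl"] <= 1:
        # A router decrements TTL; a packet that would reach zero is discarded,
        # which is what stops routing loops from circulating packets forever.
        return ("drop", "ttl exceeded")
    route = lookup(packet["dst"], routes)
    if route is None:
        return ("drop", "no route")
    net, iface, gateway = route
    packet["ttl"] -= 1
    # Directly connected networks are reached by sending to the destination
    # itself; otherwise the packet is handed to the gateway for that route.
    return ("forward", iface, gateway or packet["dst"])


if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.0.9", "10.7.7.7", "198.51.100.3"):
        print(dst, forward({"src": "192.168.1.5", "dst": dst, "ttl": 64}))
```

Note that the destination 10.0.0.9 is matched by three entries (the /24, the /8 and the default route) and the /24 wins because it is the most specific, not because of its position in the list.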
When a machine is connected to the Internet or any large public network,
security becomes a concern:
people might try to use the network to break into it
or at least degrade its performance.
It is often desirable to protect an entire subnet of machines from harassment
by configuring the subnet's router
to only let certain kinds of packets into (or out of) the subnet.
When the router performs packet filtering of this sort
it is called a ``firewall.''
Linux provides firewall capabilities.
You specify simple filters
which match packets according to properties such as their transport protocol
or source or destination address.
Rules are consulted in order and the first match decides, so the safe starting point
is a default policy of deny with explicit accept rules for the traffic you want.
For each rule you can direct Linux to accept or drop matching packets,
to keep count of how many packets match it,
and even to log matching packets for detailed inspection.
Firewall HOWTO and especially the ipfwadm(8) command
and the ipfw(4) manual page.
Proxy and Masquerading
Very often you want several machines to have access to the Internet
without each having their own public IP address;
instead you want all of their requests to be presented to the outside network
as if they came from a single machine
(to which you do allocate a public IP address).
Such a machine is called a ``proxy'' for the hidden machines.
This not only saves you from having to use up your public IP addresses,
but also adds a measure of security,
since the machines behind the proxy cannot be connected to directly
from the outside world.
This protection depends entirely on the proxy machine itself: if it forwards
unsolicited inbound packets or is compromised, the hidden machines are reachable again,
so masquerading complements filtering rules rather than replacing them.
There are two techniques to accomplish this,
both of which are supported by Linux.
First, you can configure the software on the clients
to use a special protocol to send their Internet requests directly to the proxy;
two popular proxy packages supported by Linux are
TIS and SOCKS,
both described in the
But this approach is generally messy
since all the software on the client
has to know that it is talking to a proxy.
A much cleaner solution,
called ``IP masquerading,''
lets the clients think they are accessing the Internet normally
by having the masquerading machine
automatically map its clients' socket connections
onto its own collection of ports.
Masquerading is supported in the Linux kernel,
is exhaustively documented at the Linux
IP Masquerade Resource page,
is also described in the
and is grouped with the other firewall functions under the control of the
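As an added example (not code from the page, the kernel, or the IP Masquerade resources it cites), the following Python models the port mapping described above: each outbound client connection is given a port on the masquerading host's own address, and replies are mapped back only when they match an entry that an outbound packet created. The addresses and the port pool are constructed for the example.

```python
"""Added example: a model of the socket-to-port mapping that IP
masquerading performs.  Addresses and the port pool are constructed."""


class Masquerader:
    """Rewrites outbound client connections so they appear to come from the
    masquerading host's own address, and maps replies back to the client."""

    def __init__(self, public_ip, port_range=(61000, 65095)):
        self.public_ip = public_ip
        self.port_range = port_range   # constructed pool of ports reserved for masquerading
        self.next_port = port_range[0]
        # (client_ip, client_port, remote_ip, remote_port) -> masquerade port
        self.table = {}
        # (masquerade port, remote_ip, remote_port) -> (client_ip, client_port)
        self.reverse = {}

    def outbound(self, pkt):
        """Client -> Internet: allocate (or reuse) a port on the public address
        and rewrite the packet's source so the remote host only ever sees us."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        mport = self.table.get(key)
        if mport is None:
            if self.next_port > self.port_range[1]:
                raise RuntimeError("masquerade port pool exhausted")
            mport = self.next_port
            self.next_port += 1
            self.table[key] = mport
            self.reverse[(mport, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=mport)

    def inbound(self, pkt):
        """Internet -> client: only packets matching an entry created by an
        outbound packet are rewritten.  Anything else returns None: there is no
        client to hand it to, so it is treated as traffic for the masquerading
        host itself, which is why hidden clients cannot be reached from outside."""
        client = self.reverse.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if client is None:
            return None
        return dict(pkt, dst=client[0], dport=client[1])


if __name__ == "__main__":
    masq = Masquerader("203.0.113.1")
    out = masq.outbound({"src": "192.168.1.7", "sport": 1025, "dst": "198.51.100.9", "dport": 80})
    print("leaves as", out)
    print("reply maps to", masq.inbound({"src": "198.51.100.9", "sport": 80,
                                          "dst": "203.0.113.1", "dport": out["sport"]}))
    print("unsolicited ->", masq.inbound({"src": "198.51.100.9", "sport": 23,
                                          "dst": "203.0.113.1", "dport": 23}))
```

The reverse table is keyed on the remote endpoint as well as the masquerade port, so a packet from a different remote host aimed at an in-use port is not delivered to the client either.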
We have already noted that with the ipfwadm(8) command,
an administrator can create an ordered list of pattern/action rules,
and that a packet is processed according to the action (such as ``accept'' or ``deny'')
associated with the first pattern that matches it.
You can also specify ``accounting rules,''
which are simply patterns that every packet is checked against.
There is a counter associated with each pattern,
which is incremented when a packet matches the pattern;
by checking the counters' values you can collect information
about the kind of traffic reaching your machine
without the processor expense of running a full-fledged packet sniffer.
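As an added example serving both the firewall description above and this paragraph on accounting (it is not code from the page or from ipfwadm itself), the following Python models an ordered rule list with first-match semantics, a default policy, per-rule counters, and accounting rules that every packet is checked against. The rule syntax is a simplification of my own; the interfaces, networks and packets are constructed.

```python
"""Added example: a model of ipfwadm-style ordered pattern/action rules
plus accounting rules.  Rule syntax is a simplification of my own, and
the addresses, interfaces and packets are constructed."""
import ipaddress


class Rule:
    def __init__(self, action, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0",
                 dport=None, iface=None):
        self.action = action      # "accept" / "deny", or None for an accounting rule
        self.proto = proto
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport
        self.iface = iface        # interface the packet arrived on (cf. ipfwadm -W)
        self.packets = 0          # per-rule counters, as listed by ipfwadm -l
        self.bytes = 0

    def matches(self, pkt):
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.iface is None or self.iface == pkt.get("iface")))

    def count(self, pkt):
        self.packets += 1
        self.bytes += pkt["len"]


class Firewall:
    def __init__(self, policy="deny"):
        self.policy = policy      # applied when no rule matches (cf. ipfwadm -p)
        self.rules = []           # ordered: the FIRST matching rule decides
        self.accounting = []      # every packet is checked against ALL of these

    def filter(self, pkt):
        for rule in self.accounting:
            if rule.matches(pkt):
                rule.count(pkt)   # accounting only counts; it never decides
        for rule in self.rules:
            if rule.matches(pkt):
                rule.count(pkt)
                return rule.action
        return self.policy


def build_example_firewall():
    """Input rules for a router with the inside net 192.168.1.0/24 on eth0
    and the outside world on eth1 (all constructed for this example)."""
    fw = Firewall(policy="deny")                     # default deny: unmatched traffic is dropped
    fw.accounting.append(Rule(None, proto="tcp"))    # count all TCP, decide nothing
    # Order matters: the anti-spoofing rule must precede the rule trusting inside addresses.
    fw.rules.append(Rule("deny", src="192.168.1.0/24", iface="eth1"))    # inside addresses never arrive from outside
    fw.rules.append(Rule("accept", src="192.168.1.0/24", iface="eth0"))  # inside hosts may send anything
    fw.rules.append(Rule("accept", proto="tcp", dst="192.168.1.10/32", dport=25))  # public mail server only
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for pkt in [
        {"iface": "eth1", "proto": "tcp", "src": "192.168.1.7", "dst": "192.168.1.10", "dport": 25, "len": 60},
        {"iface": "eth1", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 25, "len": 60},
        {"iface": "eth1", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 23, "len": 60},
        {"iface": "eth0", "proto": "udp", "src": "192.168.1.7", "dst": "203.0.113.5", "dport": 53, "len": 80},
    ]:
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], pkt["dport"], fw.filter(pkt))
    print("tcp packets counted:", fw.accounting[0].packets, "bytes:", fw.accounting[0].bytes)
```

Swapping the first two rules would let a packet forged with an inside source address in through eth1, which is the kind of ordering mistake the per-rule counters help you notice: a deny rule whose counter never moves is worth a second look.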
Tunneling and Intranets
``Tunneling'' is the practice of sending data packets across a network
by carrying them inside of another packet.
The act of putting one packet inside another is called ``encapsulation.''
Consider a company with two offices, across the country from each other,
each of which uses IPX within its own building.
Each office could set up a router
that got IPX packets destined for the other office,
stuffed them into IP packets addressed for the other office's Internet server,
and sent those packets across the country on the Internet.
The receiving router could then take the IPX packet back out
and put it on its own building's network.
So to the IPX devices it would look like there was simply
an IPX router sitting between the two office LANs.
A network created by tunneling is called an ``Intranet''
(today the same arrangement would usually be called a virtual private network, or VPN).
Since subscribing to Internet service is much cheaper
than buying leased lines between several locations
and paying for the staff and maintenance to keep a private network up,
businesses are very excited about creating Intranets for themselves.
When private data travels over the Internet, privacy becomes an important issue:
plain encapsulation hides nothing, since anyone on the path can read the inner packets
or inject their own into the tunnel, so some form of encryption,
together with authentication of the tunnel endpoints, is usually warranted.
Details of setting up an intranet with Linux are in the Intranet
Tunneling IP packets through other IP packets is supported
in the Linux kernel and described in the
Encapsulation section of the Net-3 HOWTO.
Putting IPX through IP can be accomplished using a program
called ipxtunnel that is described in the IPX Over IP
section of the
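As an added example (not code from the page, the kernel, or the Net-3 HOWTO it cites), here is what IP-in-IP encapsulation does at the byte level: the whole inner packet becomes the payload of an outer IPv4 packet whose protocol field is 4, the number registered for IP-in-IP. The addresses and payload are constructed. The decapsulating side verifies the header checksum and checks that the outer packet came from the expected tunnel peer; as the text notes, plain encapsulation provides no confidentiality, and without some authenticity check anyone able to send packets to the tunnel endpoint could inject traffic onto the private network.

```python
"""Added example: IP-in-IP encapsulation and decapsulation by hand.
Addresses and payload are constructed; nothing here touches a socket."""
import struct

IPPROTO_IPIP = 4  # protocol number for "IP in IP" encapsulation

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words.
    Over a header that already carries a correct checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Assemble a minimal 20-byte IPv4 header (no options) plus payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl,
                         proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    """Parse and validate an IPv4 packet; raises ValueError on a bad header."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < total_len or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
            "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner_pkt, tunnel_src, tunnel_dst):
    """Tunnel entry: the complete inner packet rides as the payload of an
    outer packet addressed from one tunnel endpoint to the other."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_pkt)


def decapsulate(outer_pkt, expected_peer):
    """Tunnel exit: strip the outer header and return the inner packet.
    The peer check is the minimum sanity check; it stops casual injection
    but not a sender who can forge the peer's address, which is why the
    text recommends encryption (and authentication) for anything private."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["src"] != expected_peer:
        raise ValueError("encapsulated packet from unexpected peer %s" % outer["src"])
    inner = outer["payload"]
    parse_ipv4(inner)  # validate the inner header before putting it on the LAN
    return inner


if __name__ == "__main__":
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello", ident=1)  # constructed UDP-ish payload
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print("outer:", parse_ipv4(outer)["src"], "->", parse_ipv4(outer)["dst"], "proto", parse_ipv4(outer)["proto"])
    print("inner:", parse_ipv4(decapsulate(outer, "203.0.113.1")))
```

Note that the inner packet is carried verbatim: its private addresses and payload are visible to every hop between the two offices, which is the exposure the encryption recommendation above addresses.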
Usually each network interface on a machine has a unique IP address
and server programs running on the machine
receive only packets that were destined for its address.
Aliasing gives you the ability to assign several IP addresses
to a network interface,
so that a single machine can act as though it were several machines.
The Apache httpd server, for example,
can tailor its response to the IP address on which an HTTP query arrived
(its ``IP-based virtual hosts''),
so that each of your machine's IP addresses
will look like a separate server with different web pages.
Aliasing is briefly covered in both the IP
Aliasing section of the Net-3 HOWTO
as well as its own IP-Aliasing
(Linux can currently handle 256 addresses per interface,
which should only limit the most ambitious users of this feature.)