
Basic Network Capabilities of Linux

This page is a resource of the Networking Group of the BTC, affiliated with the College of Computing of Georgia Tech.

Linux provides a very rich set of networking capabilities. Not only does its range of native networking support surpass that of other operating systems, but IP masquerading, one of its most distinctive features, is built into the kernel itself.

For each of these protocols and features I refer to documentation where you can find more information. Descriptions of specific Linux network commands are provided on the Linux Networking Commands page which accompanies this one. You will also want to review the Linux Network Administrator's Guide from the Linux Documentation Project.

Supported Protocols

The Linux kernel supports several networking protocols.
TCP/IP - Transmission Control Protocol / Internet Protocol
The Internet Protocol, whose use is increasing exponentially now that the Internet has grown from a research network into an international economic-cultural phenomenon, is the primary network protocol supported by Linux; see the following section for a list of supported features.

IPX - Internetwork Packet Exchange
Linux also supports IPX, the traditional pack mule of the office LAN. The operating system can: For more information see the IPX HOWTO.

AppleTalk DDP
This permits communication with machines and printers on an AppleTalk network. Linux can provide both filesystem and printer support to AppleTalk clients. See the AppleTalk section of the Net-3 HOWTO.

Amateur Radio AX.25 Level 2
Many amateur radio stations across the country support the AX.25 protocol, which provides digital packet relaying between stations that cannot communicate directly. In addition to using AX.25 to carry TCP/IP packets, Linux also supports the more traditional NET/ROM and ROSE protocols. See the AX.25 HOWTO.

Supported Features

Forwarding
One of the most fundamental IP operations is packet forwarding, the basic task of a router. With forwarding enabled, a machine does not merely accept packets addressed to itself: when a packet arrives on one interface addressed to a host reachable through another of its interfaces, it retransmits the packet on that interface (decrementing the TTL as it goes). This lets a Linux box act as a router between two or more IP subnetworks, or between a subnetwork and the Internet. On kernels with forwarding compiled in it is switched on at run time by writing 1 to /proc/sys/net/ipv4/ip_forward; on a multi-homed host that is not meant to route, leave it off, since otherwise the host silently becomes a path between networks that were supposed to be separate. See the Routing section of the Linux NET-3 HOWTO, as well as the commands route(8), routed(8), and ifconfig(8).
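The forwarding decision described above, as an added example that is not part of the original page and not the kernel's own code. It models the three outcomes (deliver locally, forward on another interface, drop) and the longest-prefix-match route lookup behind the forwarding step. The interface names, addresses and routing table are constructed for illustration.

```python
"""Router forwarding decision with longest-prefix-match lookup.

Added example; not from the original page and not the kernel's code.
The host topology below (interfaces, addresses, routes) is constructed.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    iface: str                      # outgoing interface
    gateway: Optional[str] = None   # None means the destination is on-link


class Packet(NamedTuple):
    src: str
    dst: str
    ttl: int
    in_iface: str


# Constructed example host: a LAN on eth0, a point-to-point uplink on eth1,
# and a default route through the upstream router 10.0.0.1.
LOCAL_ADDRESSES = {"192.168.1.1", "10.0.0.2"}
ROUTING_TABLE = [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "eth0"),
    Route(ipaddress.IPv4Network("10.0.0.0/30"), "eth1"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth1", gateway="10.0.0.1"),
]


def lookup(dst: str, table=ROUTING_TABLE) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def handle(pkt: Packet, forwarding: bool, table=ROUTING_TABLE) -> dict:
    """Decide what the host does with an incoming packet.

    Returns a dict whose 'action' is 'local', 'forward' or 'drop', mirroring
    the outcomes in the text: deliver to a local socket, retransmit on
    another interface, or discard.
    """
    if pkt.dst in LOCAL_ADDRESSES:
        return {"action": "local"}
    if not forwarding:
        # A host that is not a router discards traffic addressed elsewhere.
        # Leaving forwarding off is what keeps a multi-homed host from
        # bridging two networks that should stay separate.
        return {"action": "drop", "reason": "forwarding disabled"}
    if pkt.ttl <= 1:
        # A real kernel also sends ICMP Time Exceeded here; we only drop.
        return {"action": "drop", "reason": "ttl expired"}
    route = lookup(pkt.dst, table)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    next_hop = route.gateway or pkt.dst    # on-link destinations are the next hop themselves
    return {"action": "forward", "out_iface": route.iface,
            "next_hop": next_hop, "ttl": pkt.ttl - 1}


if __name__ == "__main__":
    pkt = Packet("192.168.1.5", "8.8.8.8", 64, "eth0")
    print(handle(pkt, forwarding=True))
    print(handle(pkt, forwarding=False))
```

With forwarding on, a LAN client's packet to 8.8.8.8 leaves on eth1 toward 10.0.0.1 with TTL 63; with forwarding off, the same packet is dropped, which is the behaviour you want from any host that is not intended to be a router.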

Firewall operations
When a machine is connected to the Internet or any large public network, security becomes a concern: people might try to use the network to break into it or at least degrade its performance. It is often desirable to protect an entire subnet of machines from harassment by configuring the subnet's router to let only certain kinds of packets into (or out of) the subnet. When the router performs packet filtering of this sort it is called a ``firewall.'' Linux provides firewall capabilities: you specify simple filters that match packets according to properties such as their transport protocol, source or destination address, port, or the interface they arrived on. For each rule you can direct Linux to accept matching packets, to drop them, to keep count of how many packets match, and even to log matching packets to the kernel log for closer inspection. Two points matter when writing rules. First, the first matching rule decides a packet's fate, so specific rules (for example, denying packets that claim one of your internal addresses but arrive on the outside interface) must come before general ones, and the default policy for unmatched packets should be restrictive. Second, the filter is stateless: it has no notion of an established connection, so replies to connections opened from inside must be allowed explicitly by their own rules. See the Firewall HOWTO and especially the ipfwadm(8) command and the ipfw(4) manual page.

Proxy and Masquerading
Very often you want several machines to have access to the Internet without each having its own public IP address; instead all their requests should appear to the outside network as if they came from a single machine, to which you do allocate a public IP address. Such a machine is called a ``proxy'' for the hidden machines. This not only saves public IP addresses but also enhances security, since the machines behind the proxy cannot be connected to directly from the outside world (the proxy host itself, of course, remains reachable and has to be secured in its own right). There are two techniques to accomplish this, both of which are supported by Linux.

First, you can configure the software on the clients to use a special protocol to send their Internet requests to the proxy; two popular proxy packages that run on Linux are the TIS Firewall Toolkit and SOCKS, both described in the Firewall HOWTO. This approach is generally messy, since every program on the client has to know that it is talking to a proxy.

A much cleaner solution, called ``IP masquerading,'' lets the clients believe they are reaching the Internet directly: the masquerading machine rewrites each outgoing connection so that it appears to originate from one of its own ports, and maps replies arriving at that port back to the client that opened the connection. Packets arriving from outside for which no such mapping exists are simply dropped, which is what makes the clients unreachable from the Internet. Because the rewriting touches only the IP and transport headers, protocols that carry addresses or port numbers inside their payload (active-mode FTP is the classic case) need protocol-specific helper modules in the kernel. Masquerading is supported in the Linux kernel, is exhaustively documented at the Linux IP Masquerade Resource page, is also described in the IP Masquerade mini-HOWTO, and is grouped with the other firewall functions under the control of the ipfwadm(8) command.
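The port-mapping mechanism described above, as an added example that is not part of the original page and not the kernel's masquerading code. It keeps the two tables a masquerader needs (outbound flow to public port, public port back to client), reuses the port for an existing flow, drops unsolicited inbound packets, and refuses new flows once its port pool is exhausted. The addresses, ports and the size of the port pool are constructed assumptions.

```python
"""IP masquerading modelled as a port-mapping table.

Added example; not from the original page and not the kernel's ip_masq code.
Addresses and the port pool below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    def __init__(self, public_ip: str, port_range=range(61000, 65096)):
        self.public_ip = public_ip
        # Pool of ports the masquerader may hand out (range is an assumption).
        self.free_ports: List[int] = list(port_range)
        # (proto, client_ip, client_port, dst_ip, dst_port) -> masqueraded port
        self.out_map: Dict[Tuple, int] = {}
        # (proto, masq_port, remote_ip, remote_port) -> (client_ip, client_port)
        self.in_map: Dict[Tuple, Tuple[str, int]] = {}

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Rewrite a packet leaving the private network.

        The client's address and port are replaced by the public address and
        a port of our own; the same flow always gets the same port.  Returns
        None when the port pool is exhausted (the kernel drops the packet).
        """
        key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        port = self.out_map.get(key)
        if port is None:
            if not self.free_ports:
                return None
            port = self.free_ports.pop(0)
            self.out_map[key] = port
            self.in_map[(f.proto, port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.public_ip, port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Rewrite a reply arriving from the Internet for one of our ports.

        Only packets matching a mapping created by an outbound packet are
        translated; anything else is dropped, which is why hosts behind the
        masquerader cannot be contacted from outside.
        """
        client = self.in_map.get((f.proto, f.dst_port, f.src_ip, f.src_port))
        if client is None:
            return None
        return Flow(f.proto, f.src_ip, f.src_port, client[0], client[1])


if __name__ == "__main__":
    m = Masquerader("203.0.113.5")
    out = m.outbound(Flow("tcp", "192.168.1.10", 40000, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    print("reply mapped back to", m.inbound(Flow("tcp", "198.51.100.7", 80, "203.0.113.5", out.src_port)))
    print("unsolicited inbound:", m.inbound(Flow("tcp", "198.51.100.7", 80, "203.0.113.5", 65000)))
```

Real implementations also expire idle mappings and, as the text notes, need helpers for protocols such as FTP that announce ports in their payload; neither is modelled here.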

Accounting
We have already noted that with the ipfwadm(8) command, an administrator can create a list of pattern/action rules, and that a packet is processed according to the rule (like "accept" or "deny") associated with the first pattern that matches it. You can also specify ``accounting rules,'' which are simply patterns that every packet is checked against. There is a counter associated with each pattern, which is incremented when a packet matches the pattern; by checking the counters' values you can collect information about the kind of traffic reaching your machine without the processor expense of running a full-fledged packet sniffer like tcpdump(8).
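The first-match filter of the Firewall section and the accounting rules described just above, as one added example that is not part of the original page and not the ipfwadm or kernel code. A packet is handled by the first filter rule it matches (or by the default policy), while every packet is tested against every accounting pattern and bumps its counter. The example rule set, interface names and sample traffic are constructed; it also shows why rule order matters and why, with a stateless filter, reply traffic needs its own rule.

```python
"""First-match packet filter with per-rule and accounting counters.

Added example; not from the original page and not the ipfwadm/ipfw code.
The rule set and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    iface: str = "eth0"          # interface the packet arrived on


@dataclass
class Rule:
    action: str                  # 'accept' or 'deny'; ignored for accounting rules
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    iface: Optional[str] = None
    log: bool = False            # like ipfwadm -o: record matching packets
    packets: int = 0             # counter incremented on every match

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


class Firewall:
    def __init__(self, policy: str = "deny"):
        self.policy = policy             # verdict when no filter rule matches
        self.rules: List[Rule] = []      # consulted in order, first match wins
        self.accounting: List[Rule] = [] # every packet is checked against all of these
        self.logged: List[Packet] = []

    def filter(self, p: Packet) -> str:
        for r in self.accounting:        # accounting never affects the verdict
            if r.matches(p):
                r.packets += 1
        for r in self.rules:
            if r.matches(p):
                r.packets += 1
                if r.log:
                    self.logged.append(p)
                return r.action          # later rules are not consulted
        return self.policy


def build_example() -> Firewall:
    """Constructed policy for 192.168.1.0/24 behind outside interface eth1."""
    fw = Firewall(policy="deny")
    fw.rules = [
        # Anti-spoofing: our own prefix must never arrive from outside.  Placed
        # first so it wins over the accept rules below.
        Rule("deny", src="192.168.1.0/24", iface="eth1", log=True),
        # Public web server.
        Rule("accept", proto="tcp", dst="192.168.1.10/32", dport=80),
        # The filter is stateless, so DNS replies from our resolver need their own rule.
        Rule("accept", proto="udp", src="198.51.100.53/32", dst="192.168.1.0/24"),
    ]
    fw.accounting = [
        Rule("count", proto="tcp"),
        Rule("count", proto="udp"),
        Rule("count", dst="192.168.1.10/32"),
    ]
    return fw


if __name__ == "__main__":
    fw = build_example()
    for p in [Packet("tcp", "203.0.113.9", "192.168.1.10", 80, "eth1"),
              Packet("tcp", "192.168.1.5", "192.168.1.10", 80, "eth1")]:
        print(p, "->", fw.filter(p))
    print("tcp packets seen:", fw.accounting[0].packets, "logged:", len(fw.logged))
```

The spoofed packet in the usage block is denied and logged even though the web-server rule would have accepted it, purely because the anti-spoofing rule comes first; swap the two rules and the protection disappears.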

Tunneling and Intranets
``Tunneling'' is the practice of sending data packets across a network by carrying them inside other packets. The act of putting one packet inside another is called ``encapsulation.'' Consider a company with two offices, across the country from each other, that each use IPX within their own building. Each office could set up a router that takes IPX packets destined for the other office, wraps them in IP packets addressed to the other office's Internet gateway, and sends those packets across the Internet. The receiving router takes the IPX packet back out and puts it on its own building's network. To the IPX devices it looks as though there were simply an IPX router sitting between the two office LANs.

A network created by tunneling is called an ``Intranet'' (today the same arrangement is more often called a virtual private network). Since subscribing to Internet service is much cheaper than buying leased lines between several locations and paying for the staff and maintenance to keep a private network up, businesses are very excited about creating Intranets for themselves. When private data crosses the Internet, privacy becomes an important issue: encapsulation by itself provides neither confidentiality nor authentication, so anyone on the path can read the inner packets, and anyone who can send IP to a tunnel endpoint can try to inject packets into the private network. Some form of encryption, together with authentication of the tunnel endpoints, is therefore usually warranted. Details of setting up an intranet with Linux are in the Intranet Server HOWTO.

Tunneling IP packets through other IP packets is supported in the Linux kernel and described in the IPIP Encapsulation section of the Net-3 HOWTO. Putting IPX through IP can be accomplished using a program called ipxtunnel that is described in the IPX Over IP section of the IPX HOWTO.
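IP-in-IP encapsulation as an added example that is not part of the original page and not the kernel's ipip code. It builds the outer IPv4 header (protocol number 4, the IANA value for IP-in-IP) around an inner IPv4 packet, computes the RFC 1071 header checksum, and strips the outer header again at the far end, verifying the checksum and, optionally, that the packet really came from the expected tunnel peer. The inner datagram and all addresses are constructed; the peer check is a plausibility filter only, since a plain IP source address can be forged, which is the point the text makes about encryption.

```python
"""IP-in-IP encapsulation and decapsulation.

Added example; not from the original page and not the kernel's ipip driver.
The inner UDP datagram and the tunnel endpoint addresses are constructed.
"""
import socket
import struct

IPPROTO_IPIP = 4            # IANA protocol number for IP-in-IP (RFC 2003)
IPV4_HDR_LEN = 20


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, IPV4_HDR_LEN + payload_len,
                      ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a complete IPv4 packet in an outer IPv4 packet to the tunnel peer."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes, expected_peer: str = None) -> bytes:
    """Validate the outer header and return the inner packet.

    With expected_peer set, packets whose outer source is not the configured
    tunnel endpoint are rejected.  This is only a plausibility check: the
    source address is forgeable, so it is no substitute for authentication.
    """
    if len(outer) < IPV4_HDR_LEN or outer[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (outer[0] & 0x0F) * 4
    if checksum(outer[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad outer header checksum")
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("not an IPIP packet")
    if expected_peer is not None and socket.inet_ntoa(outer[12:16]) != expected_peer:
        raise ValueError("outer source is not the tunnel peer")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return outer[ihl:total_len]


def parse_addrs(pkt: bytes):
    """(source, destination) of an IPv4 packet, as dotted quads."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


# Constructed inner packet: a 5-byte UDP payload between two private hosts.
UDP_PAYLOAD = b"hello"
INNER = (ipv4_header("10.1.0.5", "10.2.0.9", socket.IPPROTO_UDP, 8 + len(UDP_PAYLOAD))
         + struct.pack("!HHHH", 5000, 53, 8 + len(UDP_PAYLOAD), 0) + UDP_PAYLOAD)


if __name__ == "__main__":
    outer = encapsulate(INNER, "203.0.113.1", "198.51.100.2")
    print("outer:", parse_addrs(outer), "proto", outer[9], "len", len(outer))
    print("inner:", parse_addrs(decapsulate(outer, expected_peer="203.0.113.1")))
```

Note that the inner addresses travel in clear text right behind the outer header: anyone on the path sees both the private topology and the payload, which is why the previous paragraph recommends encryption for anything sensitive.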

Aliasing
Usually each network interface on a machine has a single IP address, and server programs running on the machine receive only packets destined for that address. Aliasing lets you assign several IP addresses to one network interface, so that a single machine can behave as though it were several machines. The Apache httpd server, for example, can tailor its response to the local address on which an HTTP request arrived, so that each of your machine's IP addresses looks like a separate server with its own web pages. Aliasing is briefly covered in the IP Aliasing section of the Net-3 HOWTO as well as in its own IP-Aliasing Mini-HOWTO. (Linux can currently handle 256 addresses per interface, which should only limit the most ambitious users of this feature.)


Generated 23 June 1998 by Brandon Craig Rhodes, who may be contacted at brandon@rhodesmill.org.