This chapter contains categorized links to further reading and reference materials on many topics in the linux and networking arenas, along with a number of links to software.
The best first place to go (if you can't find any help on this page) is to visit the comprehensive TLDP archive of networking-related documentation. Here you will find a breakdown of the available documentation, organized in a sensible way.
The Linux Network Administrator's Guide covers some of the same material as this guide. It additionally covers UUCP, SLIP, PPP, NIS, NFS, IPX, email administration, and NNTP. It is an excellent general reference.
The Networking HOWTO provides a good overview of most of the networking protocols and link layer devices supported under linux, though it covers primarily the 2.0 and 2.2 kernels.
Here's one step-by-step tutorial (among many) which shows how to configure a linux machine as a router/firewall. A brief summary rather than a thorough explanation, it instructs well by example.
Linux has been adopted widely as a platform on which to build network security devices as a result of its feature set. Here, you'll find links to network security documentation.
The Security HOWTO introduces many of the topics that touch on securing a linux machine, including many network security topics.
The Security Quickstart HOWTO is for the impatient.
FIXME
FIXME
There are a number of resources available covering a large range of IP networking topics. I have selected a few here, but there are many other sources of this information, both in dead-tree form and on the Internet.
One of the key reference materials for any IP networking shop is the seminal work by the late W. Richard Stevens. Three volumes catalog the architecture of IP networking and higher layer protocols.
Here is a good introduction to Classless Inter-Domain Routing (CIDR). CIDR is a technique employed since the mid 1990s to slow the growth of the Internet's routing tables: contiguous networks are advertised as a single prefix, without regard to the old class A/B/C boundaries, so core routers carry fewer routes. A beneficial side effect is the simplicity of the CIDR prefix-length notation. For a CIDR address reference, RFC 1878 (the variable length subnet table for IPv4) has proven invaluable to me.
Some general IP subnetting and other Internetworking questions are answered at SubnetOnline. At Cisco's site, you can find a good introduction to subnetting an IP space. Another one-page tutorial introduction to subnetting and CIDR networking is available here. And don't forget the IP subnetting mini-HOWTO from TLDP.
The Internet Assigned Numbers Authority (IANA) has set aside a number of IP networks for discretionary use in private networks. RFC 1918 lists the address ranges available for private use: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Additionally, IANA maintains a registry identifying the delegate of each class A sized (/8) network address range. See also RFC 3330, which catalogs these and the other special-use IPv4 address blocks.
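As an added example that is not part of the original guide, the following Python (standard library only) works through the subnet arithmetic from the CIDR and RFC 1918 material above: it describes a prefix, classifies an address as private or special-use the way a border filter must, and aggregates contiguous prefixes into one announcement, which is the whole point of CIDR. The sample prefixes and addresses are constructed.

```python
"""Added example (not from the original guide): CIDR arithmetic, RFC 1918
classification and route aggregation with Python's standard ipaddress module."""
import ipaddress

# The three private-use blocks listed in RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def describe(cidr):
    """The subnet facts an administrator usually wants for a prefix in CIDR notation.
    strict=False accepts a host address such as 192.168.1.77/26 and finds its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        usable = net.num_addresses      # /31 point-to-point (RFC 3021) and /32 host routes
    else:
        usable = net.num_addresses - 2  # network and broadcast addresses are not assignable
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def is_rfc1918(address):
    """True if the address falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in RFC1918_BLOCKS)


def classify(address):
    """Label an address the way an ingress filter on a border router must:
    RFC 1918 and other special-use ranges should never arrive from the Internet."""
    ip = ipaddress.ip_address(address)
    if is_rfc1918(address):
        return "rfc1918-private"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_global:
        return "global"
    return "special-use"  # e.g. the TEST-NET and other blocks catalogued in RFC 3330


def aggregate(prefixes):
    """Collapse prefixes into the fewest covering CIDR routes. This is what CIDR
    buys: a site holding 192.168.0.0/24 through 192.168.3.0/24 announces a single
    /22 upstream instead of four separate /24s."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed inputs for a quick look.
    print(describe("192.168.1.77/26"))
    for a in ("10.1.2.3", "172.32.0.1", "8.8.8.8", "192.0.2.1"):
        print(a, "->", classify(a))
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24",
                     "192.168.2.0/24", "192.168.3.0/24"]))
```

Note that 172.32.0.1 is not private: the RFC 1918 block is 172.16.0.0/12, which ends at 172.31.255.255, a boundary that classful thinking gets wrong surprisingly often.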
Address Resolution Protocol (ARP) provides the glue between Ethernet link layer addresses (hardware addresses) and IP addresses. This page is a good introduction to ARP.
As discussed in Section 10.1, “MTU, MSS, and ICMP”, MSS and MTU are key matters for IP communication. Path MTU discovery, specified in RFC 1191, makes the most efficient use of network resources by detecting the smallest MTU on the path between two endpoints and sizing packets accordingly. It depends on the ICMP "fragmentation needed" messages (type 3, code 4) from intermediate routers reaching the sender, so it breaks when ICMP is assiduously filtered: large packets simply vanish. Visit this discussion or this page on MTU and MSS, and of course LARTC's discussion and solution (clamping the TCP MSS so segments fit the path regardless). For more on the general issue of ICMP and what is required see also this SANS discussion. At a Usenix conference in late 2002, the issue of MTU and MSS prompted the MSS Initiative. Because this is a widely misunderstood issue, the TCP problems it causes are even catalogued in an RFC, RFC 2923.
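To make the failure mode concrete, here is an added example (not from the original guide, nor from LARTC) that simulates RFC 1191 Path MTU discovery over a constructed path, once with ICMP flowing and once with it filtered, and computes the MSS value that the LARTC clamping workaround would install. The hop names and MTU values are constructed; the 1492-byte PPPoE uplink is the classic case.

```python
"""Added example (not from the original guide): simulate Path MTU discovery
(RFC 1191) over a constructed path to show the black hole that appears when
ICMP "fragmentation needed" messages are filtered, and compute the MSS that
the LARTC clamping workaround would write into TCP SYN options."""
from dataclasses import dataclass

IPV4_HEADER = 20   # minimum IPv4 header, no options
IPV6_HEADER = 40
TCP_HEADER = 20    # minimum TCP header, no options


@dataclass
class Hop:
    name: str
    mtu: int


def send_df_packet(path, size, icmp_filtered=False):
    """Forward a Don't-Fragment packet hop by hop.

    Returns ("delivered", None); ("frag_needed", next_hop_mtu) for the ICMP
    type 3 code 4 message the router generates; or ("blackhole", None) when a
    filter drops that message and the sender learns nothing at all."""
    for hop in path:
        if size > hop.mtu:
            if icmp_filtered:
                return "blackhole", None
            return "frag_needed", hop.mtu
    return "delivered", None


def discover_path_mtu(path, initial_mtu, icmp_filtered=False, max_rounds=16):
    """Probe with the largest size allowed so far and shrink on each ICMP report.
    Returns the working path MTU, or None if large packets silently vanish."""
    mtu = initial_mtu
    for _ in range(max_rounds):
        result, next_hop_mtu = send_df_packet(path, mtu, icmp_filtered)
        if result == "delivered":
            return mtu
        if result == "blackhole":
            return None
        mtu = next_hop_mtu  # RFC 1191: adopt the MTU the router reported
    return None


def clamp_mss(path_mtu, ipv6=False):
    """Largest TCP MSS whose full segment still fits path_mtu; this is the value
    iptables -j TCPMSS --clamp-mss-to-pmtu (the LARTC solution) installs."""
    return path_mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def segment_survives(path, mss):
    """Does a full-sized IPv4 segment with this MSS cross the path with DF set?
    With ICMP filtered the sender would never learn why a too-large one did not."""
    result, _ = send_df_packet(path, mss + IPV4_HEADER + TCP_HEADER)
    return result == "delivered"


# Constructed path: Ethernet LAN, a PPPoE uplink (8 bytes of PPPoE overhead
# leave 1492), then an Ethernet-sized core.
PATH = [Hop("lan", 1500), Hop("pppoe-uplink", 1492), Hop("core", 1500)]

if __name__ == "__main__":
    print("PMTU with ICMP allowed  :", discover_path_mtu(PATH, 1500))
    print("PMTU with ICMP filtered :", discover_path_mtu(PATH, 1500, icmp_filtered=True))
    mss = clamp_mss(1492)
    print("clamped MSS for MTU 1492:", mss)
    print("MSS 1460 segment survives:", segment_survives(PATH, 1460))
    print("clamped segment survives :", segment_survives(PATH, mss))
```

The clamp works because the MSS is negotiated in the SYN exchange itself, before any full-sized segment is sent, so neither endpoint ever needs the ICMP feedback that a filter might be eating.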
The Linux Documentation Project keeps a clear and up to date reference on IP masquerading which thoroughly covers the issues involved with masquerading.
If you have a 2.4 kernel and are using iptables, you should read Rusty Russell's documentation on NAT with netfilter.
The command reference for the iproute2 tools provides sparse documentation of the NAT features, but has an appendix which covers the key questions with regard to iproute2 NAT.
SuSE hosts Michael Hasenstein's paper on NAT, an excellent technical overview of the case for NAT.
Linas Vepstas has collected a number of links to projects and implementations relying heavily on NAT techniques.
Timur A. Bolokhov has written a good (though dated) introduction to the policy routing features of iproute2 (supported by kernels 2.1 and later).
Mark Lamb hosts a good technical overview of both the iproute2 and tc packages.
If your copy of iproute2 did not get packaged with ip-cref.ps, or if you prefer online HTML, the command reference is available in toto as HTML at linux-ip.net, www.linuxgrill.com, or snafu.freedom.org.
Julian Anastasov has been working on many aspects of traffic control and advanced routing with the iproute2 package. He has provided a large number of patches to iproute2 and some documentation for the Linux Virtual Server (LVS), in addition to a great deal of code for LVS. See his main site for both patches and documentation.
The Linux Advanced Routing and Traffic Control site provides a wealth of expertise for complex networking configurations. I also recommend the LARTC mailing list and archive.
A brief article distilled from Matthew Marsh's Policy Routing with Linux book introduces the concepts of policy routing under linux quite admirably. For a fifteen minute overview of policy routing under linux, read this article.
See this brief article describing the advanced networking features of linux.
Visit Oskar Andreasson's iptables tutorial for examples, overview, details, and full documentation of iptables.
The netfilter site provides a wealth of tutorials, examples, documentation, and a mailing list. Of particular interest is the documentation section.
See this brief introduction to packet filtering with iptables.
Here is a brief summary of the format of the logging output from the netfilter engine.
Documentation for ipchains is available courtesy of the author, Rusty Russell. A mirror of the ipchains HOWTO is available at TLDP.
Here is a brief summary of the ipchains logging output from the kernel.
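As an added example serving both the netfilter logging summary above and this ipchains one (it is not code from the original guide, the netfilter project, or ipchains), the following Python parses both log formats into a common record and runs a simple SYN-scan detector over them. The sample lines are constructed for the example; a real system would only ever produce one of the two formats, and the timestamp and hostname prefixes are syslog's.

```python
"""Added example, not part of the original guide: a parser for the kernel's
packet-filter log lines in both the netfilter (iptables LOG target) and
ipchains ("Packet log:") formats, plus a small SYN-scan detector run over
constructed sample lines."""
import re
from collections import defaultdict

PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# ipchains: "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<spt> <dst>:<dpt>
#            L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)"
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<spt>\d+) (?P<dst>[\d.]+):(?P<dpt>\d+) L=(?P<len>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)


def parse_ipchains(line):
    """Parse one ipchains log line into a normalized record, or None."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    flags = set(d["flags"].split())
    return {
        "engine": "ipchains", "prefix": f'{d["chain"]} {d["target"]}', "iface": d["iface"],
        "src": d["src"], "dst": d["dst"], "proto": PROTO_NAMES.get(d["proto"], d["proto"]),
        "spt": int(d["spt"]), "dpt": int(d["dpt"]), "len": int(d["len"]), "ttl": int(d["ttl"]),
        "syn": "SYN" in flags, "ack": "ACK" in flags, "df": False, "rule": int(d["rule"]),
    }


def parse_netfilter(line):
    """Parse one iptables LOG line: KEY=VALUE tokens plus bare flag words
    (DF, SYN, ACK, FIN, RST, PSH, URG). Text between 'kernel:' and IN= is the --log-prefix."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    head, body = line[:idx], line[idx:]
    kern = head.rfind("kernel:")
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)
    return {
        "engine": "iptables",
        "prefix": (head[kern + 7:] if kern >= 0 else head).strip(),
        "iface": fields.get("IN") or fields.get("OUT", ""),
        "src": fields["SRC"], "dst": fields["DST"], "proto": fields.get("PROTO", "?"),
        "spt": int(fields.get("SPT", 0)), "dpt": int(fields.get("DPT", 0)),
        "len": int(fields["LEN"]), "ttl": int(fields["TTL"]),
        "syn": "SYN" in flags, "ack": "ACK" in flags, "df": "DF" in flags,
    }


def parse_log(text):
    """Dispatch each line to the right parser and drop anything unrecognised."""
    records = []
    for line in text.splitlines():
        rec = parse_ipchains(line) if "Packet log:" in line else parse_netfilter(line)
        if rec:
            records.append(rec)
    return records


def syn_scan_sources(records, min_ports=3):
    """Sources whose logged bare-SYN packets touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["syn"] and not r["ack"]:
            ports[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample lines (documentation addresses only).
SAMPLE_LOG = """\
Jul 14 03:21:10 gw kernel: DROP-INPUT: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 14 03:21:10 gw kernel: DROP-INPUT: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 14 03:21:11 gw kernel: DROP-INPUT: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41236 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 14 03:21:12 gw kernel: DROP-INPUT: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2001 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul 14 03:21:13 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:41237 192.0.2.10:80 L=60 S=0x00 I=0 F=0x4000 T=51 SYN (#3)
Jul 14 03:21:14 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:1025 192.0.2.10:53 L=70 S=0x00 I=0 F=0x0000 T=64 (#5)
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["engine"], r["prefix"], r["proto"], r["src"], "->", r["dst"], r["dpt"])
    print("possible SYN scans:", syn_scan_sources(recs))
```

The useful design point is that both parsers emit the same record shape, so detection logic written against it keeps working across the ipchains to iptables migration the surrounding sections describe.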
Along with a huge pile of other linux-related traffic control and packet filtering documentation, there is a postscript reference card for ipchains at snafu.freedom.org.
Not covered in this documentation, ipfwadm is supported in the linux 2.2 and 2.4 kernels only through backward-compatible interfaces to those kernels' own packet filtering architectures. Read more on ipfwadm here.
To learn how to query the kernel's iptables directly, you need this programming reference.
For a description of the path a frame on the wire takes through the kernel from the Ethernet through to the upper layers, Harald Welte's brief proves instructive.
If you are only interested in the path an IP packet takes through the netfilter (ipchains or iptables), routing and ingress/egress QoS code, refer to Stef Coene's excellent ASCII representation, the kernel 2.4 packet traveling diagram.
Oskar Andreasson (of iptables tutorial fame) has written an IP sysctl tutorial which covers the different /proc filesystem entries (kernel 2.4 only).
Your linux box can function as a bridge, and two boxen connected to the same hubs can use Spanning Tree Protocol (STP) to protect against failure of one or the other. See the Bridge HOWTO.
For a brief article on using a linux bridge as a firewall see David Whitmarsh's introduction to the topic.
There's some fledgling documentation of the bridging code in kernel 2.4 (and 2.2) available, especially in conjunction with netfilter here.
Consider also ebtables, named by analogy to iptables. If you are bridging at all, or using ebtables at all, you'll want to know about the interaction between bridging and iptables, so visit the bridge and Netfilter HOWTO.
The Linux Advanced Routing and Traffic Control website is the first place to go for any traffic control (and advanced routing) documentation. I also recommend the LARTC mailing list and archive.
Stef Coene has written prodigiously on traffic control under linux. His site contains practical guidance on traffic control and bandwidth shaping matters.
There is an ADSL Bandwidth Management HOWTO on TLDP.
Michael Babcock has a page discussing QoS on linux. This is a good introduction, though a bit dated (it seems to discuss only kernel 2.2).
Leonardo Balliache has published a brief comparative overview of the available QoS offerings.
Sally Floyd is apparently one of the leading researchers in the use of QoS on the Internet. See her work as a researcher at icir.org.
Another major research center for QoS under linux is the University of Kansas. For some very technical material on QoS under linux, see their main page. Here you will find some documentation of the tools available to those programming for QoS implementations under linux.
An implementation of DiffServ is underway under linux. DiffServ is the simpler, per-class alternative to the per-flow reservations of IntServ. There are also the old DiffServ archive and the current archive.
A dated multicast routing mini-HOWTO provides the best introduction to multicast routing under linux.
The smcroute utility provides a command line interface to manipulate the multicast routing tables via a method other than mrouted.
The sysctl utility is a convenient tool for manipulating kernel parameters. Combined with /etc/sysctl.conf, this utility allows an administrator to alter or tune kernel parameters in a convenient fashion, with settings that persist across a reboot. See this brief RedHat page on the use of sysctl. See also Oskar Andreasson's IP Sysctl Tutorial for a detailed examination of the parameters and their effect on system operation.
For users who need to provide a standards compliant VPN solution, FreeS/WAN can be part of a good interoperable solution. There are, however, issues with using FreeS/WAN on linux as a VPN solution. John Denker (appropriate last name) has grappled with the issue of IPSec and routing and has suggested the following workaround. Here's a summary of one network admin's perspective on some of the issues related to FreeS/WAN, roving users and network administration for VPN users. Note! The 2.5.x development kernel contains a native IPSec implementation. This means that by the release of 2.6.x, linux may support IPSec out of the box.
Explicit Congestion Notification (ECN) is supported under linux kernel 2.4 and is toggled with a sysctl entry (net.ipv4.tcp_ecn).
The 2.2 and 2.4 series support bonding of interfaces, which allows both link aggregation (IEEE 802.3ad) and failover use of Ethernet interfaces. The canonical source for documentation about bonding is Documentation/networking/bonding.txt in the kernel source distribution.
If you are looking for virtual router redundancy protocol (VRRP) support under linux, there are several fledgling options. The reference implementation is (according to LARTC scuttlebutt) mostly a proof of concept endeavor. At least one other implementation is available for linux, and this one has the reputation of being more practical: keepalived.
If you want your linux box to support 802.1q VLAN tagging, you should read up on Ben Greear's site.
Don't forget the value of looking for the answer to your question in the linux-net mailing list archive.
Linux Journal has published a two part article by Gianluca Insolvibile describing the path a packet takes through the kernel. Part I covers the input of the packet until just before layer 4 processing. Part II covers higher layer packet handling, including a simple diagram of the kernel's decisions for each IP packet.
This PDF from the linux-kongress introduces some plans for MPLS and RSVP support under linux. (There are also many other interesting papers available here.) Another (the same?) MPLS implementation is available from SourceForge.
A clearly written but probably quite dated introduction in English to the kernel networking code was written by David Rusling. (An update/replacement to this is under development by David Rusling, although no URL is available.)