10.4. Linux as a network appliance

10.4.1. Router

IP Routing is the process by which a host with multiple network connections decides where to deliver the IP datagrams that it has received.

While this is a fairly simple sentence, routing is a topic on which large volumes of text have been written. Most people have fairly simple routing requirements, but get mixed up easily enough. Detailed information can be found in the Linux Networking HOWTO. For now, remember that you need at least two network interfaces for building a router. While it is a sensible thing to install a firewall on every machine, hosts with only one network interface should never be configured as a router.

The Linux kernel has built-in support for routing functions. A Linux box can act either as an IP or IPX router for a fraction of the cost of a commercial router. Recent kernels include special options for machines acting primarily as routers, such as multi-casting and IP policy routing.

As with some other special functions, there is a project for running a Linux router off a floppy disk. More information may be found at the Linux router project homepage.

10.4.2. Bridge

An Ethernet bridge is a device that controls data packets within a subnet in an attempt to cut down the amount of traffic. A bridge is usually placed between two separate groups of computers that talk within themselves, but not so much with the computers in the other group. A good example of this is to consider a cluster of MacIntoshes and a cluster of UNIX machines. Both of these groups of machines tend to be quite chatty among themselves, and the traffic they produce on the network causes collisions for the other machines who are trying to speak to one another. A bridge would be placed between these groups of computers. The job of the bridge is then to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with less collisions.

The Linux kernel has built-in support for acting as an Ethernet bridge, which means that the different Ethernet segments it is connected to will appear as one Ethernet to the participants. Several bridges can work together to create even larger networks. Linux bridges will inter-operate properly with other third party bridge products. Additional packages allow filtering based on IP, IPX or MAC addresses.

Additional information can be found in the Linux Bridge+Firewall Mini-HOWTO or in the Bridging mini-HOWTO.

10.4.3. IP Masquerading and IP aliasing

With the appropriate modules loaded, the Linux kernel will act as the official connection point for hosts without an officially assigned IP address connecting to that machine, as with a workstation with the unresolvable IP address of This means cost reductions, since a lot of hosts may be connected to the Internet using a single connection. Since the masquerading machine will not accept direct connections for the machines with the unresolvable addresses, it also contributes to increase security.

Extended information can be found in the IP Masquerade HOWTO.

The IP aliasing feature of the Linux kernel provides the possibility of setting up multiple network addresses on the same network interface. This is typically used for services that behave differently based on the address they listen on (for example, virtual domains).

10.4.4. Firewall and IP accounting

A firewall is a device that protects a private network from the public part (the Internet as a whole). It is designed to control the flow of packets based on the source, destination, port and packet type information contained in each packet. In combination with the IP accounting features, the Linux kernel can perform packet logging. A series of rules may be defined to have the firewall take actions upon a pattern match, such as increasing a counter or accepting or rejecting the packet.

Different firewall toolkits exist for Linux as well as built-in support in the kernel. More information can be found in the Firewall and Proxy Server HOWTO.

10.4.5. Port forwarding

An increasing number of web sites are becoming interactive by having cgi-bins or Java applets that access some database or other service. Since this access may pose a security problem, the machine containing the database should not be directly connected to the Internet.

Port forwarding can provide an almost ideal solution to this access problem. On the firewall, IP packets that come in to a specific port number can be rewritten and forwarded to the internal server providing the actual service. The reply packets from the internal server are rewritten to make it appear that they came from the firewall.

10.4.6. Load balancing

Load balancing is achieved using the Network Address Translation features provided in the Linux kernel. Network administrators can replace a single server that provides things like Web services with a logical pool of servers sharing a common IP address. Incoming connections are directed to a particular server using one load-balancing algorithm. The virtual server rewrites incoming and outgoing packets to give clients the appearance that only one server exists.

The Apache webserver itself comes with several modules that allow distribution of requests among servers, for redundancy, increased availability and so on. One technique is the reverse proxy, which consists of having an Apache front-end server acting as a proxy for the back-end servers. Another method allows seamless redirection of HTTP requests from one server to another. This redirection can be used to target machines with under-utilized resources, thus providing fine-tuned, per-request balancing. Detailed documentation is on the Apache Web site.

10.4.7. Proxy

The term proxy means "to do something on behalf of someone else." In networking terms, a proxy server computer can act on the behalf of several clients. An HTTP proxy is a machine that receives requests for web pages from another machine (Machine A). The proxy gets the page requested and returns the result to Machine A. The proxy may have a cache containing the last n megabytes of requested pages, so if Machine B asks for the same page as Machine A, the copy in the cache will be returned instead. This allows efficient use of bandwidth resources and reduces response time. As a side effect, as client machines are not directly connected to the outside world this is a way of securing the internal network. A well-configured proxy can be as effective as a good firewall.

The two best known proxy server solutions for Linux are Squid and the Apache proxy module. More information is located at the Squid and Apache web sites.

10.4.8. Dial on demand

The purpose of dial on demand is to make it transparently appear that the users have a permanent connection to a remote site. Usually, there is a daemon who monitors the traffic of packets and where an interesting packet (interesting is defined usually by a set of rules/priorities/permissions) arrives it establishes a connection with the remote end. When the channel is idle for a certain period of time, it drops the connection.

Full information is in the Diald HOWTO.

10.4.9. Tunneling, mobile IP and VPNs

The Linux kernel allows the tunneling (encapsulation) of protocols. It can do IPX tunneling through IP, allowing the connection of two IPX networks through an IP-only link. It can also do IP-IP tunneling, which it is essential for mobile IP support, multi-cast support and amateur radio.

Mobile IP specifies enhancements that allow transparent routing of IP datagrams to mobile nodes in the Internet. Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a care-of address, which provides information about its current point of attachment to the Internet. The protocol provides for registering the care-of address with a home agent. The home agent sends datagrams destined for the mobile node through a tunnel to the care-of address. After arriving at the end of the tunnel, each datagram is then delivered to the mobile node.

Point-to-Point Tunneling Protocol (PPTP) is a networking technology that allows the use of the Internet as a secure virtual private network (VPN). PPTP is integrated with the Remote Access Services (RAS) server which is built into Windows NT Server. With PPTP, users can dial into a local ISP or connect directly to the Internet, and access their network as if they were at their desks. PPTP is a closed protocol and its security has recently been compromised. It is highly recommended that you use other Linux based alternatives, since they rely on open standards which have been carefully examined and tested.

Detailed information can be found at the PPTP Client Project homepage, in the Linux HAM HOWTO and in the VPN HOWTO.

10.4.10. Network management station

There is a huge amount of tools available for network management, remote administration, monitoring, traffic analysis, security, backup and so forth. An archive of the most important tools is kept at Metalab. Your local provider probably also has a mirror of one of the many sites providing Free/Open Source software.

Most Linux distributions support SNMP, the Simple Network Management Protocol. Here, too, a lot of applications are available. More information can be found on the Linux SNMP Network Management Tools site.