运维网工学习

7.4. The Netfilter Architecturepacket filtering engine in kernel 2.2 (skip history, adequately documented elsewhere) packet filtering engine as part of netfilter in kernel 2.4, backwar

5.2. Application Layer Protocols with Embedded Network InformationNetwork address translation is beautifully invisible when it works, but has adverse effects on some protocols. Some netw

Chapter 5. Network Address Translation (NAT)Table of Contents5.1. Rationale for and Introduction to NAT5.2. Application Layer Protocols with Embedded Network Information5.3. Stateles

4.10. ICMP and RoutingICMP is a very important part of the communication between hosts on IP networks. Used by routers and endpoints (clients and servers) ICMP communicates error conditi

2.3. ARP filteringThis section should be part of the "ghetto" which will include documentation on ip arp. Theres nothing more to add here at the moment (low priority).  #

2.2. Proxy ARPOccasionally, an IP network must be split into separate segments. Proxy ARP can be used for increased control over packets exchanged between two hosts or to limit exposur

7.3. General Packet Filter Requirementsminimum ICMP required to meet the networking needs; xref PMTU discussion source quench parameter problem inbound destination unreachable ou

Chapter 6. Masquerading and Source Network Address TranslationTable of Contents6.1. Concepts of Source NAT6.1.1. Differences Between SNAT and Masquerading6.1.2. Double SNAT/Masquerad

5.4. Stateless NAT and Packet FilteringBecause NAT rewrites the packet as it passes through the IP stack, packet filtering can become complex. With attentiveness to the addressing of the

4.7. Routing CacheThe routing cache is also known as the forwarding information base (FIB). This term may be familiar to users of other routing systems. The routing cache stores rece

4.5. Route Selection Crucial to the proper ability of hosts to exchange IP packets is the correct selection of a route to the destination. The rules for the selection of route path are

5.3. Stateless NAT with iproute2Stateless NAT, occasionally maligned as dumb NAT [31], is the simplest form of NAT. It involves rewriting addresses passing through a routing device: inbo

5.6. Port Address Translation (PAT) from UserspacePort address translation (hereafter PAT) provides a similar functionality to NAT, but is a more specific tool. PAT forwards requests for

7.2. Limits and Weaknesses of Packet FilteringAlthough the functionality offered by linux kernels for protecting network resources with packet filtering allows tremendously specific netw

7.1. Rationale for and Introduction to Packet FilteringPacket filtering refers to the technique of conditionally allowing or denying packets entering or exiting a network or host based o

Chapter 7. Packet FilteringTable of Contents7.1. Rationale for and Introduction to Packet Filtering7.1.1. History of Linux Packet Filter Support7.2. Limits and Weaknesses of Packet F

6.1. Concepts of Source NAT 6.1.1. Differences Between SNAT and MasqueradingThough SNAT and masquerading perform the same fundamental function, mapping one address spac

5.5. Destination NAT with netfilter (DNAT)Destination NAT with netfilter is commonly used to publish a service from an internal RFC 1918 network to a publicly accessible IP. To enable DN

4.8. Routing TablesLinux kernel 2.2 and 2.4 support multiple routing tables [22]. Beyond the two commonly used routing tables (the local and main routing tables), the kernel supports u

4.6. Source Address Selection The selection of the correct source address is key to correct communication between hosts with multiple IP addresses. If a host chooses an address from a

4.1. Introduction to Linux RoutingThe design of IP routing allows for very simple route definitions for small networks, while not hindering the flexibility of routing in complex environm

7.8. Further ResourcesThe use of linux packet filtering features is mature and well-documented in many places throughout the Internet. One of the most thorough introductions to the use o

7.6. Protecting a HostHost protection in the past was typically performed with application layer checks on the originating IP or hostname. This was (and still is) frequently accomplished

4.4. Operating as a RouterOperating as a router allows a linux machine to accept packets on one interface and transmit them on another. This is the nature of a router. The process of a

4.3. Sending Packets Through a Gateway By comparison to the total number of publicly accessible hosts on the Internet there is an almost insignificant number of hosts inside any locall

Chapter 4. IP RoutingTable of Contents4.1. Introduction to Linux Routing4.2. Routing to Locally Connected Networks4.3. Sending Packets Through a Gateway4.4. Operating as a Router4.5.

Chapter 1. Basic IP ConnectivityTable of Contents1.1. IP Networking Control Files1.2. Reading Routes and IP Information1.2.1. Sending Packets to the Local Network1.2.2. Sending Packe

Part 1. ConceptsTable of Contents1. Basic IP Connectivity1.1. IP Networking Control Files1.2. Reading Routes and IP Information1.2.1. Sending Packets to the Local Network1.2.2. Sendi

4. Technical Note and Summary of ApproachThere are many tools available under linux which are also available under other unix-like operating systems, but there are additional tools and

2. ConventionsThis text was written in DocBook with vim. All formatting has been applied by xsltproc based on DocBook and LDP XSL stylesheets. Typeface formatting and display conventions

I assume a few things about the reader. First, the reader has a basic understanding (at least) of IP addressing and networking. If this is not the case, or the reader has some trouble following my net

Table of ContentsIntroduction................................................................................................................................................iTarget Audience, Assumptio

Revision HistoryRevision 0.4.4 2003-04-26 Revised by: MABadded index, began packet filtering chapterRevision 0.4.3 2003-04-14 Revised by: MABongoing editing, ARP/NAT fixes, routing contentRevision 0.4

1.1. IP Networking Control FilesDifferent linux distribution vendors put their networking configuration files in different places in the filesystem. Here is a brief summary of the locati

5. Acknowledgements and Request for RemarksAs with many human endeavours, this work is made possible by the efforts of others. For me, this effort represents almost four years of learnin

3. Bugs and RoadmapPerhaps this should be called things that are wrong with this document, or things which should be improved. See the src/ROADMAP for notes on what is likely to be forth

1.2. Reading Routes and IP InformationAssuming an already configured machine named tristan, lets look at the IP addressing and routing table. Next well examine how the machine communic

1.3. Changing IP Addresses and RoutesThis section introduces changing the IP address on an interface, changing the default gateway, and adding and removing a static route. With the knowl

Chapter 3. BridgingTable of Contents3.1. Concepts of Bridging3.2. Bridging and Spanning Tree Protocol3.3. Bridging and Packet Filtering3.4. Traffic Control with a Bridge3.5. ebtables

2.4. Connecting to an Ethernet 802.1q VLAN Virtual LANs are a way to take a single switch and subdivide it into logical media segments. A single switch port in a VLAN-capable switch ca