Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Linux Advanced Routing & Traffic Control HOWTO

Linux Advanced Routing & Traffic Control HOWTO

Bert Hubert

Gregory Maxwell
Remco van Mook
Martijn van Oosterhout
Paul B Schroeder
Jasper Spaans

A very hands-on approach to iproute2, traffic shaping and a bit of netfilter.

Table of Contents
1. Dedication
2. Introduction
2.1. Disclaimer & License
2.2. Prior knowledge
2.3. What Linux can do for you
2.4. Housekeeping notes
2.5. Access, CVS & submitting updates
2.6. Mailing list
2.7. Layout of this document
3. Introduction to iproute2
3.1. Why iproute2?
3.2. iproute2 tour
3.3. Prerequisites
3.4. Exploring your current configuration
3.4.1. ip shows us our links
3.4.2. ip shows us our IP addresses
3.4.3. ip shows us our routes
3.5. ARP
4. Rules - routing policy database
4.1. Simple source policy routing
4.2. Routing for multiple uplinks/providers
4.2.1. Split access
4.2.2. Load balancing
5. GRE and other tunnels
5.1. A few general remarks about tunnels:
5.2. IP in IP tunneling
5.3. GRE tunneling
5.3.1. IPv4 Tunneling
5.3.2. IPv6 Tunneling
5.4. Userland tunnels
6. IPv6 tunneling with Cisco and/or 6bone
6.1. IPv6 Tunneling
7. IPsec: secure IP over the Internet
8. Multicast routing
9. Queueing Disciplines for Bandwidth Management
9.1. Queues and Queueing Disciplines explained
9.2. Simple, classless Queueing Disciplines
9.2.1. pfifo_fast
9.2.2. Token Bucket Filter
9.2.3. Stochastic Fairness Queueing
9.3. Advice for when to use which queue
9.4. Terminology
9.5. Classful Queueing Disciplines
9.5.1. Flow within classful qdiscs & classes
9.5.2. The qdisc family: roots, handles, siblings and parents
9.5.3. The PRIO qdisc
9.5.4. The famous CBQ qdisc
9.5.5. Hierarchical Token Bucket
9.6. Classifying packets with filters
9.6.1. Some simple filtering examples
9.6.2. All the filtering commands you will normally need
9.7. The Intermediate queueing device (IMQ)
9.7.1. Sample configuration
10. Load sharing over multiple interfaces
10.1. Caveats
10.2. Other possibilities
11. Netfilter & iproute - marking packets
12. Advanced filters for (re-)classifying packets
12.1. The u32 classifier
12.1.1. U32 selector
12.1.2. General selectors
12.1.3. Specific selectors
12.2. The route classifier
12.3. Policing filters
12.3.1. Ways to police
12.3.2. Overlimit actions
12.3.3. Examples
12.4. Hashing filters for very fast massive filtering
13. Kernel network parameters
13.1. Reverse Path Filtering
13.2. Obscure settings
13.2.1. Generic ipv4
13.2.2. Per device settings
13.2.3. Neighbor policy
13.2.4. Routing settings
14. Advanced & less common queueing disciplines
14.1. bfifo/pfifo
14.1.1. Parameters & usage
14.2. Clark-Shenker-Zhang algorithm (CSZ)
14.3. DSMARK
14.3.1. Introduction
14.3.2. What is Dsmark related to?
14.3.3. Differentiated Services guidelines
14.3.4. Working with Dsmark
14.3.5. How SCH_DSMARK works.
14.3.6. TC_INDEX Filter
14.4. Ingress qdisc
14.4.1. Parameters & usage
14.5. Random Early Detection (RED)
14.6. Generic Random Early Detection
14.7. VC/ATM emulation
14.8. Weighted Round Robin (WRR)
15. Cookbook
15.1. Running multiple sites with different SLAs
15.2. Protecting your host from SYN floods
15.3. Rate limit ICMP to prevent dDoS
15.4. Prioritizing interactive traffic
15.5. Transparent web-caching using netfilter, iproute2, ipchains and squid
15.5.1. Traffic flow diagram after implementation
15.6. Circumventing Path MTU Discovery issues with per route MTU settings
15.6.1. Solution
15.7. Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)
15.8. The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads
15.8.1. Why it doesn't work well by default
15.8.2. The actual script (CBQ)
15.8.3. The actual script (HTB)
15.9. Rate limiting a single host or netmask
16. Building bridges, and pseudo-bridges with Proxy ARP
16.1. State of bridging and iptables
16.2. Bridging and shaping
16.3. Pseudo-bridges with Proxy-ARP
16.3.1. ARP & Proxy-ARP
16.3.2. Implementing it
17. Dynamic routing - OSPF and BGP
18. Other possibilities
19. Further reading
20. Acknowledgements


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.