You are previewing Linux Networking Cookbook.

Linux Networking Cookbook

Cover of Linux Networking Cookbook by Carla Schroder Published by O'Reilly Media, Inc.
  1. Dedication
  2. Special Upgrade Offer
  3. A Note Regarding Supplemental Files
  4. Preface
    1. Audience
    2. Contents of This Book
    3. What Is Included
    4. Which Linux Distributions Are Used in the Book
    5. Downloads and Feedback
    6. Conventions
    7. Using Code Examples
    8. Comments and Questions
    9. Safari® Books Online
    10. Acknowledgments
  5. 1. Introduction to Linux Networking
    1. 1.0. Introduction
  6. 2. Building a Linux Gateway on a Single-Board Computer
    1. 2.0. Introduction
    2. 2.1. Getting Acquainted with the Soekris 4521
    3. 2.2. Configuring Multiple Minicom Profiles
    4. 2.3. Installing Pyramid Linux on a Compact Flash Card
    5. 2.4. Network Installation of Pyramid on Debian
    6. 2.5. Network Installation of Pyramid on Fedora
    7. 2.6. Booting Pyramid Linux
    8. 2.7. Finding and Editing Pyramid Files
    9. 2.8. Hardening Pyramid
    10. 2.9. Getting and Installing the Latest Pyramid Build
    11. 2.10. Adding Additional Software to Pyramid Linux
    12. 2.11. Adding New Hardware Drivers
    13. 2.12. Customizing the Pyramid Kernel
    14. 2.13. Updating the Soekris comBIOS
  7. 3. Building a Linux Firewall
    1. 3.0. Introduction
    2. 3.1. Assembling a Linux Firewall Box Problem
    3. 3.2. Configuring Network Interface Cards on Debian
    4. 3.3. Configuring Network Interface Cards on Fedora
    5. 3.4. Identifying Which NIC Is Which
    6. 3.5. Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
    7. 3.6. Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
    8. 3.7. Displaying the Status of Your Firewall
    9. 3.8. Turning an iptables Firewall Off
    10. 3.9. Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
    11. 3.10. Testing Your Firewall
    12. 3.11. Configuring the Firewall for Remote SSH Administration
    13. 3.12. Allowing Remote SSH Through a NAT Firewall
    14. 3.13. Getting Multiple SSH Host Keys Past NAT
    15. 3.14. Running Public Services on Private IP Addresses
    16. 3.15. Setting Up a Single-Host Firewall
    17. 3.16. Setting Up a Server Firewall
    18. 3.17. Configuring iptables Logging
    19. 3.18. Writing Egress Rules
  8. 4. Building a Linux Wireless Access Point
    1. 4.0. Introduction
    2. 4.1. Building a Linux Wireless Access Point
    3. 4.2. Bridging Wireless to Wired
    4. 4.3. Setting Up Name Services
    5. 4.4. Setting Static IP Addresses from the DHCP Server
    6. 4.5. Configuring Linux and Windows Static DHCP Clients
    7. 4.6. Adding Mail Servers to dnsmasq
    8. 4.7. Making WPA2-Personal Almost As Good As WPA-Enterprise
    9. 4.8. Enterprise Authentication with a RADIUS Server
    10. 4.9. Configuring Your Wireless Access Point to Use FreeRADIUS
    11. 4.10. Authenticating Clients to FreeRADIUS
    12. 4.11. Connecting to the Internet and Firewalling
    13. 4.12. Using Routing Instead of Bridging
    14. 4.13. Probing Your Wireless Interface Card
    15. 4.14. Changing the Pyramid Router’s Hostname
    16. 4.15. Turning Off Antenna Diversity
    17. 4.16. Managing dnsmasq’s DNS Cache
    18. 4.17. Managing Windows’ DNS Caches
    19. 4.18. Updating the Time at Boot
  9. 5. Building a VoIP Server with Asterisk
    1. 5.0. Introduction
    2. 5.1. Installing Asterisk from Source Code
    3. 5.2. Installing Asterisk on Debian
    4. 5.3. Starting and Stopping Asterisk
    5. 5.4. Testing the Asterisk Server
    6. 5.5. Adding Phone Extensions to Asterisk and Making Calls
    7. 5.6. Setting Up Softphones
    8. 5.7. Getting Real VoIP with Free World Dialup
    9. 5.8. Connecting Your Asterisk PBX to Analog Phone Lines
    10. 5.9. Creating a Digital Receptionist
    11. 5.10. Recording Custom Prompts
    12. 5.11. Maintaining a Message of the Day
    13. 5.12. Transferring Calls
    14. 5.13. Routing Calls to Groups of Phones
    15. 5.14. Parking Calls
    16. 5.15. Customizing Hold Music
    17. 5.16. Playing MP3 Sound Files on Asterisk
    18. 5.17. Delivering Voicemail Broadcasts
    19. 5.18. Conferencing with Asterisk
    20. 5.19. Monitoring Conferences
    21. 5.20. Getting SIP Traffic Through iptables NAT Firewalls
    22. 5.21. Getting IAX Traffic Through iptables NAT Firewalls
    23. 5.22. Using AsteriskNOW, “Asterisk in 30 Minutes”
    24. 5.23. Installing and Removing Packages on AsteriskNOW
    25. 5.24. Connecting Road Warriors and Remote Users
  10. 6. Routing with Linux
    1. 6.0. Introduction
    2. 6.1. Calculating Subnets with ipcalc
    3. 6.2. Setting a Default Gateway
    4. 6.3. Setting Up a Simple Local Router
    5. 6.4. Configuring Simplest Internet Connection Sharing
    6. 6.5. Configuring Static Routing Across Subnets
    7. 6.6. Making Static Routes Persistent
    8. 6.7. Using RIP Dynamic Routing on Debian
    9. 6.8. Using RIP Dynamic Routing on Fedora
    10. 6.9. Using Quagga’s Command Line
    11. 6.10. Logging In to Quagga Daemons Remotely
    12. 6.11. Running Quagga Daemons from the Command Line
    13. 6.12. Monitoring RIPD
    14. 6.13. Blackholing Routes with Zebra
    15. 6.14. Using OSPF for Simple Dynamic Routing
    16. 6.15. Adding a Bit of Security to RIP and OSPF
    17. 6.16. Monitoring OSPFD
  11. 7. Secure Remote Administration with SSH
    1. 7.0. Introduction
    2. 7.1. Starting and Stopping OpenSSH
    3. 7.2. Creating Strong Passphrases
    4. 7.3. Setting Up Host Keys for Simplest Authentication
    5. 7.4. Generating and Copying SSH Keys
    6. 7.5. Using Public-Key Authentication to Protect System Passwords
    7. 7.6. Managing Multiple Identity Keys
    8. 7.7. Hardening OpenSSH
    9. 7.8. Changing a Passphrase
    10. 7.9. Retrieving a Key Fingerprint
    11. 7.10. Checking Configuration Syntax
    12. 7.11. Using OpenSSH Client Configuration Files for Easier Logins
    13. 7.12. Tunneling X Windows Securely over SSH
    14. 7.13. Executing Commands Without Opening a Remote Shell
    15. 7.14. Using Comments to Label Keys
    16. 7.15. Using DenyHosts to Foil SSH Attacks
    17. 7.16. Creating a DenyHosts Startup File
    18. 7.17. Mounting Entire Remote Filesystems with sshfs
  12. 8. Using Cross-Platform Remote Graphical Desktops
    1. 8.0. Introduction
    2. 8.1. Connecting Linux to Windows via rdesktop
    3. 8.2. Generating and Managing FreeNX SSH Keys
    4. 8.3. Using FreeNX to Run Linux from Windows
    5. 8.4. Using FreeNX to Run Linux from Solaris, Mac OS X, or Linux
    6. 8.5. Managing FreeNX Users
    7. 8.6. Watching Nxclient Users from the FreeNX Server
    8. 8.7. Starting and Stopping the FreeNX Serve
    9. 8.8. Configuring a Custom Desktop
    10. 8.9. Creating Additional Nxclient Sessions
    11. 8.10. Enabling File and Printer Sharing, and Multimedia in Nxclient
    12. 8.11. Preventing Password-Saving in Nxclient
    13. 8.12. Troubleshooting FreeNX
    14. 8.13. Using VNC to Control Windows from Linux
    15. 8.14. Using VNC to Control Windows and Linux at the Same Time
    16. 8.15. Using VNC for Remote Linux -to-Linux Administration
    17. 8.16. Displaying the Same Windows Desktop to Multiple Remote Users
    18. 8.17. Changing the Linux VNC Server Password
    19. 8.18. Customizing the Remote VNC Desktop
    20. 8.19. Setting the Remote VNC Desktop Size
    21. 8.20. Connecting VNC to an Existing X Session
    22. 8.21. Securely Tunneling x11vnc over SSH
    23. 8.22. Tunneling TightVNC Between Linux and Windows
  13. 9. Building Secure Cross-Platform Virtual Private Networks with OpenVPN
    1. 9.0. Introduction
    2. 9.1. Setting Up a Safe OpenVPN Test Lab
    3. 9.2. Starting and Testing OpenVPN
    4. 9.3. Testing Encryption with Static Keys
    5. 9.4. Connecting a Remote Linux Client Using Static Keys
    6. 9.5. Creating Your Own PKI for OpenVPN
    7. 9.6. Configuring the OpenVPN Server for Multiple Clients
    8. 9.7. Configuring OpenVPN to Start at Boot
    9. 9.8. Revoking Certificates
    10. 9.9. Setting Up the OpenVPN Server in Bridge Mode
    11. 9.10. Running OpenVPN As a Nonprivileged User
    12. 9.11. Connecting Windows Clients
  14. 10. Building a Linux PPTP VPN Server
    1. 10.0. Introduction
    2. 10.1. Installing Poptop on Debian Linux
    3. 10.2. Patching the Debian Kernel for MPPE Support
    4. 10.3. Installing Poptop on Fedora Linux
    5. 10.4. Patching the Fedora Kernel for MPPE Support
    6. 10.5. Setting Up a Standalone PPTP VPN Server
    7. 10.6. Adding Your Poptop Server to Active Directory
    8. 10.7. Connecting Linux Clients to a PPTP Server
    9. 10.8. Getting PPTP Through an iptables Firewall
    10. 10.9. Monitoring Your PPTP Server
    11. 10.10. Troubleshooting PPTP
  15. 11. Single Sign-on with Samba for Mixed Linux/Windows LANs
    1. 11.0. Introduction
    2. 11.1. Verifying That All the Pieces Are in Place
    3. 11.2. Compiling Samba from Source Code
    4. 11.3. Starting and Stopping Samba
    5. 11.4. Using Samba As a Primary Domain Controller
    6. 11.5. Migrating to a Samba Primary Domain Controller from an NT4 PDC
    7. 11.6. Joining Linux to an Active Directory Domain
    8. 11.7. Connecting Windows 95/98/ME to a Samba Domain
    9. 11.8. Connecting Windows NT4 to a Samba Domain
    10. 11.9. Connecting Windows NT/2000 to a Samba Domain
    11. 11.10. Connecting Windows XP to a Samba Domain
    12. 11.11. Connecting Linux Clients to a Samba Domain with Command-Line Programs
    13. 11.12. Connecting Linux Clients to a Samba Domain with Graphical Programs
  16. 12. Centralized Network Directory with OpenLDAP
    1. 12.0. Introduction
    2. 12.1. Installing OpenLDAP on Debian
    3. 12.2. Installing OpenLDAP on Fedora
    4. 12.3. Configuring and Testing the OpenLDAP Server
    5. 12.4. Creating a New Database on Fedora
    6. 12.5. Adding More Users to Your Directory
    7. 12.6. Correcting Directory Entries
    8. 12.7. Connecting to a Remote OpenLDAP Server
    9. 12.8. Finding Things in Your OpenLDAP Directory
    10. 12.9. Indexing Your Database
    11. 12.10. Managing Your Directory with Graphical Interfaces
    12. 12.11. Configuring the Berkeley DB
    13. 12.12. Configuring OpenLDAP Logging
    14. 12.13. Backing Up and Restoring Your Directory
    15. 12.14. Refining Access Controls
    16. 12.15. Changing Passwords
  17. 13. Network Monitoring with Nagios
    1. 13.0. Introduction
    2. 13.1. Installing Nagios from Sources
    3. 13.2. Configuring Apache for Nagios
    4. 13.3. Organizing Nagios’ Configuration Files Sanely
    5. 13.4. Configuring Nagios to Monitor Localhost
    6. 13.5. Configuring CGI Permissions for Full Nagios Web Access
    7. 13.6. Starting Nagios at Boot
    8. 13.7. Adding More Nagios Users
    9. 13.8. Speed Up Nagios with check_icmp
    10. 13.9. Monitoring SSHD
    11. 13.10. Monitoring a Web Server
    12. 13.11. Monitoring a Mail Server
    13. 13.12. Using Servicegroups to Group Related Services
    14. 13.13. Monitoring Name Services
    15. 13.14. Setting Up Secure Remote Nagios Administration with OpenSSH
    16. 13.15. Setting Up Secure Remote Nagios Administration with OpenSSL
  18. 14. Network Monitoring with MRTG
    1. 14.0. Introduction
    2. 14.1. Installing MRTG
    3. 14.2. Configuring SNMP on Debian
    4. 14.3. Configuring SNMP on Fedora
    5. 14.4. Configuring Your HTTP Service for MRTG
    6. 14.5. Configuring and Starting MRTG on Debian
    7. 14.6. Configuring and Starting MRTG on Fedora
    8. 14.7. Monitoring Active CPU Load
    9. 14.8. Monitoring CPU User and Idle Times
    10. 14.9. Monitoring Physical Memory
    11. 14.10. Monitoring Swap Space and Memory
    12. 14.11. Monitoring Disk Usage
    13. 14.12. Monitoring TCP Connections
    14. 14.13. Finding and Testing MIBs and OIDs
    15. 14.14. Testing Remote SNMP Queries
    16. 14.15. Monitoring Remote Hosts
    17. 14.16. Creating Multiple MRTG Index Pages
    18. 14.17. Running MRTG As a Daemon
  19. 15. Getting Acquainted with IPv6
    1. 15.0. Introduction
    2. 15.1. Testing Your Linux System for IPv6 Support
    3. 15.2. Pinging Link Local IPv6 Hosts
    4. 15.3. Setting Unique Local Unicast Addresses on Interfaces
    5. 15.4. Using SSH with IPv6
    6. 15.5. Copying Files over IPv6 with scp
    7. 15.6. Autoconfiguration with IPv6
    8. 15.7. Calculating IPv6 Addresses
    9. 15.8. Using IPv6 over the Internet
  20. 16. Setting Up Hands-Free Network Installations of New Systems
    1. 16.0. Introduction
    2. 16.1. Creating Network Installation Boot Media for Fedora Linux
    3. 16.2. Network Installation of Fedora Using Network Boot Media
    4. 16.3. Setting Up an HTTP-Based Fedora Installation Server
    5. 16.4. Setting Up an FTP-Based Fedora Installation Server
    6. 16.5. Creating a Customized Fedora Linux Installation
    7. 16.6. Using a Kickstart File for a Hands-off Fedora Linux Installation
    8. 16.7. Fedora Network Installation via PXE Netboot
    9. 16.8. Network Installation of a Debian System
    10. 16.9. Building a Complete Debian Mirror with apt-mirror
    11. 16.10. Building a Partial Debian Mirror with apt-proxy
    12. 16.11. Configuring Client PCs to Use Your Local Debian Mirror
    13. 16.12. Setting Up a Debian PXE Netboot Server
    14. 16.13. Installing New Systems from Your Local Debian Mirror
    15. 16.14. Automating Debian Installations with Preseed Files
  21. 17. Linux Server Administration via Serial Console
    1. 17.0. Introduction
    2. 17.1. Preparing a Server for Serial Console Administration
    3. 17.2. Configuring a Headless Server with LILO
    4. 17.3. Configuring a Headless Server with GRUB
    5. 17.4. Booting to Text Mode on Debian
    6. 17.5. Setting Up the Serial Console
    7. 17.6. Configuring Your Server for Dial-in Administration
    8. 17.7. Dialing In to the Server
    9. 17.8. Adding Security
    10. 17.9. Configuring Logging
    11. 17.10. Uploading Files to the Server
  22. 18. Running a Linux Dial-Up Server
    1. 18.0. Introduction
    2. 18.1. Configuring a Single Dial-Up Account with WvDial
    3. 18.2. Configuring Multiple Accounts in WvDial
    4. 18.3. Configuring Dial-Up Permissions for Nonroot Users
    5. 18.4. Creating WvDial Accounts for Nonroot Users
    6. 18.5. Sharing a Dial-Up Internet Account
    7. 18.6. Setting Up Dial-on-Demand
    8. 18.7. Scheduling Dial-Up Availability with cron
    9. 18.8. Dialing over Voicemail Stutter Tones
    10. 18.9. Overriding Call Waiting
    11. 18.10. Leaving the Password Out of the Configuration File
    12. 18.11. Creating a Separate pppd Logfile
  23. 19. Troubleshooting Networks
    1. 19.0. Introduction
    2. 19.1. Building a Network Diagnostic and Repair Laptop
    3. 19.2. Testing Connectivity with ping Problem
    4. 19.3. Profiling Your Network with FPing and Nmap
    5. 19.4. Finding Duplicate IP Addresses with arping
    6. 19.5. Testing HTTP Throughput and Latency with httping
    7. 19.6. Using traceroute, tcptraceroute, and mtr to Pinpoint Network Problems
    8. 19.7. Using tcpdump to Capture and Analyze Traffic
    9. 19.8. Capturing TCP Flags with tcpdump
    10. 19.9. Measuring Throughput, Jitter, and Packet Loss with iperf
    11. 19.10. Using ngrep for Advanced Packet Sniffing
    12. 19.11. Using ntop for Colorful and Quick Network Monitoring
    13. 19.12. Troubleshooting DNS Servers
    14. 19.13. Troubleshooting DNS Clients
    15. 19.14. Troubleshooting SMTP Servers
    16. 19.15. Troubleshooting a POP3, POP3s, or IMAP Server
    17. 19.16. Creating SSL Keys for Your Syslog-ng Server on Debian
    18. 19.17. Creating SSL Keys for Your Syslog-ng Server on Fedora
    19. 19.18. Setting Up stunnel for Syslog-ng
    20. 19.19. Building a Syslog Server
  24. A. Essential References
  25. B. Glossary of Networking Terms
  26. C. Linux Kernel Building Reference
    1. C.1. Building a Custom Kernel
  27. About the Author
  28. Colophon
  29. Special Upgrade Offer
  30. Copyright

Chapter 1. Introduction to Linux Networking

1.0. Introduction

Computer networking is all about making computers talk to each other. It is simple to say, but complex to implement. In this Introduction, we’ll take a bird’s-eye view of Ethernet networking with Linux, and take a look at the various pieces that make it all work: routers, firewalls, switches, cabling, interface hardware, and different types of WAN and Internet services.

A network, whether it is a LAN or WAN, can be thought of as having two parts: computers, and everything that goes between the computers. This book focuses on connectivity: firewalls, wireless access points, secure remote administration, remote helpdesk, remote access for users, virtual private networks, authentication, system and network monitoring, and the rapidly growing new world of Voice over IP services.

We’ll cover tasks like networking Linux and Unix boxes, integrating Windows hosts, routing, user identification and authentication, sharing an Internet connection, connecting branch offices, name services, wired and wireless connectivity, security, monitoring, and troubleshooting.

Connecting to the Internet

One of the biggest problems for the network administrator is connecting safely to the Internet. What sort of protection do you need? Do you need expensive commercial routers and firewalls? How do you physically connect your LAN to the Internet?

Here are the answers to the first two questions: at a minimum, you need a firewall and a router, and no, you do not need expensive commercial devices. Linux on ordinary PC hardware gives you all the power and flexibility you need for most home and business users.

The answer to the last question depends on the type of Internet service. Cable and DSL are simple—a cable or DSL line connects to an inexpensive broadband modem, which you connect to your Linux firewall/gateway, which connects to your LAN switch, as Figure 1-1 shows.

Broadband Internet connected to a small LAN
Figure 1-1. Broadband Internet connected to a small LAN

In this introduction, I’m going to refer to the interface between your LAN and outside networks as the gateway. At a bare minimum, this gateway is a router. It might be a dedicated router that does nothing else. You might add a firewall. You might want other services like name services, a VPN portal, wireless access point, or remote administration. It is tempting to load it up with all manner of services simply because you can, but from security and ease-of-administration perspectives, it is best to keep your Internet gateway as simple as possible. Don’t load it up with web, mail, FTP, or authentication servers. Keep it lean, mean, and as locked-down as possible.

If you are thinking of upgrading to a high-bandwidth dedicated line, a T1 line is the next step up. Prices are competitive with business DSL, but you’ll need specialized interface hardware that costs a lot more than a DSL modem. Put a PCI T1 interface inside your Linux gateway box to get the most flexibility and control. These come in many configurations, such as multiple ports, and support data and voice protocols, so you can tailor it to suit your needs exactly.

If you prefer a commercial router, look for bundled deals from your service provider that include a router for free. If you can’t get a deal on a nice router, check out the abundant secondhand router market. Look for a router with a T1 WAN interface card and a Channel Service Unit/Data Service Unit (CSU/DSU). Don’t expect much from a low-end router—your Linux box with its own T1 interface has a lot more horsepower and customizability.

A typical T1 setup looks like Figure 1-2.

Connecting to a T1 line
Figure 1-2. Connecting to a T1 line

Beyond T1, the sky’s the limit on service options and pricing. Higher-end services require different types of hardware LAN interfaces. A good service provider will tell you what you need, and provide optional on-site services. Don’t be too proud to hire help—telecommunications is part engineering and part voodoo, especially because we started pushing data packets over voice lines.

Overview of Internet Service Options

The hardworking network administrator has a plethora of choices for Internet connectivity, if you are in the right location. A wise (though under-used) tactic is to investigate the available voice and data services when shopping for an office location. Moving into a space that is already wired for the services you want saves money and aggravation. Otherwise, you may find yourself stuck with nothing but dial-up or ISDN, or exotic, overpriced, over-provisioned services you don’t want.

Cable, DSL, and Dial-Up

Cable, DSL, and dial-up are unregulated services. These are the lowest-cost and most widely available.


Cable Internet is usually bundled with television services, though some providers offer Internet-only service. Cable’s primary attraction is delivering higher download speeds than DSL. Many providers do not allow running public services, and even block common ports like 22, 25, 80, and 110. Some vendors are notorious for unreliable service, with frequent outages and long downtimes. However, some cable providers are good and will treat you well, so don’t be shy about shopping around. Beware restrictive terms of service; some providers try to charge per-client LAN fees, which is as silly as charging per-user fees for tap water.


DSL providers are usually more business-friendly. Some DSL providers offer business DSL accounts with SLAs, and with bandwidth and uptime guarantees. DSL isn’t suitable for mission-critical services because it’s not quite reliable enough for these, but it’s fine for users who can tolerate occasional downtimes.

DSL runs over ordinary copper telephone lines, so anyone with a regular landline is a potential DSL customer. It is also possible to get a DSL line without telephone service, though this is usually expensive. DSL is limited by distance; you have to be within 18,000 wire-feet of a repeater, though this distance varies a lot between providers, and is affected by the physical quality of the line. Residential accounts are often restricted to shorter distances than business accounts, presumably to limit support costs.

With DSL, you’re probably stuck with a single telco, but you should have a choice of ISP.

DSL comes in two primary flavors: symmetric digital subscriber line (SDSL) and asymmetric digital subscriber line (ADSL). SDSL speeds are the same upstream and downstream, up to a maximum of 3 Mbps. ADSL downstream speeds go as high as 9 Mbps, but upstream maxes out at 896 Mbps. ADSL2+, the newest standard, can deliver 24 Mbps downstream, if you can find a provider. Keep in mind that no one ever achieves the full speeds; these are theoretical upper limits.

Longer distances means less bandwidth. If you’re within 5,000 feet you’re golden, assuming the telco’s wires are healthy. 10,000 is still good. The reliability limit of the connection is around 18,000 feet—just maintaining connectivity is iffy at this distance.


Good old dial-up networking still has its place, though its most obvious limitation is bandwidth. It’s unlikely you’ll get more than 48 Kbps. However, dial-up has its place as a backup when your broadband fails, and may be useful as a quick, cheap WAN—you can dial in directly to one of your remote servers, for example, and do a batch file transfer or some emergency system administration, or set it up as a VPN for your users.

Cable, DSL, and dial-up gotchas

One thing to watch out for is silly platform limitations—some ISPs, even in these modern times, are notorious for supporting only Microsoft Windows. Of course, for ace network administrators, this is just a trivial annoyance because we do not need their lackluster support for client-side issues. Still, you must make sure your Linux box can connect at all, as a significant number of ISPs still use Microsoft-only networking software. Exhibit A is AOL, which supports only Windows and Mac, and replaces the Windows networking stack with its own proprietary networking software. This causes no end of fun when you try to change to a different ISP—it won’t work until you reinstall Windows networking, which sometimes works, or reinstall Windows, which definitely works, and is almost as much fun as it sounds.

Regulated Broadband Services

Regulated services include broadband networking over copper telephone lines and fiber optic cable. These are supposed to be more reliable because the network operators are supposed to monitor the lines and fix connectivity problems without customer intervention. When there is a major service interruption, such as a widespread power outage, regulated services should be restored first. As always in the real world, it depends on the quality of your service provider.

T1, T3, E-1, E-3, DS1, and DS3 run over copper lines. T1/T3 and DS1/DS3 are the same things. These are symmetrical (same bandwidth upstream and downstream) dedicated lines. Because it’s an unshared line, even a T1 handles a lot of traffic satisfactorily. OC-3–OC-255 run over fiber optic cable; these are the super-high capacity lines that backbone providers use. Table 1-1 shows a sampling of the many available choices, including European standards (prefixed with an E).

Table 1-1. Regulated broadband service offerings




1.544 Mbps


43.232 Mbps


155 Mbps


622 Mbps


2.5 Gbps


9.6 Gbps


13.21 Gbps


2.048 Mbps


8.448 Mbps


34.368 Mbps

Other common options are frame relay and fractional services, like fractional T1, fractional T3, and fractional OC-3. Frame relay is used point-to-point, for example, between two branch offices. It’s shared bandwidth, and used to be a way to save money when a dedicated T1 was too expensive. These days, it’s usually not priced low enough to make it worthwhile, and the hardware to interface with frame relay is expensive. DSL or T1 is usually a better deal.

Fractional T1 is still an option for users on a budget, though DSLis often a good lower-cost alternative. When you need more than a single T1, bonding two T1 lines costs less than the equivalent fractional T3 because the T3 interface hardware costs a mint. Linux can handle the bonding, if your interface hardware and service provider support it. When you think you need more than two T1s, it’s time to consult with your friendly service provider for your best options.

Always read the fine print, and make sure all fees are spelled out. The circuit itself is often a separate charge, and there may be setup fees. If you’re searching online for providers and information, beware of brokers. There are good ones, but as a general rule, you’re better off dealing directly with a service provider.

Private Networks

As more service providers lay their own fiber optic networks, you’ll find interesting options like Fast Ethernet WAN, even Gigabyte Ethernet WAN, and also high-speed wireless services. Again, these depend on being in the right location. The nice part about these private services is they bypass the Internet, which eliminates all sorts of potential trouble spots.

Latency, Bandwidth, and Throughput

When discussing network speeds, there is often confusion between bandwidth, latency, and throughput. Broadband means fat pipe, not necessarily a fast pipe. As us folks out here in the sticks say, “Bandwidth is capacity, and latency is response time. Bandwidth is the diameter of your irrigation line. Latency is waiting for the water to come out.”

Throughput is the amount of data transferred per unit of time, like 100 Kbps. So, you could say throughput is the intersection of bandwidth and latency.

Many factors affect latency, such as server speed, network congestion, and inherent limitations in circuits. The ping command can measure latency in transit time roundtrip:

	$ ping
	PING ( 56(84) bytes of data.
	64 bytes from ( icmp_seq=2 ttl=45 time=489 ms
	64 bytes from ( icmp_seq=3 ttl=45 time=116 ms

Compare this to LAN speeds:

	$ ping windbag
	PING localhost.localdomain ( 56(84) bytes of data.
	64 bytes from localhost.localdomain ( icmp_seq=1 ttl=64 time=0.040 ms
	64 bytes from localhost.localdomain ( icmp_seq=2 ttl=64 time=0.039 ms

It doesn’t get any faster than pinging localhost. The latency in an Ethernet interface is around 0.3 milliseconds (ms). DSLand cable are around 20 ms. T1/T3 have a latency of about 4 ms. Satellite is the highest, as much as two seconds. That much latency breaks IP. Satellite providers play a lot of fancy proxying tricks to get latency down to a workable level.

Hardware Options for Your Linux Firewall/Gateway

There are a lot of hardware choices for your gateway box. Linux supports more hardware platforms than any other operating system, so you don’t have to stick with x86. Debian in particular supports a large number of hardware architectures: Alpha, ARM, HPPA, i386, ia64, m68k, MIPS, MIPSEL, PowerPC, SPARC, and s/390, so you can use whatever you like. (If you build one on an s/390, please send photos to !)

Of course, you have the option of purchasing a commercial appliance. These range from little SOHO devices like the Linksys, Netgear, and SMC broadband routers for sharing a DSL or cable Internet line for under $100, to rackmount units that end up costing several thousand dollars for software licenses and subscriptions. A growing number of these are Linux-based, so your Linux skills will serve you well.

But, it’s not necessary to go this route—you can get unlimited flexibility, and possibly save money by purchasing the bare hardware, or reusing old hardware, and installing your own favorite Linux distribution on it.

There are many choices for form factor and hardware types: small embedded boards like Soekris and PC Engines, Mini-ITX, microATX, blade, rackmount, and more. The smaller units use less power, take up less space, and are fanless for peace and quiet. Larger devices are more configurable and handle bigger loads.

A plain old desktop PC makes a perfectly good gateway box, and is a good way to keep obsolete PCs out of landfills. Even old 486s can do the job for up to a hundred or so users if they are just sharing an Internet connection and not running public services. Repurposed PCs may be a bit questionable for reliability just from being old, and you may not be able to get replacement parts, so if you’re nervous about their reliability, they still work great for training and testing. An excellent use for one of these is as a fully provisioned backup box—if your main one fails, plug in the backup for minimal downtime.

High-End Enterprise Routers

When do you need an elite, hideously expensive, top-of-the-line Cisco or Juniper router? To quote networking guru Ed Sawicki: “You don’t need more performance than what you need.” Unless you’re an ISP handling multimegabyte routing tables, need the fastest possible performance, highest throughput, good vendor support, and highest reliability, you don’t need these superpowered beasts.

The highest-end routers use specialized hardware. They are designed to move the maximum number of packets per second. They have more and fatter data buses, multiple CPUs, and TCAM memory.

TCAM is Ternary Content Addressable Memory. This is very different from ordinary system RAM. TCAM is several times faster than the fastest system RAM, and many times more expensive. You won’t find TCAM in lower-cost devices, nor will you find software that can shovel packets as fast as TCAM.

Not-So-High-End Commercial Routers

The mid-range commercial routers use hardware comparable to ordinary PC hardware. However, their operating systems can make a significant performance difference. Routers that use a real-time operating system, like the Cisco IOS, perform better under heavy loads than Linux-based routers, because no matter how hard some folks try to make Linux a real-time operating system, it isn’t one.

But, for the average business user this is not an issue because you have an ISP to do the heavy lifting. Your needs are sharing your Internet connection, splitting a T1 line for voice and data, connecting to some branch offices, offsite backups, or a data center. Linux on commodity hardware will handle these jobs just fine for a fraction of the cost.


Switches are the workhorses of networking. Collision domains are so last millennium; a cheap way to instantly improve LAN performance is to replace any lingering hubs with switches. Once you do this, you have a switched LAN. As fiber optic lines are becoming more common, look for cabling compatibility in switches. (And routers and NICs, too.)

Switches come in many flavors: dumb switches that simply move packets, smart switches, and managed switches. These are marketing terms, and therefore imprecise, but usually, smart switches are managed switches with fewer features and lower price tags. Higher-end features have a way of falling into lower-priced devices over time, so it no longer costs a scary amount to buy managed or smart switches with useful feature sets. There are all kinds of features getting crammed into switches these days, so here is a list of some that I think are good to have.

Management port

Because switches forward traffic directly to the intended hosts, instead of promiscuously spewing them to anyone who cares to capture them, you can’t sniff a switched network from anywhere on a subnet like you could in the olden hub days. So, you need a switch that supports port mirroring, or, as Cisco calls it, SPAN. (An alternative is to use the arpspoof utility—use it carefully!)

Serial port

Most managed switches are configured via Ethernet with nice web interfaces. This is good. But still, there may be times when you want to get to a command line or do some troubleshooting, and this is when a serial port will save the day.

MDI/MDI-X (Medium Dependent Interfaces)

This is pretty much standard—it means no more hassles with crossover cables, because now switches can auto-magically connect to other switches without needing special uplink ports or the exactly correct crossover or straight-through cables.

Lots of blinky lights

Full banks of LEDs can’t be beat for giving a fast picture of whether things are working.

Jumbo frames

This is a nice feature on gigabit switches, if it is supported across your network. Standard frames are 1,500 bytes, which is fine for Fast Ethernet. Some Gigabit devices support 9,000 byte frames.

Port trunking

This means combining several switch ports to create a fatter pipeline. You can connect a switch to a switch, or a switch to a server if it has a NIC that supports link aggregation.


This is a feature that will have you wondering why you didn’t use it sooner. Virtual LANs (VLANs) are logical subnets. They make it easy and flexible to organize your LAN logically, instead of having to rearrange hardware.


Quality of Service, or traffic prioritization, allows you to give high priority to traffic that requires low latency and high throughput (e.g., voice traffic), and low priority to web-surfin’ slackers.

Per-port access controls

Another tool to help prevent intruders and snoopy personnel from wandering into places they don’t belong.

Network Interface Cards (NICs)

With Linux, it’s unlikely you’ll run into driver hassles with PCI and PCI-Express NICs; most chipsets are well-supported. New motherboards commonly have 10/ 100/1000 Ethernet onboard. Just like everything else, NICs are getting crammed with nice features, like wake-on-LAN, netboot, QoS, and jumbo frame support.

USB NICs, both wired and wireless, are good for laptops, or when you don’t feel like opening the box to install a PCI card. But beware driver hassles; a lot of them don’t have Linux drivers.

Server NICs come with nice features like link aggregation, multiple ports, and fiber Gigabit.

Gigabit Ethernet Gotchas

As Gigabit Ethernet becomes more common, it’s important to recognize the potential choke points in your network. Now we’re at the point where networking gear has outstripped PC capabilities, like hard drive speeds, I/O, and especially bus speeds.

The PCI bus is a shared bus, so more devices result in slower performance. Table 1-2 shows how PCI has evolved.

Table 1-2. Evolution of PCI






132 Mbps



264 Mbps



512 Mbps



1 Gbps

PCI-Express is different from the old PCI, and will probably replace both PCI and AGP. It is backward-compatible, so you won’t have to chuck all of your old stuff. PCI-E uses a point-to-point switching connection, instead of a shared bus. Devices talk directly to each other over a dedicated circuit. A device that needs more band-width gets more circuits, so you’ll see slots of different sizes on motherboards, like PCI-Express 2x, 4x, 8x, and 16x. PCI-E x16 can theoretically move 8 Gbps.

USB 1.1 tops out at 11 Mbps, and you’ll be lucky to get more than 6–8 Mbps. USB 2.0 is rated at 480 Mbps, which is fine for both Fast and Gigabit wired Ethernet. You won’t get full Gigabit speeds, but it will still be faster than Fast Ethernet.

32-bit Cardbus adapters give better performance on laptops than the old 16-bit PCMCIA, with a data transfer speed of up to 132 Mbps.


Ordinary four-twisted-pair Cat5 should carry you into Gigabit Ethernet comfortably, though Cat5e is better. Chances are your Cat5 is really Cat5e, anyway; read the cable markings to find out. Watch out for cheapie Cat5 that has only two twisted pairs.

Cat6 twisted-pair cabling, the next generation of Ethernet cabling, is a heavier gauge (23 instead of Cat5’s 24), meets more stringent specifications for crosstalk and noise, and it always has four pairs of wires.

Wireless Networking

Wireless networking gear continues to be a source of aggravation for admins of mixed LANs, which is practically all of them. Shop carefully, because a lot of devices are unnecessarily Windows-dependent. Wireless gear is going to be a moving target for awhile, and bleeding-edge uncomfortable. Go for reliability and security over promises of raw blazing speeds. As far as security goes, Wired Equivalent Privacy (WEP) is not suitable for the enterprise. WEP is far too weak. Wi-Fi Protected Access (WPA) implementations are all over the map, but WPA2 seems to be fairly sane, so when you purchase wireless gear, make sure it supports WPA2. Also, make sure it is Wi-Fi Certified, as this ensures interoperability between different brands.

Whatever you do, don’t run naked unprotected wireless. Unless you enjoy having your network compromised.

The best content for your career. Discover unlimited learning on demand for around $1/day.