Product SiteDocumentation Site

Chapter 10. Network Infrastructure

10.1. Gateway
10.2. Virtual Private Network
10.2.1. OpenVPN
10.2.2. Virtual Private Network with SSH
10.2.3. IPsec
10.2.4. PPTP
10.3. Quality of Service
10.3.1. Principle and Mechanism
10.3.2. Configuring and Implementing
10.4. Dynamic Routing
10.5. IPv6
10.5.1. Tunneling
10.6. Domain Name Servers (DNS)
10.6.1. Principle and Mechanism
10.6.2. Configuring
10.7. DHCP
10.7.1. Configuring
10.7.2. DHCP and DNS
10.8. Network Diagnosis Tools
10.8.1. Local Diagnosis: netstat
10.8.2. Remote Diagnosis: nmap
10.8.3. Sniffers: tcpdump and wireshark
Linux sports the whole Unix heritage for networking, and Debian provides a full set of tools to create and manage them. This chapter reviews these tools.

10.1. Gateway

A gateway is a system linking several networks. This term often refers to a local network's “exit point” on the mandatory path to all external IP addresses. The gateway is connected to each of the networks it links together, and acts as a router to convey IP packets between its various interfaces.
When a local network uses a private address range (not routable on the Internet), the gateway needs to implement address masquerading so that the machines on the network can communicate with the outside world. The masquerading operation is a kind of proxy operating on the network level: each outgoing connection from an internal machine is replaced with a connection from the gateway itself (since the gateway does have an external, routable address), the data going through the masqueraded connection is sent to the new one, and the data coming back in reply is sent through to the masqueraded connection to the internal machine. The gateway uses a range of dedicated TCP ports for this purpose, usually with very high numbers (over 60000). Each connection coming from an internal machine then appears to the outside world as a connection coming from one of these reserved ports.
The gateway can also perform two kinds of network address translation (or NAT for short). The first kind, Destination NAT (DNAT) is a technique to alter the destination IP address (and/or the TCP or UDP port) for a (generally) incoming connection. The connection tracking mechanism also alters the following packets in the same connection to ensure continuity in the communication. The second kind of NAT is Source NAT (SNAT), of which masquerading is a particular case; SNAT alters the source IP address (and/or the TCP or UDP port) of a (generally) outgoing connection. As for DNAT, all the packets in the connection are appropriately handled by the connection tracking mechanism. Note that NAT is only relevant for IPv4 and its limited address space; in IPv6, the wide availability of addresses greatly reduces the usefulness of NAT by allowing all “internal” addresses to be directly routable on the Internet (this does not imply that internal machines are accessible, since intermediary firewalls can filter traffic).
Enough theory, let's get practical. Turning a Debian system into a gateway is a simple matter of enabling the appropriate option in the Linux kernel, by way of the /proc/ virtual filesystem:
# echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
This option can also be automatically enabled on boot if /etc/sysctl.conf sets the net.ipv4.conf.default.forwarding option to 1.

Example 10.1. The /etc/sysctl.conf file

net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
The same effect can be obtained for IPv6 by simply replacing ipv4 with ipv6 in the manual command and using the net.ipv6.conf.all.forwarding line in /etc/sysctl.conf.
Enabling IPv4 masquerading is a slightly more complex operation that involves configuring the netfilter firewall.
Similarly, using NAT (for IPv4) requires configuring netfilter. Since the primary purpose of this component is packet filtering, the details are listed in Chapter 14: “Security (see Section 14.2, “Firewall or Packet Filtering”).