Networking with Linux; Linux Advanced Routing & Traffic Control HOWTO

[Originally posted Mar 13, 2012 4:55 AM by Antti Uitto]

Great resource:

Linux Advanced Routing & Traffic Control HOWTO

As I said, Linux is a powerful tool for network-related stuff. 
The link above is to an extensive HOWTO article about routing and other networking services available in most Linux distributions. 

Here is a nice one that I tried on my own router host.

If you are hosting an Internet gateway for some community, put this on the interface from which the traffic returns to their LAN:

sudo tc qdisc add dev eth1 root tbf rate 64kbit latency 50ms burst 128kbit

They’ll love you for it! 🙂
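The tc command above takes two arguments that look alike but are read with different unit rules, and a burst that is too small for the rate (or smaller than the MTU) silently drops traffic instead of shaping it. The script below is an added example, not part of the original post: it converts tc's rate and size arguments the way iproute2 does, checks the burst against rate/HZ and the MTU, and only then applies the shaper with `tc qdisc replace`, which is idempotent across reboots. The HZ of 250 and the MTU of 1500 are assumed defaults.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a tbf qdisc before
# applying it. tc reads the two arguments with different unit rules: a rate
# suffix of kbit/mbit is decimal bits per second and kbps/mbps is decimal
# bytes per second, while a size suffix of kb/mb is 1024-based bytes and
# kbit/mbit is 1024-based bits. HZ (kernel timer frequency) and the MTU
# below are assumed defaults.

# Split "128kbit" into number and lower-cased suffix.
split_arg() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/^\([0-9]*\)\(.*\)$/\1 \2/'
}

# tc size argument (burst, limit) -> bytes
tc_size_to_bytes() {
  set -- $(split_arg "$1")
  case "$2" in
    ""|b)  echo "$1" ;;
    k|kb)  echo $(($1 * 1024)) ;;
    m|mb)  echo $(($1 * 1024 * 1024)) ;;
    kbit)  echo $(($1 * 1024 / 8)) ;;
    mbit)  echo $(($1 * 1024 * 1024 / 8)) ;;
    *)     echo "unknown size unit '$2'" >&2; return 1 ;;
  esac
}

# tc rate argument -> bytes per second
tc_rate_to_bytes_per_sec() {
  set -- $(split_arg "$1")
  case "$2" in
    ""|bit) echo $(($1 / 8)) ;;
    kbit)   echo $(($1 * 1000 / 8)) ;;
    mbit)   echo $(($1 * 1000000 / 8)) ;;
    bps)    echo "$1" ;;
    kbps)   echo $(($1 * 1000)) ;;
    mbps)   echo $(($1 * 1000000)) ;;
    *)      echo "unknown rate unit '$2'" >&2; return 1 ;;
  esac
}

# tbf needs burst >= rate/HZ bytes (the tokens that arrive per timer tick)
# and, in practice, >= MTU, or full-size packets can never pass. Return 0 if
# both hold.
check_tbf() {
  rate=$1; burst=$2; hz=${3:-250}; mtu=${4:-1500}
  rb=$(tc_rate_to_bytes_per_sec "$rate") || return 1
  bb=$(tc_size_to_bytes "$burst") || return 1
  need=$(( (rb + hz - 1) / hz ))
  if [ "$bb" -lt "$need" ] || [ "$bb" -lt "$mtu" ]; then
    echo "burst $burst = $bb bytes; need >= $need (rate/HZ) and >= $mtu (MTU)" >&2
    return 1
  fi
  echo "burst $burst = $bb bytes, rate $rate = $rb bytes/s: ok"
}

# Apply (or re-apply) the shaper on the LAN-facing interface and show counters.
# "replace" is safe to run again from /etc/rc.local; "add" fails the second time.
apply_tbf() {
  dev=$1; rate=$2; burst=$3; latency=${4:-50ms}
  check_tbf "$rate" "$burst" >/dev/null || return 1
  tc qdisc replace dev "$dev" root tbf rate "$rate" burst "$burst" latency "$latency"
  tc -s qdisc show dev "$dev"
}
```

For the post's own values, `check_tbf 64kbit 128kbit` reports a burst of 16384 bytes against an 8000 bytes/s rate, which passes; `apply_tbf eth1 64kbit 128kbit 50ms` then installs it. Note that the qdisc sits on egress, so on eth1 it only shapes what flows toward the LAN.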

Networking with Linux; what goes where?

[Originally posted Mar 13, 2012 4:38 AM by Antti Uitto]

A modern Linux distribution is an impressive tool for networking. You can rather easily set up a router, firewall or VPN gateway. If you are working with a traditional router, such as Cisco or Juniper, or if you have the fabulous Vyatta router at hand, you will have one place where just about everything goes: the configuration. You add commands from the command line, and as you commit and save them they are stored in the configuration. After the next reload, your gateway will come alive with that configuration in it.

This is not quite so when working with a Linux gateway. Here too you can give most, if not all, of your commands from the CLI and they will be applied either immediately or after reloading the service in question. But mostly they do not survive a reboot unless you do something.

That something you need to do is to write these commands in config files and save them.

In Linux there is, I guess, always more than one way of doing any given thing.

Here are the programs I use and the config files where I write their settings. 

What’s your setup like?

– Physical interfaces
– Logical interfaces (VLAN and bridge)
– IP addresses

/etc/rc.local
– Invoke firewall ( iptables-restore < /path/to/firewall_rules )
– VPN (OpenVPN commands)
– Tunnel interfaces (ip tu add)
– Static routes (ip route add)
– Source routing commands (ip route add & ip rule add)

Quagga router
– Dynamic routing (RIP, OSPF, BGP)
– When you say “write”, Quagga will write its own config in the appropriate place

– Iptables firewall rules for filtering and logging
– Network address translation (NAT)

– Connection attempts logged by iptables

So there is a file where the physical and logical interfaces are configured, including their IPs. There is another place where I like to put my VPNs, tunnels and all the static routes. If I were to use dynamic routing, I would move all my routes to Quagga and handle them from there. But if there is no need for dynamic routing, then all the statics go to the file mentioned in the list.

I do my best to write accurate and compact descriptions for the things that are in these files. It is nicer like that when you have to search for something or want to take a quick look at what is to be found here.

cat /etc/rc.local | grep descr -A 3
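The list above puts the firewall in its own file that /etc/rc.local loads with iptables-restore. The script below is an added example, not from the original post: it writes a firewall_rules file in iptables-restore format that does the three things the list names (filtering, logging of connection attempts, NAT), using the same "descr" comment convention the grep above relies on, and checks that every table block is closed by COMMIT before the file is handed to iptables-restore. Interface names (eth0 toward the Internet, eth1 toward the LAN) and the SSH rule are constructed for the example; the LOG rule is rate-limited so a scan cannot fill the log.

```shell
#!/bin/sh
# Added example, not from the original post: a firewall_rules file in
# iptables-restore format (filter + nat) and a structural check before
# "iptables-restore < /path/to/firewall_rules" is run from /etc/rc.local.
# eth0/eth1 and the rules themselves are constructed for the example.

# Write a ruleset for a gateway with eth0 facing the Internet and eth1 the LAN.
write_rules() {
  cat > "$1" <<'EOF'
# descr: filter table, default deny inbound and forwarded traffic,
# log new connection attempts that are not accepted (rate-limited)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT attempt: "
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
# descr: nat table, masquerade the LAN behind the address of eth0
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Return 0 if every "*table" line is followed by exactly one COMMIT before the
# next table or end of file; print the number of tables seen. iptables-restore
# rejects an unterminated table, but it is cheaper to catch that before boot.
validate_rules() {
  awk '
    /^\*/      { if (open) bad++; open = 1; tables++ }
    /^COMMIT$/ { if (!open) bad++; open = 0 }
    END        { if (open) bad++; print tables; exit(bad ? 1 : 0) }
  ' "$1"
}

# Parse-only first (--test does not touch the running firewall), then load.
# Both steps need root.
load_rules() {
  validate_rules "$1" >/dev/null || return 1
  iptables-restore --test < "$1" && iptables-restore < "$1"
}
```

Usage from rc.local would be `load_rules /path/to/firewall_rules`; `grep descr -A 3` on the file then gives the same quick overview as on rc.local itself.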

IPv6 Over IPv4, secured with OpenVPN

[Originally posted Mar 13, 2012 4:31 AM by Antti Uitto, updated Apr 27, 2012 12:37 PM]

In this lab we create an OpenVPN connection between two routers that are connected to an IPv4-only network. We then connect two IPv6 sites via a sit tunnel that goes inside this protected connection.

You can tunnel IPv6 over IPv4 without using an encrypted VPN connection (such as OpenVPN); just make the sit tunnel between the routers’ public IPv4 addresses.

Network diagram:


sudo apt-get install openvpn


example: host1


iface eth0 inet6 static
pre-up modprobe ipv6
address 2001:22::2
netmask 64
gateway 2001:22::1


Create the key on router1:

openvpn --genkey --secret router1-router2

Copy the key file to router2.

Run these from the command line and place them into /etc/rc.local to make them persistent.

router1
openvpn --remote --port 1199 --dev tun199 --ifconfig --verb 5 --secret /home/user/router1-router2

router2
openvpn --remote --port 1199 --dev tun199 --ifconfig --verb 5 --secret /home/user/router1-router2


Run these from the command line and place them into /etc/rc.local to make them persistent.

router1
sudo ip tu ad sit199 mode sit local remote ttl 64
sudo ip ad ad dev sit199 2001:acdc::1/64
sudo ip li se dev sit199 up
sudo ip -6 ro ad 2001:33::/64 via 2001:acdc::2

router2
sudo ip tu ad sit199 mode sit local remote ttl 64
sudo ip ad ad dev sit199 2001:acdc::2/64
sudo ip li se dev sit199 up
sudo ip -6 ro ad 2001:22::/64 via 2001:acdc::1
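The two command sets above are mirror images of each other, and the one detail that decides whether the IPv6 traffic is actually protected is which IPv4 addresses the sit tunnel is built between: the tun199 ends inside the VPN, not the routers' public addresses. The script below is an added example, not part of the original post: it generates and applies the whole sequence for either router from one file that can be called from /etc/rc.local. The post leaves the IPv4 endpoints blank, so the values here are assumed placeholders: public addresses from the documentation range 203.0.113.0/24 and 10.199.0.1/10.199.0.2 for the two ends of tun199.

```shell
#!/bin/sh
# Added example, not from the original post: bring up the OpenVPN link and then
# the IPv6-in-IPv4 (sit) tunnel on top of it for one router, e.g. from
# /etc/rc.local as "ipv6-vpn.sh router1". The IPv4 addresses are assumed
# placeholders (the post omits them): 203.0.113.x public, 10.199.0.x on tun199.

KEY=/home/user/router1-router2          # static key, as in the post
PORT=1199
DRY_RUN=${DRY_RUN:-0}                   # DRY_RUN=1 only prints the commands

role_vars() {
  case "$1" in
    router1)
      PEER_PUB=203.0.113.2; MY_TUN=10.199.0.1; PEER_TUN=10.199.0.2
      MY_SIT=2001:acdc::1/64; PEER_SIT=2001:acdc::2; REMOTE_NET=2001:33::/64 ;;
    router2)
      PEER_PUB=203.0.113.1; MY_TUN=10.199.0.2; PEER_TUN=10.199.0.1
      MY_SIT=2001:acdc::2/64; PEER_SIT=2001:acdc::1; REMOTE_NET=2001:22::/64 ;;
    *) echo "usage: $0 router1|router2" >&2; return 1 ;;
  esac
}

# Print the commands for a role, in order. The sit tunnel's local/remote are the
# tun199 addresses, never the public ones: that is what keeps the IPv6 packets
# inside the encrypted link instead of sending them over the Internet in clear.
plan() {
  role_vars "$1" || return 1
  cat <<EOF
openvpn --daemon --remote $PEER_PUB --port $PORT --dev tun199 --ifconfig $MY_TUN $PEER_TUN --verb 5 --secret $KEY
ip tunnel add sit199 mode sit local $MY_TUN remote $PEER_TUN ttl 64
ip addr add dev sit199 $MY_SIT
ip link set dev sit199 up
ip -6 route add $REMOTE_NET via $PEER_SIT
EOF
}

# Check a plan: both sit endpoints must be tun199 (VPN-internal) addresses.
sit_inside_vpn() {
  plan "$1" | grep -q '^ip tunnel add sit199 .*local 10\.199\.0\.[12] remote 10\.199\.0\.[12] '
}

# Apply the plan (needs root), or just print it when DRY_RUN=1.
apply() {
  sit_inside_vpn "$1" || return 1
  if [ "$DRY_RUN" = 1 ]; then plan "$1"; else plan "$1" | sh -e; fi
}

if [ -n "$1" ]; then apply "$1"; fi
```

Run with `DRY_RUN=1 ./ipv6-vpn.sh router2` to see the command set for the other side before committing it. The static key still has to reach router2 over a channel of its own (the post says "copy the key file"); scp over an existing SSH session is the usual way, and the key file should be readable by root only, since anyone holding it can join or impersonate the link.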