9.2. Adding a route with the new ip tools
In the previous section we showed how to list the routing table and explained what the basics of that listing mean. Fortunately, the output is very similar to the syntax you would use to implement that exact routing table yourself.
ip route add 207.149.43.62 dev eth0 scope link
ip route add 207.149.43.0/24 dev eth0 proto kernel scope link src 207.149.43.62
ip route add 127.0.0.0/8 dev lo scope link
ip route add default via 207.149.43.1 dev eth0
As you can see, the output and the input are almost identical (apart from "ip route add" being prepended to each line).
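Because the listing and the add commands differ only by that prefix, a saved listing doubles as a baseline you can replay or compare against. The following shell script is an added example, not part of the HOWTO; it assumes the 2.2-era listing format shown above, and the sample listing and the extra 10.0.0.0/8 route are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Assumes the 2.2-era listing format
# shown above ("<dst> dev <if> ..." / "default via <gw> dev <if>").
LC_ALL=C; export LC_ALL

# Turn each line of an `ip route show` listing (read from stdin) into the
# `ip route add` command that would recreate that route.
routes_to_commands() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            printf 'ip route add %s\n' "$line"
        fi
    done
}

# Compare a saved baseline listing against a current one. Prints routes
# that appeared ("added:") or disappeared ("missing:"); empty output means
# the table still matches the baseline. Both arguments are listings as
# newline-separated strings.
route_drift() {
    b=$(mktemp); c=$(mktemp)
    printf '%s\n' "$1" | sort > "$b"
    printf '%s\n' "$2" | sort > "$c"
    # comm -13: only in current (added); comm -23: only in baseline (missing)
    comm -13 "$b" "$c" | sed 's/^/added:   /'
    comm -23 "$b" "$c" | sed 's/^/missing: /'
    rm -f "$b" "$c"
}

# Constructed sample listing: the same routes as in the section above.
SAMPLE_LISTING='207.149.43.62 dev eth0 scope link
207.149.43.0/24 dev eth0 proto kernel scope link src 207.149.43.62
127.0.0.0/8 dev lo scope link
default via 207.149.43.1 dev eth0'

# Stand-alone demonstration: recreate the commands, then detect a route
# (constructed) that is not in the baseline.
printf '%s\n' "$SAMPLE_LISTING" | routes_to_commands
route_drift "$SAMPLE_LISTING" "$SAMPLE_LISTING
10.0.0.0/8 via 207.149.43.254 dev eth0"
```

On a live system, `ip -o route show > baseline` produces the one-record-per-line form these functions expect; review the generated commands before replaying them, since an unexpected "added:" line is exactly the kind of change a routing baseline exists to catch.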
Note: We are aware that the documentation on Routing with 2.2 is sorely lacking in details. In fact, I think EVERYONE is aware of it! If you have any experience in this matter, please contact us at: [email protected] We would like to get any information that you may have to help strengthen our documentation!
9.3. Using NAT with Kernel 2.2
The IP Network Address Translation facility is pretty much the standardized "big brother" of the Linux IP Masquerade facility. It is specified in some detail in RFC 1631 (at your nearest RFC archive). NAT provides features that IP-Masquerade does not (which make it eminently more suitable for use in both corporate firewall router designs, and in larger scale installations).
An alpha implementation of NAT for the Linux 2.0.29 kernel has been developed by Michael Hasenstein: [email protected]-chemnitz.de. Michael's documentation and implementation are available from:
Linux IP Network Address Web Page
The much improved TCP/IP stack of the Linux 2.2 kernel has NAT functionality built-in. This facility seems to render the work by Michael Hasenstein ([email protected]-chemnitz.de) somewhat obsolete.
To get it to work, you need a kernel with CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES (aka policy routing) and CONFIG_IP_ROUTE_NAT (aka fast NAT) enabled. If you want to use finer grained NAT rules, you may also want to turn on firewalling (CONFIG_IP_FIREWALL) and CONFIG_IP_ROUTE_FWMARK. To actually operate these kernel features, you will need the "ip" program by Alexey Kuznyetsov from ftp://ftp.inr.ac.ru/ip-routing/.
Incoming datagrams NAT
Now, to translate addresses of incoming datagrams, the following command is used:
ip route add nat <ext-addr>[/<masklen>] via <int-addr>
This will make an incoming packet destined to "ext−addr" (the address visible from outside Internet) to have its destination address field rewritten to "int−addr" (the address in your internal network, behind your gateway/firewall). The packet is then routed according to the local routing table. You can translate either single host addresses or complete blocks. Examples:
ip route add nat 195.113.148.34 via 192.168.0.2
ip route add nat 195.113.148.32/27 via 192.168.0.0
The first command makes the internal address 192.168.0.2 accessible as 195.113.148.34. The second remaps the block 192.168.0.0-31 to 195.113.148.32-63.
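Two things go wrong in practice with this facility: the kernel lacks one of the options listed above, or a block translation is written with a start address that is not the first address of its /masklen block, so the wrong hosts get mapped. The shell helpers below are an added example, not part of the HOWTO or of the iproute2 tools; the .config contents are constructed, and the function names (missing_nat_options, nat_rule, aligned, ip2int) are this example's own.

```shell
#!/bin/sh
# Added example, not from the HOWTO: check the kernel options the section
# requires and build the "ip route add nat" command with a prefix-alignment
# check. The .config contents below are constructed.

# Kernel options the section lists as required for fast NAT.
NAT_REQUIRED='CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES CONFIG_IP_ROUTE_NAT'

# Print each required option that is not "=y" in the given .config file.
missing_nat_options() {
    for opt in $NAT_REQUIRED; do
        grep -qx "$opt=y" "$1" || echo "$opt"
    done
}

# Dotted quad -> 32-bit integer (assumes four numeric fields).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# aligned ADDR MASKLEN: true if ADDR is the first address of its block.
aligned() {
    n=$(ip2int "$1")
    hostbits=$((32 - $2))
    [ $(( n & ((1 << hostbits) - 1) )) -eq 0 ]
}

# nat_rule EXT INT [MASKLEN]: emit "ip route add nat EXT[/MASKLEN] via INT",
# refusing a block whose start address is not aligned to MASKLEN.
nat_rule() {
    ext=$1; int=$2; mask=${3:-32}
    if ! aligned "$ext" "$mask" || ! aligned "$int" "$mask"; then
        echo "error: $ext or $int is not the start of a /$mask block" >&2
        return 1
    fi
    if [ "$mask" -eq 32 ]; then
        printf 'ip route add nat %s via %s\n' "$ext" "$int"
    else
        printf 'ip route add nat %s/%s via %s\n' "$ext" "$mask" "$int"
    fi
}

# Constructed .config fragment with fast NAT left unset.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_NAT is not set
EOF

# Stand-alone demonstration: report the missing option, then build the
# two commands from the section above.
missing_nat_options "$SAMPLE_CONFIG"
nat_rule 195.113.148.34 192.168.0.2
nat_rule 195.113.148.32 192.168.0.0 27
```

On a real host you would point missing_nat_options at the kernel's .config (or a decompressed /proc/config.gz where available) instead of the constructed file; an empty result means all three options are set.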
(Work In Progress)
10.1. ip
If you have the iproute2 tools installed, then executing the ip command will allow the basic syntax to be displayed.
[root@jd Net4]# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
where OBJECT := { link | addr | route | rule | neigh | tunnel | maddr | mroute | monitor }
      OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] |
                   -f[amily] { inet | inet6 | dnet | link } | -o[neline] }
There are also several options available:
-V, -Version -- print the version of the ip utility you are using and exit.
-s, -stats, -statistics -- obtain more output on the specified device. You can issue this option more than once to increase the amount of information being displayed.
-f, -family followed by a protocol family identifier such as inet, inet6 or link -- specify the exact protocol family to use. inet uses the standard IPv4 (the current Internet standard), inet6 uses IPv6 (the ground breaking, never-to-be-implemented Internet standard), and link is a physical link. If you do not give the option, the protocol family is guessed. If not enough information is present, it falls back to the default setting.
-o, -oneline -- show each device record on a single line.
-r, -resolve -- use the system resolver (e.g. DNS) to print actual names (versus IP numbers).
OBJECT is the object (device) that you can retrieve information from and/or manage. The object types understood by the current implementation are:
• link -- the network device, e.g. eth0 or ppp0.
• address -- the IP (IPv4 or IPv6) address on the specified device.
• neigh -- the ARP or NDISC cache entry.
• route -- the routing table entry.
• rule -- the rule in the routing policy database.
• maddress -- the multicast address.
• mroute -- the multicast route cache entry.
• tunnel -- whether or not to tunnel over IP.
The options allowed on each object type depend on the action being taken. As a basic rule, it is possible to add, delete, or show the object(s). Not all objects allow additional commands. Of course, the help command is available for all objects; when used, it prints a list of the syntax conventions for the given object.
If you do not give a command, the default command is assumed. Typically the default command is to list the objects. If the objects cannot be listed, the default provides the standard help output.