Linux Networking Primitives


Adding IPv4/IPv6 addresses to interfaces

Setting up (static) routes

TODO: image showing router-to-router communication; two nodes can communicate with each other as long as every router in between, and the two nodes themselves, has a route whose prefix encloses the other node's IP address and whose next hop leads toward that node. This has to hold in both directions: the reply needs its own route at every hop on the way back.
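The two-router case from the TODO above, as an added example that is not part of the original page: four network namespaces (node a, routers r1 and r2, node b) joined by veth pairs, with exactly the static routes each hop needs in both directions. The namespace names, interface names and the 10.0.x.0/24 addressing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: a two-router chain built from
# network namespaces and veth pairs, showing which static route every hop needs.
#
#   a (10.0.0.1) -- r1 (10.0.0.2 | 10.0.1.1) -- r2 (10.0.1.2 | 10.0.2.1) -- b (10.0.2.2)
#
# Namespace names, interface names and the 10.0.x.0/24 addressing are assumptions
# made for this example. Run as root; with DRY_RUN=1 the commands are printed
# instead of executed.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# veth_pair NS1 IF1 ADDR1 NS2 IF2 ADDR2: one veth end in each namespace
veth_pair() {
  run ip link add "$2" type veth peer name "$5"
  run ip link set "$2" netns "$1"
  run ip link set "$5" netns "$4"
  run ip -n "$1" addr add "$3" dev "$2"
  run ip -n "$4" addr add "$6" dev "$5"
  run ip -n "$1" link set "$2" up
  run ip -n "$4" link set "$5" up
}

build_topology() {
  for ns in a r1 r2 b; do
    run ip netns add "$ns"
    run ip -n "$ns" link set lo up
  done
  veth_pair a  a-r1  10.0.0.1/24 r1 r1-a  10.0.0.2/24
  veth_pair r1 r1-r2 10.0.1.1/24 r2 r2-r1 10.0.1.2/24
  veth_pair r2 r2-b  10.0.2.1/24 b  b-r2  10.0.2.2/24

  # Only the routers forward; the end nodes keep forwarding off.
  run ip netns exec r1 sysctl -q -w net.ipv4.ip_forward=1
  run ip netns exec r2 sysctl -q -w net.ipv4.ip_forward=1

  # Forward path a -> b: every hop needs a route enclosing 10.0.2.2 that points
  # toward b. r2 already has 10.0.2.0/24 as a connected route.
  run ip -n a  route add default via 10.0.0.2
  run ip -n r1 route add 10.0.2.0/24 via 10.0.1.2

  # Return path b -> a: the reply needs its own routes at every hop back, or
  # pings go out but no answers come back. r1 has 10.0.0.0/24 connected.
  run ip -n b  route add default via 10.0.2.1
  run ip -n r2 route add 10.0.0.0/24 via 10.0.1.1
}

teardown() { for ns in a r1 r2 b; do run ip netns del "$ns"; done; }

case "${1:-}" in
  up)   build_topology && run ip netns exec a ping -c 3 10.0.2.2 ;;
  down) teardown ;;
esac
```

Remove either the r1 or the r2 route and `ping` from a still transmits, but nothing comes back: a missing route on the return path looks exactly like a missing route on the forward path from the sender's point of view, which is why "traceroute works one way" is such a common symptom.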

TODO: image showing differences between "access" and non-"access" subnets

Using iptables / firewall

Common use case: Simple stateful (connection tracking) firewall

Common use case: Internet connection sharing using the "nat" table

Less common use case: IPv6 many-to-smaller-many NAT

ip6tables -t nat -A POSTROUTING -s 2001:db8:1::/48 -o eth0 -j NETMAP --to 2001:db8:0:1:300::/72

See 300 IPv6 addresses.
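The three iptables use cases above combined into one router script, as an added example that is not part of the original page. WAN=eth0, LAN=eth1, 192.168.1.0/24 and the 2001:db8:... prefixes are assumptions made for this example. The NETMAP rule is the one from above; note that mapping a /48 onto a /72 keeps only the low 56 bits of each inside address and replaces everything above them, so 2001:db8:1:1::1 and 2001:db8:1:2::1 both leave as 2001:db8:0:1:300::1. The translation is therefore not one-to-one and the reverse direction relies on connection tracking, as with any NAT.

```shell
#!/bin/sh
# Added example, not part of the original page: a minimal stateful firewall for
# a router, IPv4 connection sharing through the "nat" table, and the IPv6
# NETMAP rule from above. WAN=eth0, LAN=eth1, 192.168.1.0/24 and the
# 2001:db8:... prefixes are assumptions made for this example. Run as root;
# with DRY_RUN=1 the commands are printed instead of executed.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET4=192.168.1.0/24
INSIDE6=2001:db8:1::/48          # prefix used on the inside
OUTSIDE6=2001:db8:0:1:300::/72   # smaller prefix shown to the outside

# Stateful firewall: nothing comes in unless we asked for it or it came from the LAN.
stateful_firewall() {
  for ipt in iptables ip6tables; do
    run "$ipt" -F
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT
    run "$ipt" -A INPUT -i lo -j ACCEPT
    # Drop packets conntrack cannot place in any flow before accepting replies.
    run "$ipt" -A INPUT   -m conntrack --ctstate INVALID -j DROP
    run "$ipt" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run "$ipt" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN side, to this host or through it to the WAN.
    run "$ipt" -A INPUT   -i "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    run "$ipt" -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
  done
  # IPv6 does not work without ICMPv6 (NDP, router advertisements, PMTUD).
  run ip6tables -A INPUT   -p ipv6-icmp -j ACCEPT
  run ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
  run iptables  -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
}

# Internet connection sharing: LAN clients are masqueraded behind the WAN address.
connection_sharing() {
  run sysctl -q -w net.ipv4.ip_forward=1
  run sysctl -q -w net.ipv6.conf.all.forwarding=1
  run iptables -t nat -F
  run iptables -t nat -A POSTROUTING -s "$LAN_NET4" -o "$WAN" -j MASQUERADE
}

# Many-to-smaller-many IPv6 NAT: the /72 keeps only the low 56 bits of each
# inside address, so inside addresses that differ only in the bits above those
# collide on the same outside address; replies are still matched by conntrack.
ipv6_netmap() {
  run ip6tables -t nat -F
  run ip6tables -t nat -A POSTROUTING -s "$INSIDE6" -o "$WAN" -j NETMAP --to "$OUTSIDE6"
}

apply_all() { stateful_firewall; connection_sharing; ipv6_netmap; }

case "${1:-}" in
  apply) apply_all ;;
esac
```

The INVALID drop comes before the ESTABLISHED,RELATED accept on purpose: packets that conntrack cannot attribute to any flow are the ones that would otherwise slip through as "replies".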

Using bridges

Use case: Preserve IP address even if USB NIC is removed

Network namespaces

Further information: Notes about namespaces#Network namespaces

Using macvlan/ipvlan/veth

VETH devices in layer 3 mode

veth devices are inherently layer 2 (each end of the pair is an Ethernet device), but they can be used in a layer-3 mode: give each end a point-to-point address and a host route to the other end instead of putting both ends into a shared subnet or onto a bridge.

Use case: Multiple IP addresses on one machine, in a way that is transparent to the application

This is mostly useful if you want to run multiple instances of the same type of server on the same ports, but for whatever reason other programs (servers or non-servers) behave strangely if you have multiple IP addresses assigned to a particular network interface.
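The pattern described above, as an added example that is not part of the original page: every server instance gets its own network namespace and its own address, connected to the host through a veth pair in layer-3 mode, so each instance binds its port as if it were the only one on the machine. The namespace names, the 10.200.0.1 next-hop address, the 192.0.2.x instance addresses and the `python3 -m http.server` command are assumptions made for this example; the upstream is assumed to route 192.0.2.0/24 to this host.

```shell
#!/bin/sh
# Added example, not part of the original page: one network namespace per server
# instance, each reached over its own veth pair used in layer-3 mode (point-to-point
# addresses and host routes, no bridge and no shared subnet). The namespace names,
# the 10.200.0.1 next-hop address, the 192.0.2.x instance addresses and the server
# command are assumptions made for this example; 192.0.2.0/24 must be routed to
# this host by the upstream. Run as root; DRY_RUN=1 prints the commands instead.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

NEXT_HOP=10.200.0.1   # the same /32 on every host-side veth end; it is only a next hop

host_up() { run sysctl -q -w net.ipv4.ip_forward=1; }

# add_instance NAME ADDR: namespace NAME owning ADDR, connected through veth v-NAME
add_instance() {
  ns=$1; addr=$2
  run ip netns add "$ns"
  run ip link add "v-$ns" type veth peer name eth0 netns "$ns"
  # "peer" installs the host route ADDR/32 over v-NAME: no subnet, no ARP for ADDR.
  run ip addr add "$NEXT_HOP" peer "$addr/32" dev "v-$ns"
  run ip link set "v-$ns" up
  run ip -n "$ns" link set lo up
  # Inside, the instance address is the only address; the next hop is on-link via peer.
  run ip -n "$ns" addr add "$addr" peer "$NEXT_HOP/32" dev eth0
  run ip -n "$ns" link set eth0 up
  run ip -n "$ns" route add default via "$NEXT_HOP"
}

# launch NAME CMD...: the program binds its port as usual and sees one address only
launch() { ns=$1; shift; run ip netns exec "$ns" "$@"; }

case "${1:-}" in
  up)
    host_up
    add_instance svc1 192.0.2.10
    add_instance svc2 192.0.2.11
    # Two instances of the same server on the same port, unaware of each other.
    launch svc1 python3 -m http.server 80 &
    launch svc2 python3 -m http.server 80 &
    wait ;;
  down) run ip netns del svc1; run ip netns del svc2 ;;
esac
```

Because the host only holds /32 routes toward the instances, adding a third instance is one more `add_instance` call and nothing else changes; no program on the host ever sees a second address on an interface, which is the problem the paragraph above describes.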

Use case: Managing the network subsystem without root access

This is mostly useful for self-contained networks that are only used within a single program or a set or bundle of programs.

DNSMasq

IPv6 prefix delegation using isc-dhcp-client

You can write a custom script to do whatever you want once you receive an IPv6 prefix from your ISP or upstream DHCPv6 server.
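One such script, as an added example that is not part of the original page: a dhclient exit hook that splits the delegated prefix into /64s and puts one on each internal interface. It assumes dhclient was asked for a prefix (`ia-pd` in dhclient.conf) and exports it as `$new_ip6_prefix` with `$reason` set to `BOUND6`, `RENEW6` or `REBIND6`; the interface names in `LAN_IFACES` and the `::1` router address are placeholders chosen for the example. The `pd_subnet` helper does the prefix arithmetic so that a /56 or /48 delegation works without hard-coding the subnet ids.

```shell
#!/bin/sh
# Added example, not part of the original page: a dhclient exit hook that splits
# a delegated IPv6 prefix into /64s and puts one on each internal interface.
# Assumptions: dhclient was asked for a prefix ("ia-pd" in dhclient.conf) and
# exports it as $new_ip6_prefix with $reason set to BOUND6, RENEW6 or REBIND6;
# the interface names in LAN_IFACES are placeholders. Drop the file into
# /etc/dhcp/dhclient-exit-hooks.d/ (Debian layout), where it is sourced.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN_IFACES=${LAN_IFACES:-"eth1 eth2"}

# pd_subnet PREFIX/LEN N: print the N-th /64 inside PREFIX/LEN (32 <= LEN <= 64).
# Returns 1 without output when N does not fit into the delegation.
pd_subnet() {
  pfx=${1%/*}; plen=${1#*/}; n=$2
  [ "$plen" -ge 32 ] && [ "$plen" -le 64 ] || return 1
  [ "$n" -ge 0 ] && [ "$n" -lt $(( 1 << (64 - plen) )) ] || return 1
  # Only the first four hextets carry a /64; anything after "::" is zero here.
  head=$(printf '%s' "${pfx%%::*}" | cut -d: -f1-4)
  set -- $(printf '%s' "$head" | tr ':' ' ')
  h1=${1:-0}; h2=${2:-0}; h3=${3:-0}; h4=${4:-0}
  # The subnet id lives in hextets 3 and 4; add N to that 32-bit value.
  sub=$(( ((0x$h3 << 16) | 0x$h4) + n ))
  printf '%x:%x:%x:%x::/64\n' $(( 0x$h1 )) $(( 0x$h2 )) \
    $(( (sub >> 16) & 0xffff )) $(( sub & 0xffff ))
}

# apply_delegated_prefix PREFIX/LEN: the i-th /64 goes to the i-th LAN interface,
# with ::1 as the router address that radvd or dnsmasq will then advertise.
apply_delegated_prefix() {
  # Blackhole the whole delegation first: otherwise traffic to an unused part of
  # it follows the default route back to the ISP, which routes it here again.
  run ip -6 route replace blackhole "$1"
  i=0
  for dev in $LAN_IFACES; do
    sub=$(pd_subnet "$1" "$i") || return 1
    run ip -6 addr replace "${sub%::/64}::1/64" dev "$dev"
    i=$((i + 1))
  done
}

case "${reason:-}" in
  BOUND6|RENEW6|REBIND6)
    [ -n "${new_ip6_prefix:-}" ] && apply_delegated_prefix "$new_ip6_prefix" ;;
esac
```

`ip -6 addr replace` rather than `add` keeps the hook idempotent across renewals; when the ISP hands out a different prefix on rebind, the old addresses are what still needs removing, and that is the part most hook scripts forget.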

6in4 and WireGuard tunnels

Adding a list of allowed IPs to a client's peer entry on the server does two things: packets destined for those prefixes are routed through the WireGuard tunnel to that client, and packets arriving from that client are accepted only if their source address lies inside the list, so the client can communicate back using that prefix as a source address. WireGuard calls this cryptokey routing: AllowedIPs is both the routing table and the ingress filter for that peer.

AllowedIPs is therefore similar to the prefix delegation model described under IPv6 prefix delegation above: the server effectively delegates a prefix to each client.

Use case: WireGuard with network namespaces

By putting the WireGuard interface in a different network namespace than the original namespace, the configuration for the WireGuard interface becomes independent of the network configuration of the host: the interface keeps sending its encrypted UDP traffic from the namespace it was created in, while its addresses, routes and the processes that use it live in the new namespace, which sees nothing but the tunnel. This is useful for some scenarios like avoiding IP conflicts, especially when using public WiFi, and it also means those processes have no path that bypasses the tunnel.

Further information: https://www.wireguard.com/netns
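Both WireGuard use cases above in one script, as an added example that is not part of the original page or of the WireGuard project: the server-side AllowedIPs entry that hands a client its /64 (the cryptokey-routing point made above), and a client that creates `wg0` in the host namespace and then moves it into a namespace of its own, following the layout described at the link above. The namespace name `vpn`, the 10.8.0.0/24 and 2001:db8:8::/48 tunnel addressing, the key file path and the endpoint are assumptions made for this example; keys come from the environment.

```shell
#!/bin/sh
# Added example, not part of the original page: the server-side AllowedIPs entry
# for one client, and a client that keeps its WireGuard interface in a separate
# network namespace. Keys are read from the environment; the namespace name "vpn",
# the 10.8.0.0/24 and 2001:db8:8::/48 tunnel addressing, the key file path and
# the endpoint are assumptions made for this example. Run as root; with DRY_RUN=1
# the commands are printed instead of executed.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

NS=${NS:-vpn}
CLIENT_ADDR4=10.8.0.2/32
CLIENT_ADDR6=2001:db8:8::2/128
CLIENT_PREFIX6=2001:db8:8:2::/64     # prefix "delegated" to the client via AllowedIPs

# Server side. Cryptokey routing: packets for 10.8.0.2 and the client's /64 are
# sent to this peer, and packets from this peer are dropped unless their source
# address is inside the same list.
server_add_client() {
  run wg set wg0 peer "${CLIENT_PUBKEY:?public key of the client}" \
    allowed-ips "${CLIENT_ADDR4},${CLIENT_PREFIX6}"
  # AllowedIPs is not a kernel route; the server still needs one toward wg0.
  run ip -6 route replace "$CLIENT_PREFIX6" dev wg0
}

# Client side. The interface is created in the host namespace, so its UDP socket
# stays there, and is then moved into $NS; programs started in $NS have no other
# way out than the tunnel.
client_netns_up() {
  run ip netns add "$NS"
  run ip link add wg0 type wireguard
  run wg set wg0 private-key "${WG_KEY_FILE:-/etc/wireguard/client.key}"
  run ip link set wg0 netns "$NS"
  run ip -n "$NS" link set lo up
  run ip -n "$NS" addr add "$CLIENT_ADDR4" dev wg0
  run ip -n "$NS" addr add "$CLIENT_ADDR6" dev wg0
  run ip netns exec "$NS" wg set wg0 \
    peer "${SERVER_PUBKEY:?public key of the server}" \
    endpoint "${SERVER_ENDPOINT:?host:port of the server}" \
    allowed-ips 0.0.0.0/0,::/0 persistent-keepalive 25
  run ip -n "$NS" link set wg0 up
  run ip -n "$NS" route add default dev wg0
  run ip -n "$NS" -6 route add default dev wg0
}

# in_vpn CMD...: run a program that can only talk through the tunnel
in_vpn() { run ip netns exec "$NS" "$@"; }

case "${1:-}" in
  server) server_add_client ;;
  client) client_netns_up ;;
esac
```

The order in `client_netns_up` matters: `ip link add wg0 type wireguard` before `ip link set wg0 netns`. The UDP socket is bound to the namespace the interface is created in, so creating it after the move would leave it with no physical interface to send through.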

Policy-based routing

Use case: Multihomed network with provider-assigned IPv6 addresses
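The multihomed case as an added example that is not part of the original page: a router with two IPv6 uplinks, each provider having assigned its own prefix, and a LAN whose hosts carry an address from both. Source-based rules send each packet out through the provider whose prefix its source address belongs to; providers filter on source address (BCP 38), so a packet with A's address leaving through B is simply dropped. The interface names, the fe80::1 gateways, the 2001:db8:a::/48 and 2001:db8:b::/48 delegations (with ::/64 on the WAN side and :1::/64 on the LAN) and the table numbers are assumptions made for this example; the addresses themselves are assumed to be configured already.

```shell
#!/bin/sh
# Added example, not part of the original page: source-based policy routing on a
# router with two IPv6 uplinks, each with its own provider-assigned prefix. The
# interface names, the fe80::1 gateways and the 2001:db8:a::/48 and 2001:db8:b::/48
# prefixes (with ::/64 on the WAN side and :1::/64 on the LAN) are assumptions made
# for this example. Run as root; with DRY_RUN=1 the commands are printed instead.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN=${LAN:-eth2}

# provider TABLE WAN_IF GW PREFIX WAN_NET LAN_NET: one routing table per provider,
# selected by the source address. Providers filter on source (BCP 38), so a packet
# with A's address must leave through A.
provider() {
  table=$1; wan=$2; gw=$3; prefix=$4; wan_net=$5; lan_net=$6
  run ip -6 route flush table "$table"
  # Connected routes must be repeated: a table with only a default route would
  # send even on-link traffic to the provider.
  run ip -6 route add "$wan_net" dev "$wan" table "$table"
  run ip -6 route add "$lan_net" dev "$LAN" table "$table"
  run ip -6 route add default via "$gw" dev "$wan" table "$table"
  run ip -6 rule add from "$prefix" lookup "$table" pref "$table"
}

pbr_up() {
  run sysctl -q -w net.ipv6.conf.all.forwarding=1
  provider 100 eth0 fe80::1 2001:db8:a::/48 2001:db8:a::/64 2001:db8:a:1::/64
  provider 200 eth1 fe80::1 2001:db8:b::/48 2001:db8:b::/64 2001:db8:b:1::/64
  # Locally originated traffic has no source address yet when the route is
  # chosen, so it uses the main table; the source is then picked from that
  # interface and the rules above keep the rest of the flow on that provider.
  # Prefer A, fall back to B.
  run ip -6 route replace default via fe80::1 dev eth0 metric 100
  run ip -6 route replace default via fe80::1 dev eth1 metric 200
}

case "${1:-}" in
  up) pbr_up ;;
esac
```

`ip -6 route get 2001:db8::1 from 2001:db8:b:1::5` shows which table a given source ends up in and is the quickest way to check the rules without sending traffic.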

ARP and NDP proxying

802.1Q VLANs

Wi-Fi (802.11)

wpa_supplicant