Linux Networking Primitives
Adding IPv4/IPv6 addresses to interfaces
ip addr add 192.0.2.1/24 dev eth0
ip addr add 2001:db8::1/64 dev eth0
ip addr add 192.0.2.1 dev eth0
ip addr add 2001:db8::1 dev eth0
The last two forms have no prefix length associated with the address, so they only set the specified IP address as "local"; any other routes have to be added manually with ip route.
Setting up (static) routes
TODO: image showing router-to-router communication; two nodes can communicate with each other as long as every router in between, and each of the nodes themselves, has a route that covers the other node's IP address and is directed correctly toward the other node.
TODO: image showing differences between "access" and non-"access" subnets
Using iptables / firewall
Common use case: Simple stateful (connection tracking) firewall
Common use case: Internet connection sharing using the "nat" table
Less common use case: IPv6 many-to-smaller-many NAT
ip6tables -t nat -A POSTROUTING -s 2001:db8:1::/48 -o eth0 -j NETMAP --to 2001:db8:0:1:300::/72
See 300 IPv6 addresses.
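NETMAP keeps the host bits of the original address and overwrites the network bits with the target prefix, so mapping the /48 above onto a /72 discards 24 bits of every source address and distinct internal hosts can end up behind the same mapped address. The following is an added example, not part of the original notes: it models that bit arithmetic in Python for the two prefixes in the rule, and the sample host addresses are constructed.

```python
import ipaddress
from collections import defaultdict

SRC = "2001:db8:1::/48"        # -s prefix from the rule above
TO = "2001:db8:0:1:300::/72"   # --to prefix from the rule above

def netmap(addr, to_prefix=TO):
    """Map one address the way NETMAP does: keep the host bits of the
    original address, overwrite the network bits with the target prefix."""
    target = ipaddress.IPv6Network(to_prefix)
    host_bits = int(ipaddress.IPv6Address(addr)) & int(target.hostmask)
    return ipaddress.IPv6Address(int(target.network_address) | host_bits)

def lost_bits(src_prefix=SRC, to_prefix=TO):
    """Number of source host bits that the longer target prefix overwrites."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    return max(0, dst.prefixlen - src.prefixlen)

def collisions(addrs, src_prefix=SRC, to_prefix=TO):
    """Group source addresses by mapped address; return groups with >1 member."""
    src = ipaddress.IPv6Network(src_prefix)
    groups = defaultdict(list)
    for a in addrs:
        if ipaddress.IPv6Address(a) not in src:
            continue  # the rule's -s match would not apply to this packet
        groups[str(netmap(a, to_prefix))].append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample hosts (not from the original notes).
SAMPLE = [
    "2001:db8:1::1",
    "2001:db8:1:5::1",       # differs only in bits 48-63, which are overwritten
    "2001:db8:1:0:42::1",
    "2001:db8:1:0:1042::1",  # differs only in bits 64-71, which are overwritten
    "2001:db8:2::1",         # outside the -s prefix
]

if __name__ == "__main__":
    for a in SAMPLE[:4]:
        print(f"{a:24} -> {netmap(a)}")
    print(f"{lost_bits()} source bits overwritten; colliding groups:")
    for mapped, sources in collisions(SAMPLE).items():
        print(f"  {mapped} <- {sources}")
```

Anything keyed on the mapped address (upstream ACLs, logs, rate limits) cannot tell the colliding hosts apart, so the internal addressing plan should keep the overwritten bits constant if a one-to-one mapping is expected.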
Using bridges
Use case: Preserve IP address even if USB NIC is removed
Network namespaces
- Further information: Notes about namespaces#Network namespaces
Using macvlan/ipvlan/veth
VETH devices in layer 3 mode
veth devices are inherently layer 2, but they can be used in a layer-3 mode.
Use case: Multiple IP addresses on one machine, in a way that is transparent to the application
This is mostly useful if you want to run multiple instances of the same type of server on the same ports, but for whatever reason other programs (servers or non-servers) behave strangely if you have multiple IP addresses assigned to a particular network interface.
Use case: Managing the network subsystem without root access
This is mostly useful for self-contained networks that are only used within a single program or a set or bundle of programs.
DNSMasq
IPv6 prefix delegation using isc-dhcp-client
You can write a custom script to do whatever you want once you receive an IPv6 prefix from your ISP or upstream DHCPv6 server.
6in4 and WireGuard tunnels
AllowedIPs is similar to the prefix delegation model shown to the right.
Use case: WireGuard with network namespaces
By putting the WireGuard interface in a different network namespace from the original namespace, the configuration for the WireGuard interface becomes independent of the network configuration of the host. This is useful for some scenarios like avoiding IP conflicts, especially when using public WiFi.
- Further information: https://www.wireguard.com/netns