Tunneling with iproute2
Simone Piunno (Chinese translation by WQCH)

1. Introduction

iproute2 is a high-level network configuration toolkit for Linux. Starting with the 2.2 kernel, Alexey Kuznetsov rewrote the network stack so that it is configured dynamically through rtnetlink sockets, a modern and powerful interface, and iproute2 is the user-space side of that interface. Its most attractive feature is that it replaces the functionality of ifconfig, arp, route and iptunnel with a single, consistent command set, and adds many functions those tools never had. Today iproute2 is installed by default in most major distributions, even though their init scripts are still often built around the older tools such as ifconfig, and iptunnel is rarely used. If your distribution does not ship this important package, you can download it from ftp://ftp.inr.ac.ru/ip-routing/ and compile it yourself.

At the time of writing, the biggest shortcoming of iproute2 is the lack of documentation; however, the syntax of the ip command is simple and reads almost like English, which largely makes up for it. Anyone used to ifconfig and route should meet no real difficulty with ip and will quickly feel at home. This article assumes that the reader already has some networking background and has used the ifconfig and route commands on Linux.
2. Tunnels in brief

Consider two network nodes that need to exchange data over a protocol different from IPv4, or two private LANs with non-globally-routable addresses that want to talk to each other directly across the Internet. Problems like these are usually solved with a virtual point-to-point connection between the two nodes, which is called a tunnel.

Picture every packet travelling on the network as an envelope: inside are some bytes, and on the outside are written the sender's and the receiver's addresses. A tunnel puts this envelope inside a second envelope that carries a different sender and receiver, ones that are valid on the transport network the packet has to cross. When the packet reaches the outer receiver (the one written on the outer envelope), the outer envelope is removed and discarded, and the inner envelope (the original packet) continues towards its real destination.

The nodes that wrap and unwrap the extra envelope are called the tunnel endpoints, and each of them needs a globally reachable IPv4 address. This is why a tunnel cannot be established through network address translation (NAT). Likewise, if the tunnel crosses a firewall, the firewall must be explicitly configured to let the encapsulated traffic through: the outer packets of a sit (IPv6-in-IPv4) tunnel carry IP protocol 41 and those of a GRE tunnel carry IP protocol 47, neither of which is TCP or UDP, so a rule set written only in terms of ports silently blocks them. Keep in mind also that these encapsulations authenticate and encrypt nothing: whoever can deliver packets to your endpoint bearing the peer's source address can inject traffic into the tunnel, so at the very least filter the outer packets on the source address of the expected peer, and use IPsec if confidentiality or integrity is needed.

A typical tunnel application is to connect two IPv6 nodes across a pure IPv4 network. The two nodes are joined by an IPv6-in-IPv4 tunnel that behaves like a point-to-point IPv6 link, so two IPv6 islands can be connected (6bone works as a network of such tunnels). There are two ways to set up IPv6-over-IPv4 tunnels: automatic tunnels and manually configured tunnels (see RFC 2373 for the IPv6 addressing architecture and RFC 2893 for the tunnelling mechanisms themselves). This article discusses the latter, manual configuration.

3. Creating a tunnel

Building a tunnel with iproute2 is very easy. First you need to choose a name for the tunnel.
If you choose the name foo, the following command creates a tunnel in sit mode:

ip tunnel add foo mode sit remote 192.168.1.42

This builds an IPv6-in-IPv4 tunnel whose remote endpoint is the IPv4 address 192.168.1.42. Note that we have not specified which local IPv4 address or which interface the tunnel should use; the result can be inspected with ip tunnel show:

[root@abulafia root]# ip tunnel show
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
foo: ipv6/ip  remote 192.168.1.42  local any  ttl inherit

The tunnel we created is the one on the second line; sit0 is the kernel's own automatic tunnel device, which exists as soon as sit support is loaded. Now let's look at the list of all available interfaces, physical network adapters and virtual ones alike:

[root@abulafia root]# ip link show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
6: foo@NONE: <POINTOPOINT,NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 peer 192.168.1.42
Notice that lo and eth0 are flagged UP, meaning they are already active, while the tunnels are not. To double-check, look at ifconfig:

[root@abulafia root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:528 (528.0 b)
          Interrupt:9 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35402 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3433996 (3.2 Mb)  TX bytes:3433996 (3.2 Mb)

Obviously the inactive interfaces are not displayed, so remember that ip link show lists every available interface whether it is active or not, while ifconfig only shows the active ones. To activate foo, use:

ip link set foo up

To deactivate it:

ip link set foo down

To delete the tunnel altogether:

ip tunnel del foo

4. Special tunnels

The previous section showed how to build an IPv6-in-IPv4 tunnel; now let's look at a few different cases.

4.1 GRE tunnels

If you do not need IPv6, but want to carry plain IPv4 packets (for example between two private LANs) across a transport network, it is better to use gre mode instead of sit mode. For example:
[root@abulafia root]# ip tunnel add foo4 mode gre remote 192.168.1.42
[root@abulafia root]# ip tunnel show
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
foo4: gre/ip  remote 192.168.1.42  local any  ttl inherit
[root@abulafia root]# ip link show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
7: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
9: foo4@NONE: <POINTOPOINT,NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 peer 192.168.1.42
GRE is a tunnel encapsulation that is also supported by Cisco routers, which use it to carry various protocols over IPv4, so a gre tunnel can interoperate with Cisco equipment. Linux implements another tunnel type, ipip, which also does IPv4-in-IPv4 encapsulation, but it is Linux-only and carries unicast IP over IP only (so it cannot transport IPX or broadcast packets). In general, gre mode is the better choice. Note the MTU in the listings: 1480 for sit and 1476 for gre, because the outer IPv4 header (20 bytes) and, for GRE, the 4-byte GRE header are taken out of the 1500 bytes available on eth0. Forgetting this is a common cause of large packets silently disappearing inside a tunnel.

4.2 Explicit local endpoint

Even though the kernel is smart enough to choose the local endpoint for you, it is best to state explicitly both the local IPv4 address and the interface the tunnel is bound to, using the local and dev parameters (delete the earlier foo first with ip tunnel del foo, because ip tunnel add refuses to reuse an existing name):

[root@abulafia root]# ip tunnel add foo mode sit local 192.168.0.1 remote 192.168.1.42 dev eth0
[root@abulafia root]# ip tunnel show
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
foo: ipv6/ip  remote 192.168.1.42  local 192.168.0.1  dev eth0  ttl inherit
[root@abulafia root]# ip link show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
11: foo@eth0: <POINTOPOINT,NOARP> mtu 1480 qdisc noop
    link/sit 192.168.0.1 peer 192.168.1.42
Notice that the interface is now labelled foo@eth0, which reminds us where the tunnel has been explicitly attached.
4.3 Time to live

When using tunnels it is easy to create a routing loop by mistake (for example by routing the tunnel's own encapsulated packets back into the tunnel). To limit the damage, the rule of thumb is to generate the outer packets with a low TTL, so that looping packets die after a bounded number of hops instead of circulating forever. The initial TTL can be set with the ttl option of ip tunnel add; by default it is inherited from the inner packet being encapsulated (the ttl inherit shown by ip tunnel show). IANA recommends a default TTL of 64.

5. Tunnel addresses

One or more addresses can be assigned to a tunnel interface exactly as to any other network interface.

5.1 Primary address

The primary address is assigned directly:

ip addr add 3ffe:9001:210:3::42/64 dev foo
ip addr add 192.168.0.2/24 dev foo4
ip addr add 10.20.30.40/8 dev eth0

The number after the slash is the network prefix length (CIDR notation); on an IPv4 LAN the kernel uses it to compute the netmask and the broadcast address. Tunnels, however, are point-to-point interfaces with no broadcast address, so there the prefix length only determines which destinations are treated as directly reachable through the tunnel. (The 3ffe::/16 prefix used throughout this article belonged to the 6bone test network, which has since been retired; substitute a prefix of your own.)

Note: before assigning an address to an interface you must activate it with ip link set ... up.

To remove an address from an interface, replace add with del:

ip addr del 3ffe:9001:210:3::42/64 dev foo
ip addr del 192.168.0.2/24 dev foo4

To list the IP addresses available on your machine:

[root@abulafia root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::248:54ff:fe1b:2530/10 scope link
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
5: foo@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 peer 192.168.1.42
    inet6 3ffe:9001:210:3::42/64 scope global
    inet6 fe80::c0a8:1/10 scope link
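Sections 4.2 and 4.3 above recommend an explicit local endpoint and a fixed TTL, and section 2 warns that a tunnel accepts whatever arrives with a matching outer source. The following script is an added example, not part of the original article: it reads the output format of ip tunnel show as printed above and flags every named tunnel that still has local any, remote any or ttl inherit. The sample output embedded in it is constructed for the demo; on a real machine run ip tunnel show | audit_tunnels.

```shell
#!/bin/sh
# Added example (not from the original article): audit "ip tunnel show"
# output for tunnels that were left with the kernel's defaults.
#   local any   - local endpoint chosen by the kernel per packet
#   remote any  - decapsulates packets from ANY source address
#   ttl inherit - outer TTL copied from the inner packet, no loop damping
# Exit status is non-zero when at least one tunnel is flagged.

audit_tunnels() {
    rc=0
    while read -r line; do
        # the kernel's automatic devices always look like this; skip them
        case "$line" in
            ''|sit0:*|gre0:*|tunl0:*) continue ;;
        esac
        name=${line%%:*}
        case "$line" in
            *" remote any"*)
                echo "$name: remote any: accepts encapsulated packets from any source"
                rc=1 ;;
        esac
        case "$line" in
            *" local any"*)
                echo "$name: no explicit local endpoint (add 'local <ipv4> dev <if>')"
                rc=1 ;;
        esac
        case "$line" in
            *" ttl inherit"*)
                echo "$name: ttl inherited from the inner packet (add 'ttl 64')"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample, in the format "ip tunnel show" prints: the article's
# foo tunnel before section 4.2, a hardened bar tunnel, and sit0.
SAMPLE_TUNNEL_SHOW='sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
foo: ipv6/ip  remote 192.168.1.42  local any  ttl inherit
bar: ipv6/ip  remote 192.168.1.43  local 192.168.0.1  dev eth0  ttl 64'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_TUNNEL_SHOW" | audit_tunnels
fi
```

Run with the argument demo to see the two findings for foo (bar passes). The sit0 device is skipped only because it is the kernel's catch-all; if you do not need it, leave it down, because while it is up it will decapsulate protocol 41 packets from anyone.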
5.2 Aliases

When using several addresses on one interface, people used to ifconfig will be surprised that adding further addresses with ip addr add does not produce virtual interfaces such as eth0:1, eth0:2. That naming scheme dates from the 2.0 kernel and ifconfig still uses it today. For example:

[root@abulafia root]# ip addr add 192.168.0.11/24 dev eth0
[root@abulafia root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.11/24 scope global secondary eth0
    inet6 fe80::248:54ff:fe1b:2530/10 scope link
[root@abulafia root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:528 (528.0 b)
          Interrupt:9 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:34732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3386912 (3.2 Mb)  TX bytes:3386912 (3.2 Mb)

foo       Link encap:IPv6-in-IPv4
          inet6 addr: 3ffe:9001:210:3::42/64 Scope:Global
          inet6 addr: fe80::c0a8:1/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
The added address is fully working and is shown by ip addr show, but ifconfig does not even see it. To solve this, add a label parameter (the address is added again here, so delete the unlabelled copy first with ip addr del 192.168.0.11/24 dev eth0, otherwise the kernel answers "File exists"):

[root@abulafia root]# ip addr add 192.168.0.11/24 label eth0:1 dev eth0
[root@abulafia root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.11/24 scope global secondary eth0:1
    inet6 fe80::248:54ff:fe1b:2530/10 scope link
[root@abulafia root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:528 (528.0 b)
          Interrupt:9 Base address:0x5000

eth0:1    Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.11  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x5000

(Bcast:0.0.0.0 appears because no broadcast address was given; the brd + option of ip addr add makes ip derive it from the prefix.)
Note: the label can in principle be any string, and there is no obligation to follow the 2.0 kernel naming scheme; if you want backward compatibility with ifconfig, however, you must follow it. Current iproute2 releases go further and reject a label that does not begin with the interface name followed by a colon, so in practice eth0:something is the only form that works everywhere.

5.3 Tunnel IP addresses

When our machine is a stand-alone host, that is, not a router providing IPv6 access to an entire LAN, a global/public address is the best choice: an IPv6 address on a sit (IPv6-in-IPv4) tunnel, an IPv4 address on a gre (IPv4-in-IPv4) tunnel. If instead we are configuring a router, it is best to give the sit tunnel a link-local IPv6 address (which can be configured automatically or by hand) and the gre tunnel a private IPv4 address (IPv4 had no standardised link-local addresses at the time; 169.254.0.0/16 was defined later in RFC 3927), and to keep the globally valid addresses on eth0 (or whichever interface faces the LAN). Note that on a router you also have to enable forwarding, with:

sysctl -w net.ipv4.conf.all.forwarding=1   # for gre (IPv4-in-IPv4)
sysctl -w net.ipv6.conf.all.forwarding=1   # for sit (IPv6-in-IPv4)

You may even decide to enable forwarding only on a pair of interfaces, for example eth0 and the tunnel interface (called pippo here), with:

sysctl -w net.ipv6.conf.eth0.forwarding=1
sysctl -w net.ipv6.conf.pippo.forwarding=1

Caveat: for IPv6 the per-interface forwarding setting only switches that interface between host and router behaviour (for example whether it accepts router advertisements); the actual decision to forward packets is governed by net.ipv6.conf.all.forwarding, and which interfaces may forward to which has to be enforced with packet filtering (ip6tables). Turning on forwarding makes the machine a router on every interface, so add the filtering rules for the tunnel at the same time.

6. Routing

Now that the tunnel is configured, we have to say which traffic is to be sent through it. For IPv6 the general form of the command is:

ip route add 2000::/3 dev foo

This sends every destination whose first three bits are 001 (the global IPv6 unicast address space) to the foo interface. It is only one eighth of the whole IPv6 address space, but it is guaranteed to contain every possible remote host.
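Sections 3 to 6 together form one procedure: create the tunnel with explicit endpoints and a fixed TTL, bring it up, address it, route into it, and (section 2) let the encapsulated packets through the firewall. The script below is an added example, not code from the original article, that performs the whole sequence in order and can undo it. Its defaults are the article's own values (foo, local 192.168.0.1 on eth0, peer 192.168.1.42, the 3ffe: 6bone prefix, the 2000::/3 route) and are assumptions to override through the environment; the iptables rules, the gre and ipip cases (outer protocol 47 and 4) and the optional forwarding switch go beyond the article. With DRY_RUN=1 it prints each command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original article): the tunnel procedure of
# sections 3-6 as one script, plus teardown.  All defaults are assumptions
# taken from the article's examples; override them in the environment.
# DRY_RUN=1 prints the commands instead of running them.

TUN=${TUN:-foo}                          # tunnel interface name
MODE=${MODE:-sit}                        # sit | gre | ipip
LOCAL4=${LOCAL4:-192.168.0.1}            # our globally reachable IPv4 endpoint
REMOTE4=${REMOTE4:-192.168.1.42}         # the peer's IPv4 endpoint
DEV=${DEV:-eth0}                         # interface that owns LOCAL4
ADDR=${ADDR:-3ffe:9001:210:3::42/64}     # address for our end of the tunnel
ROUTE=${ROUTE:-2000::/3}                 # destinations sent through the tunnel
TTL=${TTL:-64}                           # fixed outer TTL so a loop dies out

# IP protocol number of the outer packets; the firewall must match on it,
# since none of these encapsulations use TCP or UDP ports.
case "$MODE" in
    sit)  PROTO=41 ;;
    gre)  PROTO=47 ;;
    ipip) PROTO=4 ;;
    *)    echo "unsupported mode: $MODE" >&2; exit 1 ;;
esac

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

tunnel_up() {
    # "ip tunnel add" fails if the name already exists, so start clean
    run ip tunnel del "$TUN" 2>/dev/null || true
    run ip tunnel add "$TUN" mode "$MODE" local "$LOCAL4" remote "$REMOTE4" dev "$DEV" ttl "$TTL"
    run ip link set "$TUN" up               # addresses go on an UP interface
    run ip addr add "$ADDR" dev "$TUN"
    run ip route add "$ROUTE" dev "$TUN"
    # Accept encapsulated packets only from the configured peer.  The
    # tunnel decapsulates whatever arrives with a matching outer source,
    # and sit/gre/ipip carry no authentication of their own; the final
    # DROP also keeps the kernel's catch-all sit0/gre0 from answering.
    run iptables -A INPUT -p "$PROTO" -s "$REMOTE4" -d "$LOCAL4" -j ACCEPT
    run iptables -A INPUT -p "$PROTO" -j DROP
    if [ "${ROUTER:-0}" = 1 ]; then         # only when routing for a LAN
        case "$MODE" in
            sit) run sysctl -w net.ipv6.conf.all.forwarding=1 ;;
            *)   run sysctl -w net.ipv4.conf.all.forwarding=1 ;;
        esac
    fi
}

tunnel_down() {
    run iptables -D INPUT -p "$PROTO" -j DROP 2>/dev/null || true
    run iptables -D INPUT -p "$PROTO" -s "$REMOTE4" -d "$LOCAL4" -j ACCEPT 2>/dev/null || true
    run ip route del "$ROUTE" dev "$TUN" 2>/dev/null || true
    run ip link set "$TUN" down 2>/dev/null || true
    run ip tunnel del "$TUN" 2>/dev/null || true
}

case "${1:-}" in
    up)   tunnel_up ;;
    down) tunnel_down ;;
esac
```

Usage: DRY_RUN=1 sh tunnel.sh up to review the commands, then sh tunnel.sh up as root; for the article's gre example set MODE=gre TUN=foo4 ADDR=192.168.0.2/24 and a suitable ROUTE. The route and sysctl steps are the ones that turn the machine into a router for the peer, so on a multi-homed host pair them with FORWARD rules as well.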