/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */



Marcell L. Toth <[EMAIL PROTECTED]> wrote:
>
> > Are there any problems that I might encounter?  This machine would
> > need to keep track of the megabytes sent and received hence the need
> > for one HUGE table of ipfwadm-type commands, i.e.  one line for each
> > user for each direction.
> 
> Well I think your main problem would NOT be the amount of lines in
> your ipchains setup...  that's what the netmask is for.

Several people on this list have posted "you don't need a zillion rules
in order to masquerade," but you are ignoring his requirement that he
needs to keep detailed usage statistics about traffic sent and received,
probably on a per-IP basis.  Sure, the masq would work just fine with
one or two rules, but there is no way to get these per-IP statistics (at
least, using masq rules), without creating a distinct rule for each IP.

Now, there are probably ways to *reduce* the number of masq rules that
the kernel needs to search, which is probably where your biggest
slowdown would come from.  I suggest that you could use rules that
trigger on a subnet, but instead of giving a target of MASQ, they could
call a sub-ruleset which contains masq rules for each IP in that subnet.
That way, the kernel doesn't have to search the entire table for a
match, every time.  It only needs to search a few short lists.

    ipchains -N subnet-1
    ipchains -A subnet-1 -s 192.168.1.2 -j MASQ
    ipchains -A subnet-1 -s 192.168.1.3 -j MASQ
    [...]

    ipchains -N subnet-2
    ipchains -A subnet-2 -s 192.168.2.2 -j MASQ
    ipchains -A subnet-2 -s 192.168.2.3 -j MASQ
    [...]

    ipchains -A forward -s 192.168.1.0/24 -j subnet-1
    ipchains -A forward -s 192.168.2.0/24 -j subnet-2
    [...]

I think you get the idea.
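An added example, not part of the original post: a POSIX shell generator for the two-level layout described above, which builds one per-subnet chain with a MASQ rule per host (so each host keeps its own packet/byte counters) and then one forward rule per /24 that jumps to that chain. The RUNNER variable, the "subnet-N" chain names and the 192.168.N.0/24 numbering are assumptions; with RUNNER left at "echo" it only prints the commands it would run.

```shell
#!/bin/sh
# Generator for the hierarchical ipchains masq layout (added example).
# RUNNER is assumed: "echo" for a dry run, "" to really execute ipchains.
RUNNER="${RUNNER:-echo}"

# emit_subnet_chain NAME PREFIX
# Create chain NAME and add one MASQ rule per host PREFIX.1 .. PREFIX.254,
# where PREFIX is the first three octets of a /24 (e.g. 192.168.1).
# The chain is created before anything jumps to it, since ipchains
# refuses a -j to a chain that does not exist yet.
emit_subnet_chain() {
    name="$1"; prefix="$2"
    $RUNNER ipchains -N "$name"
    i=1
    while [ "$i" -le 254 ]; do
        $RUNNER ipchains -A "$name" -s "$prefix.$i" -j MASQ
        i=$((i + 1))
    done
}

# generate_ruleset N
# Build chains subnet-1 .. subnet-N for 192.168.1.0/24 .. 192.168.N.0/24
# and the forward rule that dispatches each subnet to its chain.
generate_ruleset() {
    n="$1"
    j=1
    while [ "$j" -le "$n" ]; do
        emit_subnet_chain "subnet-$j" "192.168.$j"
        $RUNNER ipchains -A forward -s "192.168.$j.0/24" -j "subnet-$j"
        j=$((j + 1))
    done
}

# rules_searched_flat N / rules_searched_tiered N
# Worst-case rules the kernel walks for one packet: a flat list holds
# N*254 per-host rules; the tiered layout walks at most N forward rules
# plus the 254 rules of a single subnet chain.
rules_searched_flat()   { echo $(( $1 * 254 )); }
rules_searched_tiered() { echo $(( $1 + 254 )); }

# Dry run for two subnets when executed directly.
[ "${1:-}" = "demo" ] && generate_ruleset 2
```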

> However, if you really masquerade 2-3000 machines you might run out of
> high ports quickly.

This is a good point.  The number of ports is fixed at 4000 in the
standard kernel, and you must modify the kernel source in order to
change it.

In the 2.2 kernel, the file to edit is

    /usr/src/linux/include/linux/ip_masq.h

The settings look like this:

    #define PORT_MASQ_BEGIN 61000
    #define PORT_MASQ_END   (PORT_MASQ_BEGIN+4096)

This defines the starting port, and ending port, for masquerade.  Since
the ending port cannot be larger than 65534, the right way to increase
the port range is to decrease PORT_MASQ_BEGIN by the same amount that
you increase the "4096" constant in the PORT_MASQ_END calculation.

For instance, if you decided that you really want 8192 ports, then you
would change it like so:

    #define PORT_MASQ_BEGIN 57000
    #define PORT_MASQ_END   (PORT_MASQ_BEGIN+8192)

This gives a masq port range of 57000-65192.


Now, that being said, there is no real indication one way or the other,
that just because you have, say, 2000 clients, it means that you need X
number of ports available.  It really depends entirely on how active
those users will be, and what protocols they will use.

For instance, you will cut down severely on the DNS traffic (and port
usage) by setting up a caching nameserver on your firewall, and letting
the clients point to that.  If you have a lot of web traffic, you can
direct your clients to use a Squid proxy cache on the firewall box.  If
you have a lot of mail being sent, a mail server on the firewall will
obviate the need for clients to deliver mail directly.

So you can see, some creative approaches here will yield good results.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Just about every computer on the market
sometimes known as David DeSimone  ||  today runs Unix, except the Mac (and
  http://www.dallas.net/~fox/      ||  nobody cares about it). -- Bill Joy '85

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES 
UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.