[LARTC] 2 NICS - local services not shaping correctly
Hi

Having a problem trying to figure out how to shape local services running on the debian box (asterisk, squid etc) as currently the voice only seems to be getting shaped one way when making external calls. For example I have the rules below (these are the matching rules only, not the actual policy rules):

#Create Chain for local traffic (outbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x4445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j MARK --set-mark 0x4445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j RETURN

#Create Chain for all remaining traffic (outbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -j MARK --set-mark 0x4446
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -j RETURN

#Phones match (outbound)
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p tcp -m multiport --port 4569 -j CLASSIFY --set-class 1:1006
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p tcp -m multiport --port 4569 -j RETURN
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p udp -m multiport --port 4569 -j CLASSIFY --set-class 1:1006
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p udp -m multiport --port 4569 -j RETURN

#Create Chain for local traffic (inbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x4447
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j MARK --set-mark 0x4447
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j RETURN

#Create Chain for all remaining traffic (inbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -j MARK --set-mark 0x4448
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -j RETURN

#Phones match (inbound)
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p tcp -m multiport --port 4569 -j CLASSIFY --set-class 1:2008
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p tcp -m multiport --port 4569 -j RETURN
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p udp -m multiport --port 4569 -j CLASSIFY --set-class 1:2008
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p udp -m multiport --port 4569 -j RETURN

Kind Regards
William Bohannan

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
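Added example for the message above (not code from William's setup): a small POSIX sh generator that shows why rules keyed on --physdev-in leave a box's own services (asterisk, squid) unshaped in one direction. A packet the box originates never enters through a bridge port, so it carries no --physdev-in and only passes the mangle OUTPUT and POSTROUTING hooks; the box-to-peer direction therefore needs a rule keyed on the local source address instead. Chain names, addresses and marks are constructed placeholders; the script only prints rules and loads nothing.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints mangle rules that cover
# both bridged traffic (has an ingress bridge port, so --physdev-in works) and
# traffic the box itself originates (no ingress port, so --physdev-in can
# never match; it enters mangle at OUTPUT). Addresses, marks and chain names
# are constructed placeholders. Nothing is loaded; output is for review.

IPT="/sbin/iptables -t mangle"

# bridged_rules IN_PORT SRC DST MARK
# Forwarded traffic: keyed on the bridge port it arrived on.
bridged_rules() {
    echo "$IPT -A match-all -m physdev --physdev-in $1 -s $2 -d $3 -j MARK --set-mark $4"
    echo "$IPT -A match-all -m physdev --physdev-in $1 -s $2 -d $3 -j RETURN"
}

# local_rules LOCAL_ADDR DST MARK
# Locally generated traffic (asterisk, squid ...): seen in OUTPUT, where
# --physdev-in is meaningless, so select on the box's own source address.
local_rules() {
    echo "$IPT -A OUTPUT -s $1 -d $2 -j MARK --set-mark $3"
    echo "$IPT -A OUTPUT -s $1 -d $2 -j RETURN"
}

# rule_set IN_PORT PEER LOCAL_ADDR MARK
# Complete set for one local service talking to one peer: the peer->box
# direction via the bridge port, the box->peer direction via OUTPUT.
rule_set() {
    bridged_rules "$1" "$2" "$3" "$4"
    local_rules "$3" "$2" "$4"
}

# count_physdev_free IN_PORT PEER LOCAL_ADDR MARK
# Number of emitted rules that do not depend on --physdev-in (should be 2).
count_physdev_free() {
    rule_set "$@" | grep -vc -- '--physdev-in'
}

# Constructed sample: phone 192.0.2.10 talking to the box's address 192.0.2.1.
rule_set eth0 192.0.2.10 192.0.2.1 0x4445
```

The two OUTPUT rules are what the original rule set lacks: every rule there requires a --physdev-in port, so packets the box itself sends are never marked and fall through to whatever default the policy chain applies.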
[LARTC] HTB - Setting up guaranteed minimum rate for a leaf
Hi

I am currently trying to set up a guaranteed minimum rate for the leaf (1:1x). Also would I be correct in saying that the quantum is the dividing rule (so if I keep it the same "1532" and keep all the leafs in "1:1x" prio 3 they should all get the same amount of bandwidth shared across them equally?).

For example, below would the "rate" in the "1:1x" leaf be the minimum rate for that leaf, and what would happen if there were three leafs "1:10", "1:11", "1:12" all using 300Kbit as their rate? Would the bandwidth be shared equally among them even though it is greater than the "1:1" root rate of 600Kbit?

1:
  1:1 (600Kbit)
    1:10  1:11  1:12 etc...
    1:1001,1002...  1:2001,2002...  1:3001,3002... etc...

# setting up the main root 1:1 (600Kbit)
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 600Kbit

# setting up leafs 1:1x
/sbin/tc class add dev eth1 parent 1:1 classid 1:1x htb rate kbit ceil kbit prio 3 quantum 1532

# setting up leafs 1:
/sbin/tc class add dev eth1 parent 1:11 classid 1: htb rate Kbit ceil Kbit prio x quantum 1532
/sbin/tc qdisc add dev eth1 handle : parent 1: sfq

Kind Regards
William Bohannan
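Added example for the HTB question above (not code from the thread): a POSIX sh checker for an HTB plan. In HTB, rate is the guaranteed minimum for a class and ceil (which tc defaults to rate) is the most it may borrow up to; quantum only decides how excess bandwidth is split between siblings of the same prio, not the guarantee itself. The HTB documentation's rule is that a parent's rate should be at least the sum of its children's rates, so three 300Kbit leaves under a 600Kbit parent cannot all be honoured at once. Class ids and rates below are constructed from the thread's figures; the script prints tc commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks an HTB plan before it is
# loaded and prints the tc commands for it. Rates are integers in kbit.
# Leaves are given as CLASSID=RATE/CEIL, e.g. 1:10=300/300.

# max_equal_rate PARENT_RATE N -> largest equal rate N leaves can each be
# guaranteed under the parent (integer division).
max_equal_rate() {
    echo $(( $1 / $2 ))
}

# htb_check PARENT_RATE LEAF... -> report on stdout; returns 0 if the plan is
# consistent, 1 if a ceil is below its rate or the guarantees are
# oversubscribed. The parent's ceil is taken to equal its rate (tc's default
# when ceil is not given, as in the thread's 1:1 class).
htb_check() {
    parent_rate=$1
    shift
    total=0
    status=0
    for leaf in "$@"; do
        id=${leaf%%=*}
        rest=${leaf#*=}
        rate=${rest%%/*}
        ceil=${rest#*/}
        if [ "$ceil" -lt "$rate" ]; then
            echo "$id: ceil ${ceil}kbit is below rate ${rate}kbit"
            status=1
        fi
        if [ "$ceil" -gt "$parent_rate" ]; then
            echo "$id: ceil ${ceil}kbit exceeds the parent's ${parent_rate}kbit and cannot be reached"
        fi
        total=$((total + rate))
    done
    if [ "$total" -gt "$parent_rate" ]; then
        echo "oversubscribed: leaves guarantee ${total}kbit but the parent offers ${parent_rate}kbit"
        status=1
    else
        echo "ok: ${total}kbit guaranteed, $((parent_rate - total))kbit of the parent left to borrow"
    fi
    return $status
}

# emit_tc DEV PARENT_RATE LEAF... -> the tc commands for a checked plan. All
# leaves get the same prio and quantum, so bandwidth above their rates is
# shared equally between the leaves that want it.
emit_tc() {
    dev=$1
    parent_rate=$2
    shift 2
    echo "/sbin/tc class add dev $dev parent 1: classid 1:1 htb rate ${parent_rate}kbit"
    for leaf in "$@"; do
        id=${leaf%%=*}
        rest=${leaf#*=}
        rate=${rest%%/*}
        ceil=${rest#*/}
        echo "/sbin/tc class add dev $dev parent 1:1 classid $id htb rate ${rate}kbit ceil ${ceil}kbit prio 3 quantum 1532"
    done
}

# Constructed sample: the thread's three 300kbit leaves under a 600kbit parent
# (rejected), then the largest equal guarantee that fits (accepted).
htb_check 600 1:10=300/300 1:11=300/300 1:12=300/300 || echo "(plan rejected)"
share=$(max_equal_rate 600 3)
htb_check 600 "1:10=$share/600" "1:11=$share/600" "1:12=$share/600" && \
    emit_tc eth1 600 "1:10=$share/600" "1:11=$share/600" "1:12=$share/600"
```

With rate 200kbit and ceil 600kbit each leaf keeps its guarantee, and any leaf that is alone in wanting bandwidth can still borrow up to the full 600kbit of the parent.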
RE: [LARTC] 2 NICs Bridge + Router (working debian)
Thank you so much, been wanting to do this for ages, finally got it working (had to remove the gw) :)

### /etc/network/interfaces
#
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 193.xxx.xxx.77
netmask 255.255.255.128
network 193.xxx.xxx.0
broadcast 193.xxx.xxx.127
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

### /etc/init.d/brouter.sh
#
echo "Bringing up NAT"
ip addr add 192.168.2.101/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -d ! 192.168.2.0/24 -j MASQUERADE
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw 193.xxx.xxx.126

Kind Regards
William Bohannan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Taylor
Sent: Monday, June 04, 2007 4:53 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] 2 NICs Bridge + Router

On 06/04/07 11:28, William Bohannan wrote:
> Works well except I cannot for the life of me get NAT working. I have
> the following setup:

Good.

> ### Network Interface script
> # /etc/init.d/network/interfaces
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address 193.xxx.xxx.77
> netmask 255.255.255.128
> network 193.xxx.xxx.0
> broadcast 193.xxx.xxx.127
> gateway 193.xxx.xxx.126
>
> pre-up /sbin/ip link set eth0 up
> pre-up /sbin/ip link set eth1 up
> pre-up /usr/sbin/brctl addbr br0
> pre-up /usr/sbin/brctl addif br0 eth0
> pre-up /usr/sbin/brctl addif br0 eth1

What would happen if you added additional address, netmask, network, broadcast, and gateway lines? Would that allow you to have aliases defined in this manner, or would it simply override the existing settings?

> ### Simple script to start at boot
> # /etc/init.d/brouter.init
> echo "Bringing up NAT"
> ip addr add 10.10.1.254/24 dev br0
> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
> route add -net -n 0.0.0.0 dev br0
> #enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

Hum, this looks like you will be MASQUERADEing any and all traffic that leaves br0. I'm betting that you are MASQUERADEing some traffic that you do not want to MASQUERADE.

> Please advise.

You need to selectively MASQUERADE traffic that is leaving your br0 interface. I.e. MASQUERADE any traffic that is leaving your network headed to the world. You can accomplish this a couple of different ways (possibly more).

1) MASQUERADE any traffic that is not destined to your internal network. In other words MASQUERADE any traffic that is leaving your network. I.e.

iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE

(If I have that IPTables syntax correct. You get the idea.)

2) MASQUERADE any traffic that is leaving the physical interface that is facing the internet via the physdev IPTables match extension. (Sorry, I have no experience with this option.)

Personally, I would try to do it based on destination IP address rather than physical interface for various reasons that are not really pertinent here.

Grant. . . .
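Added example for the MASQUERADE fix above (not code from the thread): a POSIX sh model of the destination test behind the selective rule, so the difference between "-o br0 -j MASQUERADE" and the negated form can be checked offline. With one bridge carrying both the public and the private subnet, the unqualified rule also rewrites the source of LAN-to-LAN traffic. Current iptables wants the negation before the option ("! -d 10.10.1.0/24"); the "-d !" spelling used in the thread is the deprecated form. The subnet and the destinations are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Models the destination test
# behind the selective MASQUERADE rule so it can be checked offline. The
# private subnet and the destinations are constructed from the thread.

LAN=10.10.1.0/24

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX -> true if ADDR lies inside the prefix
in_subnet() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# needs_masquerade DST -> true when the selective rule would rewrite the
# packet, i.e. the destination is outside the LAN. This is exactly what the
# "! -d $LAN" match contributes; "-o br0 -j MASQUERADE" alone is true for
# every destination, LAN hosts included.
needs_masquerade() {
    ! in_subnet "$1" "$LAN"
}

# nat_rule OUT_IF NET/PREFIX -> the rule in current iptables syntax (negation
# before the option; "-d !" in the thread is the deprecated spelling)
nat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $1 ! -d $2 -j MASQUERADE"
}

# Constructed destinations: a LAN host, the brouter's private address, the
# public gateway and an internet host (documentation ranges).
for dst in 10.10.1.20 10.10.1.254 198.51.100.126 203.0.113.5; do
    if needs_masquerade "$dst"; then
        echo "$dst: outside $LAN -> source rewritten (MASQUERADE)"
    else
        echo "$dst: inside $LAN -> left alone"
    fi
done
nat_rule br0 "$LAN"
```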
RE: [LARTC] 2 NICs Bridge + Router
Grant

Thanks for the quick reply. On the test machine (10.10.1.20) can ping 193.xxx.xxx.77 & 10.10.1.254 (the brouter), however still cannot ping the internet gateway 193.xxx.xxx.126. Below is my routing table:

[root:~]$ route
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
localnet        *                255.255.255.128  U     0      0   0   br0
10.10.1.0       *                255.255.255.0    U     0      0   0   br0
default         *                0.0.0.0          U     0      0   0   br0
default         193.xxx.xxx.126  0.0.0.0          UG    0      0   0   br0

## Start up script
#
echo "Bringing up NAT"
ip addr add 10.10.1.254/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE
route add -net -n 0.0.0.0 dev br0
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw 193.220.59.126

## Network interfaces file
# /etc/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 193.xxx.xxx.77
netmask 255.255.255.128
network 193.xxx.xxx.0
broadcast 193.xxx.xxx.127
gateway 193.xxx.xxx.126
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

Thanks again for all the help so far.

Kind Regards
William Bohannan
RE: [LARTC] 2 NICs Bridge + Router
Grant

Works well except I cannot for the life of me get NAT working. I have the following setup:

### Network Interface script
# /etc/init.d/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 193.xxx.xxx.77
netmask 255.255.255.128
network 193.xxx.xxx.0
broadcast 193.xxx.xxx.127
gateway 193.xxx.xxx.126
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

### Simple script to start at boot
# /etc/init.d/brouter.init
echo "Bringing up NAT"
ip addr add 10.10.1.254/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
route add -net -n 0.0.0.0 dev br0
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Please advise.

Kind Regards
William Bohannan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Taylor
Sent: Thursday, May 31, 2007 2:36 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] 2 NICs Bridge + Router

On 05/31/07 07:22, William Bohannan wrote:
> Thanks Grant, I am very new to combining NATing and Bridge. Please
> can you possibly give an example on how to add the virtual interface.

I'll try. I don't recognize the format of the file below, but I'll take a stab at it.

> Current /etc/networking/interfaces looks like this:
> ---
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address xxx.xxx.xxx.xxx
> netmask 255.255.255.128
> network xxx.xxx.xxx.xxx
> broadcast xxx.xxx.xxx.xxx
> gateway xxx.xxx.xxx.xxx

auto br0:1
iface br0:1 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.128
network xxx.xxx.xxx.xxx
broadcast xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx

> pre-up /sbin/ip link set eth0 up
> pre-up /sbin/ip link set eth1 up
> pre-up /usr/sbin/brctl addbr br0
> pre-up /usr/sbin/brctl addif br0 eth0
> pre-up /usr/sbin/brctl addif br0 eth1
> -

Again this is just a guess and where I would start.

You may have better luck seeking support through your distribution.

Grant. . . .
RE: [LARTC] 2 NICs Bridge + Router
Grant

Didn't work, comes up with "cannot create bridge as already exists" and the current bridge br0 stops working. Currently using Debian. Will try the debian forums to see if someone can help. Thanks again for the assistance.

# /etc/network/interfaces
auto lo
iface lo inet loopback

# public ip
auto br0
iface br0 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.128
network xxx.xxx.xxx.xxx
broadcast xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx

# private ip
auto br0:1
iface br0:1 inet static
address 10.10.10.254
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

Kind Regards
William Bohannan
RE: [LARTC] 2 NICs Bridge + Router
Thanks Grant, I am very new to combining NATing and Bridge. Please can you possibly give an example on how to add the virtual interface.

Current /etc/networking/interfaces looks like this:
---
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address xxx.xxx.xxx.xxx
netmask 255.255.255.128
network xxx.xxx.xxx.xxx
broadcast xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1
-

Kind Regards
William Bohannan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Taylor
Sent: Monday, May 28, 2007 6:39 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] 2 NICs Bridge + Router

On 5/28/2007 8:12 AM, William Bohannan wrote:
> Hi wondering if anyone can help. I have two NICs on a debian sarge based
> system and current running as a bridge (br0) which consists of eth0 and
> eth1. Is it possible to add a virtual interface to the eth1 so I can
> also do NAT on the box as well? I have tried many times and keep coming
> up with errors.

Why not add virtual aliased interfaces to the br0 interface? Do your NATing there.

Grant. . . .
[LARTC] 2 NICs Bridge + Router
Hi, wondering if anyone can help. I have two NICs on a debian sarge based system, currently running as a bridge (br0) which consists of eth0 and eth1. Is it possible to add a virtual interface to the eth1 so I can also do NAT on the box as well? I have tried many times and keep coming up with errors.

Kind Regards
William Bohannan
[LARTC] Brouting on two NICS + 1 virtual NIC
Currently have a bridge working, would now like to add a third virtual nic so the machine can do nat as well for local users, however after a crazy amount of reading I can't seem to get my head around it. Please help.

Have a working bridge below (/etc/network/interfaces; eth0 is the internet side interface, so a virtual interface like eth1:0 would be nice :)

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 193.220.59.77
netmask 255.255.255.128
network 193.220.59.0
broadcast 193.220.59.127
gateway 193.220.59.126
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

Kind Regards
William
[LARTC] TC on multiple nics
Happy New Year.

Finally got my fw and tc rules down pat for the bridge, now interested in introducing a third nic to have nat on the box as well. Does anyone have an idea of a good place to start reading up on the subject? Mainly interested in how to set up the flow direction to start with, so as to get an overall understanding of the flow; found that helps best.

Internet --- eth0 --- eth1 --- bridge (eth0/eth1)

Now trying...

Internet --- eth0 --- eth1 --- bridge (eth0/eth1)
                  |- eth2 --- nat (eth0/eth2)

Would this be how it is done (started at least ;) )? Please advise?

# create the required tables and route traffic to them
/sbin/iptables -t mangle -N server-all
/sbin/iptables -t mangle -N server-all-chains
/sbin/iptables -t mangle -N server-prerouting
/sbin/iptables -t mangle -A PREROUTING -j server-prerouting
/sbin/iptables -t mangle -A server-prerouting -j CONNMARK --restore-mark

# bridge traffic - input (eth0 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth0 --physdev-out eth1 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0 --physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# bridge traffic - output (eth1 -> eth0)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth1 --physdev-out eth0 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1 --physdev-out eth0 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - input (eth0 -> eth2)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth0 --physdev-out eth2 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0 --physdev-out eth2 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - output (eth0 -> eth2)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth2 --physdev-out eth0 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2 --physdev-out eth0 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - input (eth2 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth1 --physdev-out eth2 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1 --physdev-out eth2 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - output (eth1 -> eth2)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth2 --physdev-out eth1 -j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2 --physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

Then simply create the rules for all the classids? And have a fallback for each classid.

Kind Regards
William
RE: [LARTC] filter policy drop and allow transparent proxy
Did exactly what you said and added the following lines to the code to make:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT

Still had no luck. The output you asked for:

server1:~# iptables -nvL INPUT
Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1

Kind Regards
William

-Original Message-
From: Jasbir Khehra [mailto:[EMAIL PROTECTED]
Sent: 29 December 2006 08:40
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before if you remove line 1 the transparent proxy works.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William

Need to do some debugging. Set default INPUT policy to ACCEPT and add various rules in the INPUT chain (without any target action) to verify which rules are matching.

for example:

iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

iptables -nvL INPUT

HTH
Jasbir
RE: [LARTC] filter policy drop and allow transparent proxy
Thanks for the quick response Jasbir. Tried doing as you said with no luck, changed dport to port 8080 on the 4th line (see below). Same as before, if you remove line 1 the transparent proxy works.

iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

Kind Regards
William

-Original Message-
From: Jasbir Khehra [mailto:[EMAIL PROTECTED]
Sent: 28 December 2006 18:37
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall, when I
> removed the first line the transparent proxy works great? It seems a
> bit strange as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William

The 4th line should look for packets on dport 8080 instead of 80

-Jasbir
[LARTC] filter policy drop and allow transparent proxy
Trying to use the policy drop rule with the bridged firewall; when I removed the first line the transparent proxy works great? It seems a bit strange, as from reading several articles on it I thought the following occurs.

1st line - if it doesn't match it gets dropped on the local filter input.
2nd line - redirects the traffic off the link layer into the network layer ready for line 3.
3rd line - redirects the port 80 to 8080 and then goes to the local process (squid) through the input filter
4th line - input filter accepts the traffic overriding the global reject policy.

iptables -P INPUT DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT

Any help would be most welcome.

Kind Regards
William
RE: [LARTC] blocking traffic on the FORWARD chain using physdev
All good, had INPUT instead of FORWARD on the established/related rule, now fixed. To test I used:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp -j DROP

works great!

Kind Regards
William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Bohannan
Sent: 20 December 2006 16:33
To: [EMAIL PROTECTED]
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] blocking traffic on the FORWARD chain using physdev

Still can't seem to block on the FORWARD chain in one direction. I tried

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP

Just as a test, no other rules enabled at all (in iptables, tc or ebtables), and it blocks both directions. Please can someone help?

Kind Regards
William

-Original Message-
From: Oscar Mechanic [mailto:[EMAIL PROTECTED]
Sent: 14 December 2006 12:41
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] blocking traffic on the FORWARD chain using physdev

Are you sure you want to block ICMP, how about PMTU

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp

On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote:
> Thanks for that. Would you be able to give a simple example on how to
> block outgoing traffic using ebtables and icmp? as I get an error when
> using icmp?
>
> ebtables -A FORWARD -i eth1 -p icmp -j DROP
>
> Error message - "Problem with the specified protocol."
>
> Kind Regards
> William
>
> -Original Message-
> From: Oscar Mechanic [mailto:[EMAIL PROTECTED]
> Sent: 14 December 2006 12:27
> To: William Bohannan
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev
>
> Hi
>
> Physdev may no longer be supported soon, something to do with hooks
> and how this is difficult to support. I have stopped using it cause I
> found some odd behavior in physdev-in, out seemed fine I remember. I use
> ebtables and marks for this now.
>
> On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote:
> > Currently using physdev on a bridge to try and isolate certain paths
> > across and to the bridge. It all works except when trying to stop the
> > flow in one direction on the FORWARD chain?? Can someone please help??
> >
> > Below is the testing done so far.
> >
> > eth1 <---> BRIDGE <---> eth0
> >
> > # Block (eth0 ---> eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 <--- eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP
> >
> > # Block (eth0 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP
> >
> > # Block (eth1 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP
> >
> > # Block (eth1 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > Kind Regards
> > William
RE: [LARTC] blocking traffic on the FORWARD chain using physdev
Still can't seem to block on the FORWARD chain in one direction. I tried

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP

just as a test, no other rules enabled at all (in iptables, tc or ebtables), and it blocks both directions. Please can someone help?

Kind Regards
William

-Original Message-
From: Oscar Mechanic [mailto:[EMAIL PROTECTED]
Sent: 14 December 2006 12:41
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] blocking traffic on the FORWARD chain using physdev

Are you sure you want to block ICMP? How about PMTU?

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp

On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote:
> Thanks for that. Would you be able to give a simple example on how to
> block outgoing traffic using ebtables and icmp? As I get an error when
> using icmp:
>
> ebtables -A FORWARD -i eth1 -p icmp -j DROP
>
> Error message - "Problem with the specified protocol."
>
> Kind Regards
> William
>
> -Original Message-
> From: Oscar Mechanic [mailto:[EMAIL PROTECTED]
> Sent: 14 December 2006 12:27
> To: William Bohannan
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev
>
> Hi
>
> Physdev may no longer be supported soon, something to do with hooks
> and how this is difficult to support. I have stopped using it because I
> found some odd behavior in physdev-in; out seemed fine, I remember. I use
> ebtables and marks for this now.
>
> On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote:
> > Currently using physdev on a bridge to try and isolate certain paths
> > across and to the bridge. It all works except when trying to stop the
> > flow in one direction on the FORWARD chain?? Can someone please help??
> >
> > Below is the testing done so far.
> >
> > eth1 <---> BRIDGE <---> eth0
> >
> > # Block (eth0 ---> eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 <--- eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP
> >
> > # Block (eth0 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP
> >
> > # Block (eth1 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP
> >
> > # Block (eth1 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > Kind Regards
> > William
RE: [LARTC] blocking traffic on the FORWARD chain using physdev
Thanks for that. Would you be able to give a simple example on how to block outgoing traffic using ebtables and icmp? As I get an error when using icmp:

ebtables -A FORWARD -i eth1 -p icmp -j DROP

Error message - "Problem with the specified protocol."

Kind Regards
William

-Original Message-
From: Oscar Mechanic [mailto:[EMAIL PROTECTED]
Sent: 14 December 2006 12:27
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev

Hi

Physdev may no longer be supported soon, something to do with hooks and how this is difficult to support. I have stopped using it because I found some odd behavior in physdev-in; out seemed fine, I remember. I use ebtables and marks for this now.

On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote:
> Currently using physdev on a bridge to try and isolate certain paths
> across and to the bridge. It all works except when trying to stop the
> flow in one direction on the FORWARD chain?? Can someone please help??
>
> Below is the testing done so far.
>
> eth1 <---> BRIDGE <---> eth0
>
> # Block (eth0 ---> eth1) - blocks both directions and not just one??
> iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
>
> # Block (eth0 <--- eth1) - blocks both directions and not just one??
> iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
>
> # Block (eth0 ---> BRIDGE) - working
> iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP
>
> # Block (eth0 <--- BRIDGE) - working
> iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP
>
> # Block (eth1 ---> BRIDGE) - working
> iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP
>
> # Block (eth1 <--- BRIDGE) - working
> iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP
>
> Kind Regards
> William
[LARTC] blocking traffic on the FORWARD chain using physdev
Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help??

Below is the testing done so far.

eth1 <---> BRIDGE <---> eth0

# Block (eth0 ---> eth1) - blocks both directions and not just one??
iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP

# Block (eth0 <--- eth1) - blocks both directions and not just one??
iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP

# Block (eth0 ---> BRIDGE) - working
iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP

# Block (eth0 <--- BRIDGE) - working
iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP

# Block (eth1 ---> BRIDGE) - working
iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP

# Block (eth1 <--- BRIDGE) - working
iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP

Kind Regards
William
[LARTC] classid, prio and position
Having a problem with classid, prio and position. Wondering if someone could help? Below I have pasted a part of my current rules; it consists of one chain and two pipes. If they both use 60Kbit, which one would get priority? Would it be the one with the better prio, or the one with the lower classid, or would it be the one which is first on the list?

/sbin/tc class add dev eth1 parent 1:1 classid 1:11 htb rate 2000kbit ceil 2000kbit prio 3 quantum 1532
/sbin/iptables -t mangle -N test-chain-eth1-1:11
/sbin/iptables -t mangle -A test-all-chains -m connmark --mark 0x4445 -j protocop-chain-eth1-1:11
/sbin/iptables -t mangle -A test-all -m physdev --physdev-in eth0 -s 192.168.2.0/24 -d 192.168.2.0/24 -j MARK --set-mark 0x4445
/sbin/iptables -t mangle -A test-all -m physdev --physdev-in eth0 -s 192.168.2.0/24 -d 192.168.2.0/24 -j RETURN

/sbin/tc class add dev eth1 parent 1:11 classid 1:1001 htb rate 8Kbit ceil 60Kbit prio 4 quantum 1532
/sbin/tc qdisc add dev eth1 handle 1001: parent 1:1001 sfq
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p tcp -m multiport --port 81,3003,82,1 -j CLASSIFY --set-class 1:1001
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p tcp -m multiport --port 81,3003,82,1 -j RETURN

/sbin/tc class add dev eth1 parent 1:11 classid 1:1002 htb rate 8Kbit ceil 60Kbit prio 2 quantum 1532
/sbin/tc qdisc add dev eth1 handle 1002: parent 1:1002 sfq
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p icmp -j CLASSIFY --set-class 1:1002
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p icmp -j RETURN

Kind Regards
William
RE: [LARTC] process id with firewall and tc
Thanks Simon. That helps out heaps. Going to use what you said and use monit.

Kind Regards
William

-Original Message-
From: Simon Lodal [mailto:[EMAIL PROTECTED]
Sent: 16 September 2006 14:17
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] process id with firewall and tc

Routing, firewalling and shaping run in the kernel and have no pid. Instead you can get/set /proc flags, and check for the presence of certain data structures.

/proc/sys/net/ipv4/ip_forward is the routing master switch. If 0, the machine forwards nothing. You can both set and get the value, should be relatively easy from a web page. Beware that setting it to 1 may reset other /proc keys to default values.

For iptables firewalling you probably need to check if your rules are loaded or not; a script parsing 'iptables -nL' output could do it. Or you could use a condition match "enabled" in the beginning of each table, and drop all traffic if the condition is false. The /proc/net/ipt_condition/enabled value can then be read and set as a master switch from the web page.

Shaping has no /proc files, and no way to create a master switch, so you need a script that parses 'tc qdisc show dev eth0' or 'tc class show dev eth0' output.

Regards,
Simon

On Saturday 16 September 2006 15:38, William Bohannan wrote:
> Not sure this is the correct place to post this but I am looking to have
> status of the firewall and traffic control (active, disabled, stopped etc)
> on a webpage controlled via something like pid as the machine has many
> things running on it, like firewall, traffic control, data collection for
> graphing the traffic flows, as well as other services like squid etc. Any
> ideas would be most helpful.
>
> Kind Regards
>
> William
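Simon's three checks (the ip_forward switch, 'iptables -nL' and 'tc qdisc show') written up as a status script, as an added example that is not code from the thread. The command outputs used to exercise the parsers are constructed samples; the live wrappers at the end are the part a web page would call.

```shell
#!/bin/sh
# Added example, not from the thread: turn Simon's three checks into
# "active"/"disabled" status strings a web page could display.
# The *_from_text functions parse captured output, so they can be tried on
# the constructed samples below; the live wrappers at the end run the tools.

# Constructed sample of 'tc qdisc show dev eth0' with an HTB tree loaded
SAMPLE_TC_ACTIVE='qdisc htb 1: root r2q 10 default 10 direct_packets_stat 0
qdisc sfq 1001: parent 1:1001 limit 127p quantum 1514b perturb 10sec'
# Constructed sample of the same command with no shaping configured
SAMPLE_TC_NONE='qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1'

# Constructed sample of 'iptables -nL' with rules loaded
SAMPLE_IPT_ACTIVE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
# Constructed sample of 'iptables -nL' after 'iptables -F' (no rules at all)
SAMPLE_IPT_NONE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Shaping is "active" when a qdisc other than one the kernel attaches by
# itself (pfifo_fast, noqueue, mq, fq_codel) is present on the device.
shaping_status_from_text() {
    printf '%s\n' "$1" | awk '
        $1 == "qdisc" && $2 !~ /^(pfifo_fast|noqueue|mq|fq_codel)$/ { found = 1 }
        END { print (found ? "active" : "disabled") }'
}

# Firewalling is "active" when at least one chain holds a rule: any line
# that is not a "Chain" header, the column header or blank.
firewall_status_from_text() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^target / || /^[ \t]*$/ { next }
        { found = 1 }
        END { print (found ? "active" : "disabled") }'
}

# Routing master switch: /proc/sys/net/ipv4/ip_forward, 1 = forwarding.
routing_status_from_value() {
    if [ "$1" = "1" ]; then echo active; else echo disabled; fi
}

# Live wrappers (tools must be installed; iptables needs root to list rules).
shaping_status()  { shaping_status_from_text "$(tc qdisc show dev "${1:-eth0}" 2>/dev/null)"; }
firewall_status() { firewall_status_from_text "$(iptables -nL 2>/dev/null)"; }
routing_status()  { routing_status_from_value "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)"; }
```

The shaping check treats only the kernel's own default qdiscs as "disabled", so a root qdisc of any other type, the HTB tree in the sample included, reports as active.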
[LARTC] process id with firewall and tc
Not sure this is the correct place to post this, but I am looking to have the status of the firewall and traffic control (active, disabled, stopped etc) on a webpage, controlled via something like a pid, as the machine has many things running on it, like firewall, traffic control, data collection for graphing the traffic flows, as well as other services like squid etc. Any ideas would be most helpful.

Kind Regards
William
[LARTC] Accounting using ip addresses and ulogd
Hi, I use traffic shaping on my local lan and it keeps all dropped packets by logging them to mysql via ulogd. Since there are Windows and Apple users on the network I would like to have their "computer names" instead of ip addresses to make for easy accounting. Does anyone know of a script or tool to get the ip address of a dropped packet and turn it into a computer name (via WINS or something like that)?

Kind Regards
William
RE: [LARTC] smallest rate
So far the smallest rate I have been able to get is 1; why not use a firewall if you want 0?

Kind Regards
William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kristiadi Himawan
Sent: 15 August 2006 07:17
To: lartc@mailman.ds9a.nl
Subject: [LARTC] smallest rate

Hi, anyone know the smallest rate for tc, is it possible using 0 bps?
[LARTC] getting a local name on a network
Hi, I have written my firewall rules and they are working great, blocking p2p with layer7 and ipp2p between 6pm and 6am, also using ulog to get it all into mysql. The only problem is when it comes to accounting for the local traffic, as all it shows is the ip address. I have been looking around for a command to get the "windoz" name from an ip address, then a quick script to change the log entries to also have names. Wondering if anyone has done this?

Kind Regards
William Bohannan
RE: [LARTC] linux transparent bridge running squid and dansguardian
Thanks for the quick reply. Although I have had no success, I have been trying all day using both physdev and ebtables, neither of which I can get working :( Please help - below is what I am currently using.

***
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# This line tells ebtables to route (accept) the packages
# going to port 80, instead of bridging them:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

# This line tells ebtables to route (accept) the packages
# going to port 80, instead of bridging them:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

# This line is from www.linux.com transparent proxy which allows port 8080 from the local network
#iptables -A INPUT -i eth1 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
**

Please help - if I use Shorewall it works first go?

Internet - (eth0 - eth1) - local lan

Kind regards
William
[LARTC] linux transparent bridge running squid
Hi, I have been using Shorewall for a while now and find it very useful and easy to configure. I am learning iptables and having trouble getting the bridge to successfully work with squid, although I get it working with Shorewall straight away. Does anyone know the rules to successfully use squid with a transparent bridge?

Internet – router - (bridge eth0 – eth1) – local lan

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.0.253
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward

with no luck ☹

kind regards
william
[LARTC] learning iptables
Hi, I am currently learning iptables and would like to see the output of shorewall rules in iptables format, as I would like to make a script for the rules instead of using shorewall.

Kind Regards
William
[LARTC] time matching in the mangle stage?? is it possible??
Hi, I am having problems trying to get a time match with iptables 1.3.5 and the latest pom. It says time match only works in the prerouting stage, but I really need to use the classify command, which only works in the postrouting. Does anyone have a patch for the 2.6 kernel, latest pom and iptables 1.3.5 so time matching can occur in the post routing?

machinenemae login: ipt_time loading
ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)

many thanks
william
RE: [LARTC] iptables CLASSIFY vs fwmark?
Using fwmark would mean that packets have to pass two filter systems. First iptables, where they get marked, and then the tc-filter ruleset where the mark needs to be matched again. And this is something I want to avoid because this means worse performance, so I was wondering if there is a possible way to do time matching with classify instead of forward mark?? Anyone have a patch for time matching so it can be used in the postrouting section?

Kind Regards
William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Whitelaw
Sent: 06 May 2006 11:58
To: Denis Ovsienko
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] iptables CLASSIFY vs fwmark?

My observation also, but one example shows using fwmark in the PREROUTING chain while CLASSIFY can be used in POSTROUTING only (correct?). My experience with tc at this point is limited but sometimes added flexibility is useful, even if it's a little more effort.

Edwin

Denis Ovsienko wrote:
>> Could someone comment on the benefits of using CLASSIFY vs fwmark (or
>> vice versa) in iptables?
>>
> One benefit I see is that one avoids extra filters, this can be useful
> with lots of classes.
>

--
<=+=+=+==+=+=+==+=+=+=+=+=+=+=+=>
Edwin Whitelaw, P.E.
New River Valley Unwired, LLC
2200 Lonesome Dove Dr
Christiansburg, VA 24073
540-239-0318
[LARTC] iptables time match mangle stage
Hi, I am having problems trying to get a time match with iptables 1.3.5 and the latest pom. It says time match only works in the prerouting stage, but I really need to use the classify command, which only works in the postrouting. Does anyone have a patch for the 2.6 kernel, latest pom and iptables 1.3.5 so time matching can occur in the post routing?

machinenemae login: ipt_time loading
ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)

many thanks
william
[LARTC] trying to get time working - had error in first email
Hi, I am currently trying to get time control working but come up with an error.

/sbin/iptables -t mangle -A ms-chain-eth0-1:11 -m time --datestart 2006:01:26:17:00:00 --datestop 2006:12:26:18:00:00 -j CLASSIFY --set-class 1:111
iptables: Unknown error 4294967295

iptables -m time -help displays the help for it.

I am using Debian with kernel 2.6.15-2, iproute2-2.6.16-060323, iptables 1.3.5, patch-o-matic-ng-20060330.

Any help would be most grateful.

Regards,
William
[LARTC] trying to get time control working
Hi, I am currently trying to get time control working but come up with an error.

/sbin/iptables -t mangle -A ms-chain-eth0-1:11 -m time --datestart 2006:01:26:17:00:00 --datestop 2006:12:26:18:00:00 -j CLASSIFY --set-class 1:111
iptables: Unknown error 4294967295

iptables -m tos -help displays the help for it.

I am using Debian with kernel 2.6.15-2, iproute2-2.6.16-060323, iptables 1.3.5, patch-o-matic-ng-20060330.

Any help would be most grateful.

Regards,
William
RE: [LARTC] Sip Traffic
Hi, I am pretty much a newbie. I found with sip that if I match ports 5060 and 1 - 2 it works. I noticed on some phones they use 13000 - 14000 and others use 18000 - 19000. There is a new sip-conntrack out, although I haven't tried it yet.

william

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of LinuXKiD
Sent: 17 April 2006 15:59
To: lartc
Subject: [LARTC] Sip Traffic

Hi.

Is there a way to MARK udp VOIP (SIP) traffic, in order to put it in a highest prio class?

Traffic flow seems to start on udp port 5060, but next both server and client seem to jump to a random(?) port. I can't use CONNMARK because it is udp traffic.

I only see a pattern for the L7 patch in order to do SIP traffic identification, but I run the 2.4 kernel series. When you patch a 2.4 kernel with the L7 patch, later, Connmark (patch-o-matic) can't apply (conflicts).

thank you.

--
Andres
[LARTC] transparent bridge
Hi, I installed Debian with bridging enabled, then I installed squid. Squid works if I manually enter the proxy setting in firefox. Then I ran the following to make it transparent:

echo 1 > /proc/sys/net/ipv4/ip_forward
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Now all I get when I go to firefox is a blank page and down the bottom is: Waiting for www.google.com.au...

Please, need help.. I have tried the squid forum and looked everywhere ☹

Many thanks
william
[LARTC] bridge + extra nic traffic shaping
Hi, I am using traffic shaping on br0 and it is working nicely. The only problem is when I nat off br0 with a third nic; I run into the following problems when traffic shaping. Wondering if anyone has had success with the following layout???

                 __br0(eth0,eth1)-eth1 --- local network
                |                         (public address)
Internet 1--- eth0
                |  (public address)
                |
               eth2 --- local network (private ip via nat from br0)
                        (private address and behind nat)

I've done some further tests and got these results @ eth2:

                bridge mode         router mode
                UP       DOWN       UP       DOWN
eth0,eth1       YES      NO         NO       NO
eth0,eth2       YES      NO         NO       YES
eth0,br0        YES      NO         YES      NO
eth1,eth2       NO       NO         NO       YES
eth1,br0        NO       NO         YES      NO
eth2,br0        NO       NO         NO       YES

many thanks
william