Re: [LARTC] Linux router configuration??
On Fri, 2003-09-26 at 00:25, Blu wrote:
> Good morning to all, thanks for previous help, but I have another question.
> I have little experience of the Linux world, and I need to configure a
> Linux PC as a router. What are the steps? What do I do?
> Thanks.

What you could do is go to http://leaf.sf.net. This is a router/firewall on a floppy disk system, that also can boot from hd, flash, cd, or whatever. It's dead easy to set up, reboots very quickly, and only uses media on boot so you won't wear out your floppy, hd, cd or whatever with constant spinning.

best regards
-- 
Ronny Aasen <[EMAIL PROTECTED]>
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Linux router configuration??
I am going to assume you want the most basic router, just two interfaces.

1.) Make sure both network cards have been detected:
    ifconfig eth0
    ifconfig eth1
2.) Set up each interface on its own network, and make sure the interface has been activated; you can use ifconfig for this.
3.) Issue the command
    echo 1 > /proc/sys/net/ipv4/ip_forward
    to enable IP forwarding; without this the kernel will not send packets between interfaces.
4.) Set the clients behind the router to point to the internal IP of your router.

Any changes made to the system will have to be initialized during the boot process. Of course if you have IP addresses that you would like to NAT/masquerade behind the router, you will have to use iptables. You really should be more specific on your needs. Good luck.

> Good morning to all, thanks for previous help, but I have another question. I have little
> experience of the Linux world, and I need to configure a Linux PC as a router. What are
> the steps? What do I do?
> Thanks.
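The four steps above, written out as a script. This is an added example, not code from the thread or from any of the posters. It assumes eth0 faces the Internet, eth1 faces the clients, and the clients live in 192.168.1.0/24; all three are overridable through environment variables. Beyond the steps in the reply it sets the FORWARD policy to DROP and only lets replies back in, because a box that merely has ip_forward=1 forwards everything in both directions. Run it with DRY_RUN=1 first to print the rule set without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal two-interface Linux
# router doing NAT, with a default-deny FORWARD chain.
# WAN, LAN and LAN_NET are assumptions; override them in the environment.
# DRY_RUN=1 prints the commands instead of executing them (no root needed),
# which is how the rule set should be reviewed before it is applied.

WAN=${WAN:-eth0}                      # assumed: interface towards the Internet
LAN=${LAN:-eth1}                      # assumed: interface towards the clients
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed: private client network
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if forwarding is enabled in the given sysctl file
# (default: the live /proc entry; a path argument allows testing on a copy).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Emit or apply the rule set. Order matters: policy first, then the
# state match for return traffic, then the narrow allow for the LAN,
# then NAT. Only packets whose source is inside LAN_NET are forwarded
# out, so a client cannot spoof addresses through the router.
router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN.rp_filter=1"
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Number of iptables rules the script would install; a quick sanity check
# against an empty or doubled rule set before applying.
rule_count() {
    ( DRY_RUN=1; router_rules ) | grep -c '^iptables'
}

# Apply only when asked for explicitly, so sourcing the file is harmless.
if [ "${ROUTER_APPLY:-0}" = 1 ]; then
    router_rules
fi
```

After applying, confirm the two things the reply says matter: `cat /proc/sys/net/ipv4/ip_forward` prints 1, and `iptables -L FORWARD -v -n` shows policy DROP with counters increasing on the two ACCEPT rules while clients browse. The reply's note that changes are lost at reboot still holds; hook the script into the distribution's init sequence.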
RE: [LARTC] Linux router configuration??
www.netfilter.org has up-to-date kernel 2.4 firewall concepts. The links are also pretty good at describing how everything works if you can't find what you need at the site itself.

-----Original Message-----
From: Derek [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 25, 2003 4:40 PM
To: Blu
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Linux router configuration??

I'll be a tad more helpful, but not much. Setting up a Linux firewall/router is pretty specific to your network layout/configuration. You probably will be better off checking these links and going from there:

General Linux setup/config documentation: http://www.tldp.org

This document is a bit dated in that it doesn't include iptables as one of the firewalling software options, but it still is better than nothing.
http://www.tldp.org/HOWTO/Firewall-HOWTO.html

The HOWTO at http://www.lartc.org is good too (hehe, had to give kudos).

Hope it helps!
Derek

On Thursday 25 September 2003 04:12 pm, Damion de Soto wrote:
> Blu wrote:
> > Good morning to all, thanks for previous help, but I have another question. I
> > have little experience of the Linux world, and I need to configure a Linux
> > PC as a router. What are the steps? What do I do?
>
> That's a pretty vague question, so I'll give you a vague answer:
>
> Get any Linux distribution and do a minimum install.
> Set up the network cards and interfaces.
> Set up the routes and/or routing daemons.
> (Set up the firewalling.)
>
> In the popular distros, most of these steps are done for you in the
> install.
>
> good luck.
Re: [LARTC] Linux router configuration??
I'll be a tad more helpful, but not much. Setting up a Linux firewall/router is pretty specific to your network layout/configuration. You probably will be better off checking these links and going from there:

General Linux setup/config documentation: http://www.tldp.org

This document is a bit dated in that it doesn't include iptables as one of the firewalling software options, but it still is better than nothing.
http://www.tldp.org/HOWTO/Firewall-HOWTO.html

The HOWTO at http://www.lartc.org is good too (hehe, had to give kudos).

Hope it helps!
Derek

On Thursday 25 September 2003 04:12 pm, Damion de Soto wrote:
> Blu wrote:
> > Good morning to all, thanks for previous help, but I have another question. I
> > have little experience of the Linux world, and I need to configure a Linux
> > PC as a router. What are the steps? What do I do?
>
> That's a pretty vague question, so I'll give you a vague answer:
>
> Get any Linux distribution and do a minimum install.
> Set up the network cards and interfaces.
> Set up the routes and/or routing daemons.
> (Set up the firewalling.)
>
> In the popular distros, most of these steps are done for you in the
> install.
>
> good luck.
Re: [LARTC] Linux router configuration??
Blu wrote:
> Good morning to all, thanks for previous help, but I have another question. I have little experience of the Linux world, and I need to configure a Linux PC as a router. What are the steps? What do I do?

That's a pretty vague question, so I'll give you a vague answer:

Get any Linux distribution and do a minimum install.
Set up the network cards and interfaces.
Set up the routes and/or routing daemons.
(Set up the firewalling.)

In the popular distros, most of these steps are done for you in the install.

good luck.
-- 
~~~
Damion de Soto - Software Engineer    email: [EMAIL PROTECTED]
SnapGear --- ph: +61 7 3435 2809      | Custom Embedded Solutions
fax: +61 7 3891 3630                  | and Security Appliances
web: http://www.snapgear.com
~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---
[LARTC] Linux router configuration??
Good morning to all, thanks for previous help, but I have another question. I have little experience of the Linux world, and I need to configure a Linux PC as a router. What are the steps? What do I do? Thanks.
RE: [LARTC] IMQ Install Without Recompiling Kernel?
>> 2) Why the sarcasm about not wanting to recompile the kernel? I love
>> using Linux, and I have recompiled kernels before. However, in this
>> application it may not be my best choice. You do not know my
>> situation. I tried recompiling the kernel on this machine and had much
>> trouble with the particular SCSI card in that machine. However, I felt
>> this list was limited to routing issues and NOT kernel recompilation
>> issues with a SCSI card.

> If this is a closed binary, you still can recompile the kernel with the RH
> kernel sources. I did this before. I wanted to use a closed source binary
> to access tape drives on my debian server. I used the RH kernel sources
> and the module loaded without any problem.

I had problems with the DPT_I2O if that is what you are talking about. You just have to remember to add the card's drivers to initrd-.img (gzipped ext2 file system).

>> 3) My boss prefers that we stay with the stock RH kernel. If that is
>> not possible then I will recompile, but only if absolutely necessary.

> I'm afraid a recompile is needed.

If the QOS stuff was compiled as a module, you don't even need to reinstall the entire system, just the QOS sub-system (not tested with QOS though). For example, with the kernel sources handy, you can patch PPP - MPPE into a stock Redhat kernel by just running one of their scripts. Two files from your existing system are changed, but everything else is untouched.

My best bet without trying it is:

- Download and install the kernel-source RPM (not SRPM).
- # cp /boot/config- /usr/src/linux-/.config
  This gives you the environment set up more or less how RedHat builds them, but without the RPM complexity.
- Edit /usr/src/linux-/Makefile and remove the 'custom' tag from the end of EXTRAVERSION.
- # make menuconfig
  Add the module that you need inside here.
- # make dep; make modules
  If all goes well, you should get to the end of modules without errors.
- Copy the module file that you added to the installation into the module directory in /lib/modules.
- # depmod
  If there are no errors here, you are home free.
Re: [LARTC] IMQ Install Without Recompiling Kernel?
> 1) Why is RH a bad choice?

It's not necessarily bad, for example they can sell you good commercial support, and most commercial binary-only applications will only support RH kernels (e.g. Clearcase). However, RH tends to have their own ideas about a bunch of stuff which doesn't always match the 'mainstream'. This is why I quit using RH for my own projects and instead use Mandrake. It's RH-like, but rather more in sync with the 'normal' Linux environment. There are other distributions which have their own 'better' attributes for any given task too.

> 2) Why the sarcasm about not wanting to recompile the kernel? I love using
> Linux, and I have recompiled kernels before. However, in this application it
> may not be my best choice. You do not know my situation. I tried recompiling
> the kernel on this machine and had much trouble with the particular SCSI
> card in that machine. However, I felt this list was limited to routing
> issues and NOT kernel recompilation issues with a SCSI card.

Yeah, try the RPM rebuilding route that I suggested. I too became frustrated with the typical Linux community suggestion that you should rebuild from source in the classic manner---I found that the result almost always breaks something which previously worked in the distro kernel. If you build from the source RPM, modulo some corner cases such as using a different compiler build, you'll be making exactly the same binary that RH made.

> 4) I'm not the qdisc or routing master, but from my reading I understand the
> following:
> -An egress qdisc applied to eth0 ONLY shapes traffic leaving eth0,
> NOT eth1, eth2, etc.

Right, it's per-interface shaping.

> -I don't want to write an egress qdisc for each of my 9 interfaces,
> plus I also want ingress control.

Correct. Plus, if you want to correctly share incoming bandwidth between nodes which are on the other side of more than one of those interfaces, then separate shaping won't do what you want (the queue at each interface has no knowledge of the situation at any of the other interfaces). Therefore you need IMQ.

> 5) I have different types of customers on each interface, hence different
> traffic flows and speeds.

Without IMQ you'll be able to shape on each interface, but you won't be able to fairly distribute the same bandwidth between customers on different interfaces.
Re: [LARTC] IMQ Install Without Recompiling Kernel?
On Thursday 25 September 2003 21:51, Walter D. Wyndroski wrote:
> 1) Why is RH a bad choice?

I think RH changes too much. If you have a RH apache server and you want support from the apache community, you are out of luck. The RH apache server is so much patched that they can't help you. And apt-get rocks :)

> 2) Why the sarcasm about not wanting to recompile the kernel? I love using
> Linux, and I have recompiled kernels before. However, in this application
> it may not be my best choice. You do not know my situation. I tried
> recompiling the kernel on this machine and had much trouble with the
> particular SCSI card in that machine. However, I felt this list was limited
> to routing issues and NOT kernel recompilation issues with a SCSI card.

If this is a closed binary, you still can recompile the kernel with the RH kernel sources. I did this before. I wanted to use a closed source binary to access tape drives on my debian server. I used the RH kernel sources and the module loaded without any problem.

> 3) My boss prefers that we stay with the stock RH kernel. If that is not
> possible then I will recompile, but only if absolutely necessary.

I'm afraid a recompile is needed.

> 4) I'm not the qdisc or routing master, but from my reading I understand
> the following:
> -An egress qdisc applied to eth0 ONLY shapes traffic leaving eth0,
> NOT eth1, eth2, etc.

Indeed.

> -I don't want to write an egress qdisc for each of my 9 interfaces,
> plus I also want ingress control.
> -With that said, I want a subnet to be limited to speed X megabits
> no matter if traffic is leaving or entering eth0, eth1, or any other
> interface.

If it's only rate limiting, you can try filter + policers.

> 5) I have different types of customers on each interface, hence different
> traffic flows and speeds.

If you only need to limit speed and don't care about how bandwidth is divided, the ingress qdisc + filters + policers can help you.

> 6) I have read this mailing list for well over a year now and enjoyed it
> quite a bit. I really appreciate all the members who help and give really
> good pointers.

Thx:)

Stef
-- 
[EMAIL PROTECTED]
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
Re: [LARTC] IMQ Install Without Recompiling Kernel?
1) Why is RH a bad choice?

2) Why the sarcasm about not wanting to recompile the kernel? I love using Linux, and I have recompiled kernels before. However, in this application it may not be my best choice. You do not know my situation. I tried recompiling the kernel on this machine and had much trouble with the particular SCSI card in that machine. However, I felt this list was limited to routing issues and NOT kernel recompilation issues with a SCSI card.

3) My boss prefers that we stay with the stock RH kernel. If that is not possible then I will recompile, but only if absolutely necessary.

4) I'm not the qdisc or routing master, but from my reading I understand the following:
   - An egress qdisc applied to eth0 ONLY shapes traffic leaving eth0, NOT eth1, eth2, etc.
   - I don't want to write an egress qdisc for each of my 9 interfaces, plus I also want ingress control.
   - With that said, I want a subnet to be limited to speed X megabits no matter if traffic is leaving or entering eth0, eth1, or any other interface.

5) I have different types of customers on each interface, hence different traffic flows and speeds.

6) I have read this mailing list for well over a year now and enjoyed it quite a bit. I really appreciate all the members who help and give really good pointers.

Thank you.
Walt

----- Original Message -----
From: "Damjan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Walter D. Wyndroski" <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 7:30 PM
Subject: Re: [LARTC] IMQ Install Without Recompiling Kernel?

> > I'm really needing the ability to ingress and egress on a subnet, actually
> > multiple subnets. Primarily I need to ratelimit said subnet no matter which
> > of the nine interfaces (in my router) from which its traffic is leaving or
> > entering the router. However, I still want classful queuing using HTB/SFQ. Are
> > any other options available which could assist me until IMQ becomes part of
> > the RH stock kernel?
>
> First I must say that RH is a bad choice for what you want to do.
> And second, why use Linux if you can't/don't want to recompile a kernel?
> It's not rocket science.
>
> But anyway, if I understand you correctly you want to shape your
> traffic - the traffic is passing through your Linux router. If this is
> the case you don't need IMQ. You see, although shaping works only on the
> packets LEAVING YOUR ROUTER, still packets are leaving the router in the
> direction of the Internet but also packets are leaving your router in
> the direction of your internal network.
>
> --
> Damjan Georgievski
> jabberID: [EMAIL PROTECTED]
Re: [LARTC] IMQ Install Without Recompiling Kernel?
Thank you. I had not thought of that route. I will probably go with your suggestion.

Walt

----- Original Message -----
From: "David Boreham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 12:40 PM
Subject: Re: [LARTC] IMQ Install Without Recompiling Kernel?

> > Why don't you take the RH kernel source, apply the imq patch, use the RH
> > kernel options and recompile the kernel?
>
> A reasonably painless way to do this is to get the RH kernel RPM source.
> Modify the .spec file to add the patches, and rebuild. I've done this in the
> past and it tends to result in something which is closer to the original
> kernel than if you just take the source tree and compile that. It's also a
> more reproducible build process which helps if you need to do it
> several times (e.g. when RH releases a new kernel).
Re: [LARTC] Connection Tracking - How Many???
Sorry, I must have missed it when reading the netfilter howto. I found it later when reading through it again: approx 32,000 connections per 512 megs of RAM.

Walt

----- Original Message -----
From: Walter D. Wyndroski
To: [EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 10:44 PM
Subject: [LARTC] Connection Tracking - How Many???

How many connections can be tracked with:
512 megabytes of RAM?
1 gigabyte of RAM?

I know there is a limit. I read it somewhere about eight months ago in some obscure location.

Thanks in advance.
Walt
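Where the "about 32,000 per 512 MB" figure comes from, and how to watch the table on a live router. This is an added example, not part of the thread. The formula is what the 2.4 ip_conntrack code does as I recall it: the hash table gets RAM/16384 bytes, divided by sizeof(struct list_head) (8 on 32-bit), and ip_conntrack_max is 8 times the bucket count, so the default limit is RAM/16384 entries, capped once the machine has more than 1 GB (the bucket count is fixed at 8192 there, so 65536 entries). 512 MiB gives 32768. The operational point is that when the table fills, new connections are silently dropped ("ip_conntrack: table full, dropping packet"), which is a denial-of-service condition, so the count should be monitored against the limit. The file paths are parameters to the check so it can be exercised on sample files; on 2.4 they are /proc/sys/net/ipv4/ip_conntrack_max and /proc/net/ip_conntrack (one line per tracked connection).

```shell
#!/bin/sh
# Added example (not from the thread): connection-tracking table sizing
# and a usage check. Formula and cap taken from the 2.4 ip_conntrack
# initialisation code (32-bit assumed: sizeof(struct list_head) == 8).

# Default ip_conntrack_max for a machine with $1 MiB of RAM.
conntrack_default_max() {
    if [ "$1" -gt 1024 ]; then
        echo 65536                          # bucket count capped at 8192, times 8
    else
        echo $(( $1 * 1024 * 1024 / 16384 ))
    fi
}

# Integer percentage of the table in use: $1 = current count, $2 = maximum.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Compare the table usage against a threshold (default 80 percent).
#   $1 = file holding the maximum   (2.4: /proc/sys/net/ipv4/ip_conntrack_max)
#   $2 = file with one line per tracked connection (2.4: /proc/net/ip_conntrack)
#   $3 = warning threshold in percent (optional)
# Returns 1 and prints a WARN line when the threshold is reached, 0 otherwise.
conntrack_check() {
    max=$(cat "$1")
    count=$(wc -l < "$2")
    count=$(( count + 0 ))                  # strip any padding wc adds
    pct=$(conntrack_usage_pct "$count" "$max")
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARN conntrack table ${pct}% full ($count/$max); new connections are dropped once it fills"
        return 1
    fi
    echo "OK conntrack table ${pct}% full ($count/$max)"
}
```

Raising the limit is a matter of writing a larger number to the ip_conntrack_max sysctl; each tracked entry costs kernel memory that cannot be swapped, so raise it in step with the hash table size rather than by orders of magnitude, and keep the check above running so a flood of half-open connections is noticed before the table fills.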
[LARTC] Simulated latency
This seems like it ought to be simple, but so far, no joy. I need to simulate latency in a network connection, e.g. a satellite link, but can't figure out how to do that. I don't need to drop packets or otherwise limit rates, just introduce certain fixed amounts of latency. I know about NIST Net, but would rather use iptables, ip, tc, etc. Any ideas?
Re: [LARTC] More layer7 filtering issues
Hi

> So, 1:10 is getting data passed through it, but I can't figure out a way to
> attach a policing filter that just drops them all into oblivion.

    tc filter add dev $DEV parent : \
        protocol ip prio 20 \
        u32 match ip protocol 1 0xff \
        police mtu 1 drop \
        flowid :1

Drops all packets with a length > 1 byte which is probably what you want.

Regards,
-- 
Thomas GRAF
RE: [LARTC] Simple PRIO + TBF at high rates
>> I'm trying to slow down http traffic on a Gigabit link. The outbound rates on
>> that interface range 0 .. 400 Mbit/s and I would like to throttle accurately
>> to any rate between these while keeping non-http traffic unthrottled.

> Then create a couple of filters to send traffic to the correct classes
> and, maybe, attach a "sfq" qdisc to your HTTP and default leaves to
> guarantee fairness for individual connections.

Ok, first of all I was trying to use PRIO + TBF because I thought it was the simpler. You suggest HTB, which is far more flexible, and I guess flexibility goes along with more overhead. Then my question is: will HTB behave accurately at those rates (100-600 Mbit/s) with moderate CPU impact? Or better yet: has anyone tried it in a production environment?

Javier
Re: [LARTC] Proper filter syntax for matching Netfilter packet marks
> > But it apparently isn't working right; this is the only filter in an
> > egress HTB queue discipline, and all my traffic goes through the default
> > class instead of my special class. This is as per "tc -s -d class show
> > ..."

> Can you check your iptables rules so you are sure the mark gets placed?

In case your NetFilter rules really match and packets are marked, then you should try using hexadecimal for marks. I know ip(8) interprets marks as hexadecimal, although it's not documented AFAIK. I don't have time to look at it in tc(8), but there are good chances it runs in the same way. I have posted a mail on this inconsistency one week ago, but no one replied.
http://mailman.ds9a.nl/pipermail/lartc/2003q3/010074.html

Regards,
-- 
Jeremie aka TtZ/TataZ
[EMAIL PROTECTED]
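The two pieces of advice in this thread, Stef's (confirm the mark is actually being set) and Jeremie's (use one representation for the mark on both sides), as one script. This is an added example, not code from either poster. The mark is written once in decimal and rendered as 0x-prefixed hex for both the iptables rule and the tc fw filter, so a decimal-versus-hexadecimal mismatch cannot happen. The second function answers Stef's question from the counters of the mangle table: it reads the output of `iptables -t mangle -L PREROUTING -v -n -x` and returns the packet count of the MARK rule. If that count stays at zero the packets never get marked and the tc side is not the problem. eth1, class 1:102, mark 0x66 and port 80 are assumptions taken from the quoted filter; the mark itself is set in PREROUTING because that runs before the routing decision, so the mark is present when the packet reaches the egress qdisc.

```shell
#!/bin/sh
# Added example (not from the thread): netfilter MARK and a tc "fw" filter
# that agree on the mark value, plus a check on the MARK rule's counters.
# DEV, CLASS, MARK_DEC and the port are assumptions; DRY_RUN=1 prints
# the commands instead of running them.

DEV=${DEV:-eth1}
CLASS=${CLASS:-1:102}
MARK_DEC=${MARK_DEC:-102}            # 102 decimal == 0x66, the mark in the quoted filter
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Render a decimal mark as 0x-prefixed hexadecimal, the form both
# iptables and tc accept unambiguously.
mark_hex() { printf '0x%x\n' "$1"; }

# Mark HTTP traffic in mangle/PREROUTING and send marked packets to $CLASS.
mark_rules() {
    m=$(mark_hex "$MARK_DEC")
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark "$m"
    run tc filter add dev "$DEV" protocol ip parent 1:0 prio 1 handle "$m" fw classid "$CLASS"
}

# Read 'iptables -t mangle -L PREROUTING -v -n -x' output on stdin and print
# the packet counter of the MARK rule for the given hex mark; -1 if no such
# rule is listed. Zero means the rule never matched.
mark_rule_packets() {
    awk -v want="MARK set $1" '$0 ~ want { print $1; found = 1 } END { if (!found) print -1 }'
}

if [ "${MARK_APPLY:-0}" = 1 ]; then
    mark_rules
fi
```

On the router, `iptables -t mangle -L PREROUTING -v -n -x | mark_rule_packets 0x66` should grow while HTTP traffic flows; once it does, `tc -s class show dev eth1` should show the bytes moving from the default class to 1:102.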
Re: [LARTC] Proper filter syntax for matching Netfilter packet marks
On Thursday 25 September 2003 04:14, Lance Dryden wrote:
> Howdy. Sorry if I make a mistake; this is my first list posting.
>
> I'm running into ... somewhat conflicting and incomplete documentation
> when working out what exactly I'm to do in order to tc-filter match
> against packet MARKs set by NetFilter.
>
> The syntax I'm trying looks like this:
>    tc filter add dev eth1 \
>    protocol ip \
>    parent 1:0 \
>    prio 1 \
>    handle 0x66 \
>    fw classid 1:102
>
> But it apparently isn't working right; this is the only filter in an
> egress HTB queue discipline, and all my traffic goes through the default
> class instead of my special class. This is as per "tc -s -d class show
> ..."

Can you check your iptables rules so you are sure the mark gets placed?

Stef
-- 
[EMAIL PROTECTED]
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
[LARTC] From where to get IPT_CONTINUE ?
Hi all,

I'm working on bandwidth management. I need the facility of traversing the rules in IPTABLES even after processing a rule. I was told that IPT_CONTINUE would help me. But I'm not able to get information about FROM WHERE TO GET and HOW TO MAKE MY KERNEL PATCHED WITH IPT_CONTINUE. I will be grateful if anyone can help me out.

-regards,
Senthil Nathan V
Deeproot Linux Pvt Ltd, Bangalore