[LARTC] problem with htb script

2004-01-04 Thread saptah
Hi all, happy new Year ;)

I'm trying to make a script for shaping my outgoing traffic, but it doesn't
work well.
The script works fine if all packets go through the default class, but if I
try to send packets through another class, the packets don't go through that
class, they also go through the default class.

This script is installed on a Linux router doing IP masquerading for the
clients.

How can I classify the packets into these classes?

thx 4 all ;) and sorry for my (bad) English :P


# My script ##
#!/bin/bash
# QoS ;)=

DEV=eth1
RATEUP=100   # in kilobytes

# delete the existing bands (classes)
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
iptables -F   # also the iptables rules

# create the band tree
tc qdisc add dev $DEV root handle 2: htb default 60
tc class add dev $DEV parent 2: classid 2:1 htb rate 120kbps ceil ${RATEUP}kbps
tc class add dev $DEV parent 2:5 classid 2:50 htb rate $[70*$RATEUP/100]kbps ceil ${RATEUP}kbps
tc class add dev $DEV parent 2:6 classid 2:60 htb rate $[20*$RATEUP/100]kbps ceil ${RATEUP}kbps prio 1
tc class add dev $DEV parent 2:7 classid 2:70 htb rate $[10*$RATEUP/100]kbps ceil ${RATEUP}kbps prio 2

# attach sfq queues to the bands
tc qdisc add dev $DEV parent 2:50 handle 50: sfq
tc qdisc add dev $DEV parent 2:60 handle 60: sfq
tc qdisc add dev $DEV parent 2:70 handle 70: sfq

# map marks to bands
tc filter add dev $DEV protocol ip parent 2: handle 5 fw classid 2:50
tc filter add dev $DEV protocol ip parent 2: handle 6 fw classid 2:60
tc filter add dev $DEV protocol ip parent 2: handle 7 fw classid 2:70

# filter rules

#tc filter add dev $DEV parent 2: protocol ip prio 0 u32 match ip dport 21 0xffff flowid 2:50   # sends something
#tc filter add dev $DEV parent 2: protocol ip prio 0 u32 match ip dport 20 0xffff flowid 2:50   # sends something



___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


[LARTC] Multihomed Masquerading, routing and iptables

2004-01-04 Thread Gordan Bobic
Hi.

I have a networking problem that is driving me nuts at the moment. I
have a multi homed network: Cable + DSL.

The problem I have is that although I am 99% sure that I have the
routing table rules set up correctly, for some reason
masqueraded/NATed traffic doesn't go out of the correct interface.
i.e. I am getting traffic leaving eth2 with the source IP header set
to eth3 and vice versa.

There are 3 network interfaces:

eth0 (internal)
eth2 (DSL)
eth3 (Cable)

(eth1 is unused at present)

Here is my iptables setup (/etc/sysconfig/iptables):

# Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
*nat
:PREROUTING ACCEPT [0:0]
# Port forwarding to an internal machine
-A PREROUTING -i eth2 -d 217.79.103.2 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
-A PREROUTING -i eth3 -d 62.252.21.17 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
# SSH Port Forwarding
-A PREROUTING -i eth2 -d 217.79.103.3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
:POSTROUTING ACCEPT [0:0]
# IP Masquerading Traffic From eth2 and eth3
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth3 -j MASQUERADE
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Dec 27 10:47:54 2003
# Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth2 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth3 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth3 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Dec 27 10:47:54 2003
###

Additionally, here is the script I use to set up the multi homed
routing:


# Add ip rules for routing
ip rule add from 217.79.103.0/29 table Griffin
ip rule add from 62.252.21.17    table NTL

# Add routing rules for specific interfaces to ensure connectivity
ip route add to default via 217.79.103.1  dev eth2 table Griffin
ip route add to default via 62.252.21.254 dev eth3 table NTL

ip route add to 217.79.103.0/29 dev eth2 table Griffin
ip route add to 62.252.21.0/24  dev eth3 table NTL

# Default route is multi homed
ip route add to default \
nexthop via 217.79.103.1  dev eth2 weight 1 \
nexthop via 62.252.21.254 dev eth3 weight 1

# Commit routing changes
ip route flush cache
#

However, looking at tcpdump output from eth2:
11:19:27.153771 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.57626: R 0:0(0) ack 2502579442 win 0 (DF)
11:19:30.212427 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.57626: R 0:0(0) ack 1 win 0 (DF)
11:20:23.928900 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.58367: R 0:0(0) ack 2551899092 win 0 (DF)

This is wrong because cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com is
62.252.21.17, which is the IP address of eth3.

Similarly, tcpdump from eth3 says things like:
11:18:32.787404 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 4066315873 win 0 (DF)
11:18:35.683228 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)
11:18:41.744790 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)

This is again wrong, because 217.79.103.2.adsl.griffin.net.uk is the
IP address of eth2.

I am pretty sure the IP rules I set up should work. They assign all
packets with source IP of a particular interface to a routing table
that is routed out via the correct gateway. However, some packets
(from what I have been able to tell, only the masqueraded packets,
but the test was not exhaustive) get sent out of the wrong interface.

Can anybody see a problem with this setup?

TIA.

Gordan


Re: [LARTC] IMQ problems :-(

2004-01-04 Thread Robert Walker

Hi Roy,

Thanks for getting back to me so promptly.

> IMQ is a very invasive component which requires recompiling almost everything;
> this driver is very unstable and will crash for sure, sooner or later,
> depending on load.

I have read about people having lots of problems with IMQ, so I just wanted to
try it and see how stable it is on my box. I gather it could actually
be problems with the kernel and not the IMQ code??

> I suggest you leave iptables alone and just modify the imq.c source to catch
> what you need.
> If you don't have too much traffic it may not crash all day (if you will
> use it for download shaping).

I think that sounds even more messy :-)
I only wanted to ingress shape with IMQ to ensure that I don't drop UDP
or small TCP ACK packets for upload streams. I guess I will just give
up on the idea and use ingress policing... It's not so important anyway, as my
DSL connection is very asymmetric (2mbit D/L; 256kbit U/L) and upload
shaping is more important.

Even if IMQ is fixed in kernel 2.6 (is it??) I won't be able to use it until I
can update the driver for my Conexant PCI ADSL modem (which works fine
right now under kernel 2.4.22).

-- 
Best regards,
 Robert




Re: [LARTC] IMQ problems :-(

2004-01-04 Thread Roy

> I have read about people having lots of problems with IMQ. So I just
> wanted to try it and see how stable it is on my box. I gather it could
> actually be problems with the kernel and not the IMQ code??

That is possible, but probably not because of a bug in the kernel, as I
think it is because the kernel handles local traffic differently than
forwarded traffic,

so you can't use IMQ to shape traffic generated by the server.
I am continuing development of IMQ and I face this problem most of the time.

> I think that sounds even more messy :-)
> I only wanted to ingress shape with IMQ to ensure that I don't drop UDP
> or small TCP ACK packets for upload streams. I guess I will just give
> up on the idea and use ingress policing... It's not so important anyway
> as my DSL connection is very asymmetric (2mbit D/L; 256kbit U/L) and upload
> shaping is more important.

If you only want to shape incoming traffic you can probably use IMQ quite safely.

Anyway, as I see it you don't need it at all: you can easily shape all uploads
anyway, and since your download speed is high enough you don't need to worry about
it.

However, IMQ can be useful to control traffic so that you can download with
Kazaa and browse the web or play a game without high latency.




[LARTC] Ingress with WonderShaper

2004-01-04 Thread Gavin Hamill
Hullo :)

I appear to be having a common problem, but the standard fix hasn't worked for 
me :/

I'm using a 2.4.23 kernel, with QoS options thusly: 

# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
# CONFIG_NET_SCH_CBQ is not set
CONFIG_NET_SCH_HTB=m
# CONFIG_NET_SCH_CSZ is not set
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
# CONFIG_NET_CLS_RSVP is not set
# CONFIG_NET_CLS_RSVP6 is not set
CONFIG_NET_CLS_POLICE=y

The whole wshaper.htb script executes fine until the final two commands, and 
running the first one manually gives me:

$ tc qdisc add dev eth0 handle : ingress
RTNETLINK answers: Invalid argument

Now, the standard solution I've seen is get a newer tc, and one report [1] 
said that Debian's unstable one worked fine... so I backported it to woody, 
but had exactly the same problem :/

I even saw the q_ingress.c and q_htb.c files being compiled OK during the 
'debian/rules binary-arch' procedure so the code must be in the tc binary.

If I mis-type 'ingress', then the error changes to 'RTNETLINK answers: No such 
file or directory', so it must be seeing /something/ ...

Any ideas? :D

Cheers,
Gavin.

[1] http://www.cs.helsinki.fi/linux/linux-kernel/2002-06/0035.html



Re: [LARTC] problem with htb script

2004-01-04 Thread Stef Coene
On Sunday 04 January 2004 12:30, saptah wrote:
> Hi all, happy new Year ;)
>
> I'm trying to make a script for shaping my outgoing traffic, but it doesn't
> work well.
> The script works fine if all packets go through the default class, but if I
> try to send packets through another class, the packets don't go through that
> class, they also go through the default class.
>
> This script is installed on a Linux router doing IP masquerading for the
> clients.
>
> How can I classify the packets into these classes?
>
> thx 4 all ;) and sorry for my (bad) English :P
No problem.
Are you trying to match ftp traffic?  If so, you can have a problem because 
ftp can use dynamic ports, so it's not easy to filter out ftp traffic.
You also use a combination of fw and u32 filters.  But for that fw filter, I 
don't see the needed iptables rules.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] HTB filters - pls help me

2004-01-04 Thread Stef Coene
On Sunday 04 January 2004 07:27, jayesh rathod wrote:
> Hi,
>
> We are using the HTB algorithm for traffic shaping, and we are facing a problem.
>
> We are able to create multiple classes and filters. But when we delete 1 filter,
> all filters get deleted. How do we avoid that?
>
> Waiting for your reply
What I do is create a script that deletes the root qdisc and re-adds 
everything.  Deleting the root qdisc deletes all classes and filters.  So I 
never delete a filter.
Anyway, can you post your commands?

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net



[LARTC] QoS with 1 interface

2004-01-04 Thread Andrius Kazimieras Kasparavičius

Hi, as far as I know, iproute QoS works per interface, not on all interfaces. I 
want to give one inner interface priority over the other inner one, like PRIO gives one IP 
priority over another. HOW?

-- 
Andrius K. Kasparavičius




[LARTC] Port limiting on forward

2004-01-04 Thread MCraciun

I heard that matching ports with mangle and shaping with CBQ or HTB will cost me some resources, so I want to limit that way:

1. On forward I want to limit a port range like 0 to 79 at 8kbps. And after that I want to be able to add lines with other port ranges, also at 8kbps, but only on forward. Today I had just started to use CBQ and HTB.


[LARTC] virtual interface

2004-01-04 Thread alen sarkinovic
Can I add an HTB rule on a virtual interface?
Example: eth0:0

alens
- Original Message -
From: Stef Coene [EMAIL PROTECTED]
To: jayesh rathod [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, January 04, 2004 10:41 AM
Subject: Re: [LARTC] HTB filters - pls help me


> On Sunday 04 January 2004 07:27, jayesh rathod wrote:
> > Hi,
> >
> > We are using the HTB algorithm for traffic shaping, and we are facing a problem.
> >
> > We are able to create multiple classes and filters. But when we delete 1
> > filter, all filters get deleted. How do we avoid that?
> >
> > Waiting for your reply
> What I do is create a script that deletes the root qdisc and re-adds
> everything.  Deleting the root qdisc deletes all classes and filters.  So I
> never delete a filter.
> Anyway, can you post your commands?
>
> Stef
>
> --
> [EMAIL PROTECTED]
>  Using Linux as bandwidth manager
>  http://www.docum.org/
>  #lartc @ irc.openprojects.net





Re: [LARTC] virtual interface

2004-01-04 Thread Stef Coene
On Monday 05 January 2004 05:55, alen sarkinovic wrote:
> Can I add an HTB rule on a virtual interface?
> Example: eth0:0
No.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] Port limiting on forward

2004-01-04 Thread MCraciun

I have 40 users on a P2 200 MMX, 32 RAM.
So I know how to match packets:
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT

iptables -t mangle -A MYSHAPER-OUT -s ! 192.168.0.5 -p tcp --dport 0:1024 -j MARK --set-mark 23

iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 6660:65000 -j MARK --set-mark 24

How do I shape mark 23 at 1 KB/s and mark 24 at 1 MB/s?


Re: [LARTC] QoS with 1 interface

2004-01-04 Thread Andrius Kazimieras Kasparavičius

There are 3 interfaces on the router: one for the internet, the other two for clients. On one 
interface there is the girls' LAN, on the other the boys'. I want to give higher internet 
priority to the girls; there is NAT, so ingress rescheduling IMO won't work.

On Sunday, 4 January 2004 22:11, Roy wrote:
> Hello,
>
> What do you mean by give priority to an interface?
> Do you want to route high priority packets to one interface and low
> priority to the other?
> Or do you want to give higher priority to packets forwarded from one interface
> than from another?
>
> > Hi, as far as I know, iproute QoS works per interface, not on all interfaces. I
> > want to give one inner interface priority over the other inner one, like PRIO gives one IP
> > priority over another. HOW?

-- 
Andrius K. Kasparavičius
GSM +370 687 256 30



Re: [LARTC] QoS with 1 interface

2004-01-04 Thread Artūras Šlajus
Roy wrote:

> Hello,
>
> What do you mean by give priority to an interface?
> Do you want to route high priority packets to one interface and low priority
> to the other?
> Or do you want to give higher priority to packets forwarded from one interface
> than from another?
I believe that he wants to send packets to some interface as soon as they arrive, 
not sending packets on other interfaces.


Re: [LARTC] Port limiting on forward

2004-01-04 Thread Roy
So what is the problem?
create root class

/qos/bin/tc qdisc del dev eth0 root
/qos/bin/tc qdisc add dev eth0 root handle 2: htb

and add these
# mark 23
/qos/bin/tc class add dev eth0 parent 2: classid 2:41 htb rate 8Kbit ceil
8Kbit
/qos/bin/tc qdisc add dev eth0 parent 2:41 sfq
/qos/bin/tc filter add dev eth0 parent 2: protocol ip pref 4 handle 23 fw
classid 2:41

# mark 24
/qos/bin/tc class add dev eth0 parent 2: classid 2:42 htb rate 1000Kbit ceil
1000Kbit
/qos/bin/tc qdisc add dev eth0 parent 2:42 sfq
/qos/bin/tc filter add dev eth0 parent 2: protocol ip pref 4 handle 24 fw
classid 2:42

-----
> I have 40 users on a P2 200 MMX, 32 RAM.
> So I know how to match packets:
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT
>
> iptables -t mangle -A MYSHAPER-OUT -s ! 192.168.0.5 -p tcp --dport 0:1024 -j MARK --set-mark 23
>
> iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 6660:65000 -j MARK --set-mark 24
>
> How do I shape mark 23 at 1 KB/s and mark 24 at 1 MB/s?



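An added example that is not code from any post in this digest; it serves both saptah's script at the top of the page and the mark 23/24 question here. iptables sets marks in the mangle table, the HTB leaves all hang off 2:1 (saptah's script pointed them at 2:5/2:6/2:7, which are never created, so those classes fail and everything falls into the default class), and fw filters map each mark to its leaf. DEV, RATEUP, the marks, ports and percentages are assumptions, and without the argument "apply" the script only prints the tc/iptables commands it would run.

```shell
# Added example (not from any post in this digest): iptables marks packets in
# the mangle table, HTB leaf classes under 2:1 shape them, and "fw" filters
# map each mark to its class. DEV, RATEUP, marks, ports and percentages are
# assumed values, not taken from a real router.
set -e

TC="${TC:-tc}"
IPT="${IPT:-iptables}"
DEV="${DEV:-eth1}"
RATEUP="${RATEUP:-1000}"   # uplink rate in kbit/s (assumed)
# Units caveat: in tc, "kbps" means kilobytes/s and "kbit" kilobits/s.

# rate_pct N -> N percent of RATEUP as an integer number of kbit.
rate_pct() {
    echo $(( $1 * RATEUP / 100 ))
}

# Remove any previous tree; on the first run there is nothing to delete.
reset_tree() {
    $TC qdisc del dev "$DEV" root 2>/dev/null || true
}

# Root HTB qdisc plus the single parent class that every leaf hangs from.
build_root() {
    $TC qdisc add dev "$DEV" root handle 2: htb default 60
    $TC class add dev "$DEV" parent 2: classid 2:1 htb \
        rate "${RATEUP}kbit" ceil "${RATEUP}kbit"
}

# add_leaf MARK MINOR RATE_KBIT PRIO: leaf class 2:MINOR under 2:1, an SFQ
# on it, and the fw filter that sends packets carrying MARK into it.
add_leaf() {
    local mark=$1 minor=$2 rate=$3 prio=$4
    $TC class add dev "$DEV" parent 2:1 classid "2:$minor" htb \
        rate "${rate}kbit" ceil "${RATEUP}kbit" prio "$prio"
    $TC qdisc add dev "$DEV" parent "2:$minor" handle "$minor:" sfq perturb 10
    $TC filter add dev "$DEV" parent 2: protocol ip prio 1 \
        handle "$mark" fw classid "2:$minor"
}

# The rules the first thread was missing: a fw filter only sees marks that
# iptables has set, so without these every packet lands in the default class.
mark_rules() {
    $IPT -t mangle -N SHAPER-OUT 2>/dev/null || true
    $IPT -t mangle -F SHAPER-OUT
    $IPT -t mangle -D POSTROUTING -o "$DEV" -j SHAPER-OUT 2>/dev/null || true
    $IPT -t mangle -A POSTROUTING -o "$DEV" -j SHAPER-OUT
    # ftp control and data -> mark 5 (bulk class)
    $IPT -t mangle -A SHAPER-OUT -p tcp -m multiport --dports 20,21 -j MARK --set-mark 5
    # ssh -> mark 6 (interactive class, which is also the default)
    $IPT -t mangle -A SHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 6
    # high ports, as in the mark 23/24 question -> mark 7 (lowest priority)
    $IPT -t mangle -A SHAPER-OUT -p tcp --dport 6660:65000 -j MARK --set-mark 7
}

main() {
    reset_tree
    build_root
    add_leaf 5 50 "$(rate_pct 70)" 0
    add_leaf 6 60 "$(rate_pct 20)" 1
    add_leaf 7 70 "$(rate_pct 10)" 2
    mark_rules
}

# Without the "apply" argument the commands are only printed (TC and IPT
# become echo); "apply" runs them for real and needs root.
case "${1:-}" in
    apply) main ;;
    *)     TC=echo IPT=echo main ;;
esac
```

After `apply`, `tc -s class show dev eth1` shows per-class byte counters, which is the quickest way to confirm that marked traffic is leaving the default class.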


Re: [LARTC] QoS with 1 interface

2004-01-04 Thread Roy

> There are 3 interfaces on the router: one for the internet, the other two for
> clients. On one interface there is the girls' LAN, on the other the boys'. I
> want to give higher internet priority to the girls; there is NAT, so ingress
> rescheduling IMO won't work.

IMQ will work there but it will crash anyway ;)
IMQ has nothing to do with ingress, except that it can shape it too.

There is no way to do this in another way; you can do some shaping by using
the police index,
but this way it will not work very well.
It can probably do this: if the girls' rate is > x then drop all packets for the
boys.

I suggest you use only one interface, unless you want to separate the networks so
much.



Re: [LARTC] Ingress with WonderShaper

2004-01-04 Thread Damion de Soto
Hi Gavin,
You're missing the INGRESS option in the kernel,
you should have:
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
# CONFIG_NET_SCH_CBQ is not set
CONFIG_NET_SCH_HTB=m
# CONFIG_NET_SCH_CSZ is not set
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_INGRESS=y

CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
# CONFIG_NET_CLS_RSVP is not set
# CONFIG_NET_CLS_RSVP6 is not set
CONFIG_NET_CLS_POLICE=y
You'll need the NETFILTER kernel option turned on to be able to see/select the 
INGRESS option.

> I even saw the q_ingress.c and q_htb.c files being compiled OK during the
> 'debian/rules binary-arch' procedure so the code must be in the tc binary.
>
> If I mis-type 'ingress', then the error changes to 'RTNETLINK answers: No such
> file or directory', so it must be seeing /something/ ...
yeah, it looks like the tc binary is right, so once you fix the kernel, everything 
should work.

--
~~~
Damion de Soto - Software Engineer   email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company      ph:    +61 7 3435 2809
 | Custom Embedded Solutions          fax:   +61 7 3891 3630
 | and Security Appliances            web:   http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


Re: [LARTC] Multihomed Masquerading, routing and iptables

2004-01-04 Thread Rio Martin
Ooops ..
Sorry, I hadn't read the entire email sent to the list by Bobic. 
My mistake. 

Bobic is having a problem similar to what I got with one of my servers running 
kernel-2.4.20. All the interfaces I have are of the same brand (Realtek): 
eth0 is for clients, eth1 for DSL and Cable, eth2 for Wireless 2.4GHz.
Weirdly, several of my clients were set up correctly to use both eth1 and eth2, but 
there are many clients having wrongly routed packets, just as Bobic.

This problem can be solved if I change to using SNAT instead of MASQUERADE. Try 
it, Bobic.

This MASQUERADE problem didn't appear under my Linux 2.4.21.

Regards,
Rio Martin.

On Monday 05 January 2004 09:04, Rio Martin wrote:
> Dear Bobic,
> I am sure you haven't read the LARTC document clearly.
> Find inside the document, iproute2
> Those are clues for setting up a local area network to connect using two or
> more connections to ISPs.
>
> Regards,
> Rio Martin.
>
> On Wednesday 31 December 2003 23:49, Gordan Bobic wrote:
> > Hi.
> > I have a networking problem that is driving me nuts at the moment. I
> > have a multi homed network: Cable + DSL.
> > The problem I have is that although I am 99% sure that I have the
> > routing table rules set up correctly, for some reason
> > masqueraded/NATed traffic doesn't go out of the correct interface.
> > i.e. I am getting traffic leaving eth2 with the source IP header set
> > to eth3 and vice versa.
> > There are 3 network interfaces:
> > eth0 (internal)
> > eth2 (DSL)
> > eth3 (Cable)
> > (eth1 is unused at present)
> >
> > Here is my iptables setup (/etc/sysconfig/iptables):
> >
> > # Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
> > *nat
> >
> > :PREROUTING ACCEPT [0:0]
> >
> > # Port forwarding to an internal machine
> > -A PREROUTING -i eth2 -d 217.79.103.2 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
> > -A PREROUTING -i eth3 -d 62.252.21.17 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
> > # SSH Port Forwarding
> > -A PREROUTING -i eth2 -d 217.79.103.3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
> >
> > :POSTROUTING ACCEPT [0:0]
> >
> > # IP Masquerading Traffic From eth2 and eth3
> > -A POSTROUTING -o eth2 -j MASQUERADE
> > -A POSTROUTING -o eth3 -j MASQUERADE
> >
> > :OUTPUT ACCEPT [0:0]
> >
> > COMMIT
> > # Completed on Sat Dec 27 10:47:54 2003
> > # Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
> > *filter
> >
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> >
> > -A FORWARD -i eth0 -o eth2 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > -A FORWARD -i eth0 -o eth3 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > -A FORWARD -i eth2 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A FORWARD -i eth3 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > :OUTPUT ACCEPT [0:0]
> >
> > COMMIT
> > # Completed on Sat Dec 27 10:47:54 2003
> > ###
> >
> > Additionally, here is the script I use to set up the multi homed
> > routing:
> >
> > # Add ip rules for routing
> > ip rule add from 217.79.103.0/29 table Griffin
> > ip rule add from 62.252.21.17    table NTL
> >
> > # Add routing rules for specific interfaces to ensure connectivity
> > ip route add to default via 217.79.103.1  dev eth2 table Griffin
> > ip route add to default via 62.252.21.254 dev eth3 table NTL
> >
> > ip route add to 217.79.103.0/29 dev eth2 table Griffin
> > ip route add to 62.252.21.0/24  dev eth3 table NTL
> >
> > # Default route is multi homed
> > ip route add to default \
> > nexthop via 217.79.103.1  dev eth2 weight 1 \
> > nexthop via 62.252.21.254 dev eth3 weight 1
> >
> > # Commit routing changes
> > ip route flush cache
> > #
> >
> > However, looking at tcpdump output from eth2:
> > 11:19:27.153771 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.57626: R 0:0(0) ack 2502579442 win 0 (DF)
> > 11:19:30.212427 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.57626: R 0:0(0) ack 1 win 0 (DF)
> > 11:20:23.928900 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.58367: R 0:0(0) ack 2551899092 win 0 (DF)
> >
> > This is wrong because cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com is
> > 62.252.21.17, which is the IP address of eth3.
> >
> > Similarly, tcpdump from eth3 says things like:
> > 11:18:32.787404 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 4066315873 win 0 (DF)
> > 11:18:35.683228 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)
> > 11:18:41.744790 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)
> >
> > This is again wrong, because 217.79.103.2.adsl.griffin.net.uk is the
> > IP address of eth2.
> >
> > I am pretty sure the IP rules 

[LARTC] vpn control

2004-01-04 Thread Rick Marshall
We have an external 2Mbit DSL connection and running on it are several
GRE VPN tunnels.

So far I've given priority to the VPN traffic (using HTB).

Can I now put rules in for the tunnels to control traffic within each
tunnel (that's where our video conferencing etc. runs)? Or can I only
control the real interface (eth1 in our setup)? If not, can I somehow see
the packets inside the VPN packets and then control them?

thanks

rick



Re: [LARTC] vpn control

2004-01-04 Thread Damion de Soto
Hi Rick,
> Can I now put rules in for the tunnels to control traffic within each
> tunnel (that's where our video conferencing etc. runs)?
What type of VPNs are you using? IPSec?
You can put htb rules on ipsecX interfaces and they will work.
The pppX interfaces for PPTP and L2TP VPNs should work just as well.
> control the real interface (eth1 in our setup)? If not, can I somehow see
> the packets inside the VPN packets and then control them?
With some clever kernel hackery you probably could do this; I don't think it would 
be any fun at all though.

regards,

--
~~~
Damion de Soto - Software Engineer   email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company      ph:    +61 7 3435 2809
 | Custom Embedded Solutions          fax:   +61 7 3891 3630
 | and Security Appliances            web:   http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


Re: [LARTC] vpn control

2004-01-04 Thread Damion de Soto
Rick Marshall wrote:
> linux-linux using ip tunnels - modprobe ip_gre
>
> ip tunnel add china mode gre remote xxx.xxx.xxx.xxx local \
> xxx.xxx.xxx.xxx ttl 255
> ip link set china up
> ip addr add 192.168.1.11 dev china
> ip route add 192.168.5.0/24 dev china
Hrrm, not 100% sure on GRE tunnels, but I can't see why they wouldn't.
You should be able to just create all your tc rules on the 'china' device.
--
~~~
Damion de Soto - Software Engineer   email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company      ph:    +61 7 3435 2809
 | Custom Embedded Solutions          fax:   +61 7 3891 3630
 | and Security Appliances            web:   http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---