RE: [LARTC] traffic queueing and ipsec vpn

2004-09-04 Thread [EMAIL PROTECTED]
hi alexis,

it's been a while since i did this modification to the kptd.

the diagram assumes that this is a linux box doing a vpn tunnel(s). let's
assume that eth0 is facing the lan and eth1 is facing the internet and
that eth1 has one or more ipsec interfaces.

a packet from the lan comes in on eth0 and is destined to a lan via an
ipsec tunnel. i *believe* that before the routing decision is made, the
ipsec process changes the interface to the appropriate ipsecX interface
name.

the packet, as it is not destined for this local machine, passes through
FORWARD, POSTROUTING, and then EGRESS. ipsec encrypts the packet and the
new esp packet is passed again through POSTROUTING and EGRESS and is
dequeued to the hardware.

if i am not mistaken, metadata from the unencrypted packet is
preserved, that is, you may mark the packet in POSTROUTING and then
use that mark to make a QoS EGRESS decision on the ESP packet. i'll
have to check this again, but i don't have a bunch of time at the
moment.

now, assume an esp packet arrives on eth1 addressed to this box because
it is at the end of the tunnel. the esp packet passes PREROUTING,
INGRESS, and passes INPUT as it is addressed to this machine. after INPUT,
ipsec decrypts the packet and it is passed through PREROUTING, INGRESS,
FORWARD (as it is now destined for a machine on the lan), POSTROUTING,
EGRESS and dequeued to the hardware.

cheers

charles


On Fri, 2004-09-03 at 22:16, Alexis wrote:
 Thank you very much for the quick answer.
 
 Let me ask you a question about it so I can save time. Analyzing this ASCII
 I can see, after qos ingress and before input routing, a statement that says
 "if dst ip via ipsec put on ipsecX interface".
 
 Ok, this is my basic schema
 
 LAN  |ethX| linuxbox |ethZ|  IPSEC VPN
 
 This means all the LAN traffic that reaches the linuxbox is forwarded from
 ethX to ethZ and then via ipsec reaches its destination.
 
 
 As I've never configured an ipsec vpn using linux yet (only used cisco and
 nortel) my question is:
 
 "if dst ip via ipsec put on ipsecX interface": does this mean that I'll have an
 ipsecX interface and I need to set the queues on this interface? Or do I need
 to set up my queues on ethZ?
 
 Thanks in advance.
 
 PS: I'll configure the ipsec vpn using kernel 2.6
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 behalf of [EMAIL PROTECTED]
 Sent: Friday, 03 September 2004 16:32
 To: Alexis; LARTC list
 Subject: Re: [LARTC] traffic queueing and ipsec vpn
 
 hi alexis,
 
 i -- THINK -- that this is how it happens.
 
 cheers
 
 charles
 
 
 On Fri, 2004-09-03 at 20:12, Alexis wrote:
  Hi all, I've been reading the lartc howto, I'm new to traffic
  shaping/policing.
   
  As far as I've read (chapter 9 complete) I saw that first the packet passes
  the ingress qdisc, then it passes to the ip stack if the packet is
  directed to the box or it's forwarded (my case), then it falls to
  the egress classifier/s.
   
  Now, I understand if I have an ipsec vpn at the outside interface, the
  egress classifiers will act before the packet leaves the kernel and
  enters the vpn tunnel, is this correct?
   
  Here's my situation: I have a headquarter box that is a database
  (to call it with a name) and then a lot of branches that send queries
  to this database and based on the results, the branches send packets
  to other branches through some established IPSEC tunnels. So, hq is the
  route database, and the branches send voice traffic to other branches.
   
  Now I have to set traffic shaping and manage the bandwidth for
  signaling and for voice flows (rtp flows). So I need to be sure
  that I can classify the packets at the outside interface before they
  enter the vpn tunnel.
   
  is this correct?
   
   
  Thanks in advance.
   
   
  --
  Alexis

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
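The mark-then-classify scheme Charles describes above (mark the cleartext packet in POSTROUTING, classify the ESP packet on egress by that mark), as an added example that is not part of the thread. It is a POSIX sh script that assumes a 2.6 native IPsec stack on which the nfmark set before encryption survives on the ESP packet, as Charles says; the interface name (eth1), LAN prefix, RTP port range, link rate and class rates are constructed values. It prints the iptables and tc commands by default and only executes them when run with --apply, so the rule set can be reviewed first:

```sh
#!/bin/sh
# Added example, not code from the thread. Marks voice packets in
# mangle/POSTROUTING while they are still cleartext, then classifies the ESP
# packets leaving the internet-facing interface by that mark. Assumes the
# nfmark survives xfrm encryption (2.6 native stack). All values below are
# constructed defaults and can be overridden from the environment.

WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
RTP_PORTS=${RTP_PORTS:-16384:32767}
WAN_RATE=${WAN_RATE:-2mbit}
VOICE_RATE=${VOICE_RATE:-512kbit}
BULK_RATE=${BULK_RATE:-1536kbit}
VOICE_MARK=1

# mangle/POSTROUTING is the last hook the cleartext packet traverses before it
# is encrypted, so the match can still see the inner UDP ports. The second
# rule has no target: it only counts ESP packets that still carry the mark,
# which is how you verify on a live box that the mark survived encryption
# (iptables -t mangle -L POSTROUTING -nv).
mark_rules() {
    cat <<EOF
iptables -t mangle -A POSTROUTING -s $LAN_NET -p udp --dport $RTP_PORTS -j MARK --set-mark $VOICE_MARK
iptables -t mangle -A POSTROUTING -o $WAN_IF -p esp -m mark --mark $VOICE_MARK
EOF
}

# Egress shaping on the physical interface: HTB with a high-priority voice
# class and a default bulk class. The fw filter selects the class by nfmark,
# which is the only usable selector once the payload is ESP.
qos_rules() {
    cat <<EOF
tc qdisc add dev $WAN_IF root handle 1: htb default 20
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate $WAN_RATE
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate $VOICE_RATE ceil $WAN_RATE prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate $BULK_RATE ceil $WAN_RATE prio 1
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $VOICE_MARK fw flowid 1:10
EOF
}

# Full rule set: netfilter marks first, then the qdisc tree and filter.
build_script() {
    mark_rules
    qos_rules
}

if [ "${1:-}" = "--apply" ]; then
    build_script | sh -e
else
    build_script
fi
```

After applying on a router, compare the packet counters of the two mangle rules: if the counting rule for `-p esp` stays at zero while the MARK rule increments, the mark is not reaching the ESP packet on that kernel and the fw filter will never fire.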


[LARTC] Ipsec and kernel 2.6.8

2004-09-04 Thread falconn

Hi all :-)

I have a problem with my current configuration of ipsec. I'm using ipsec with
kernel 2.6 and racoon. I have two computers linked by wireless cards. The first
(192.168.1.1 Zeus) is connected to internet through a DSL modem and the second
(192.168.1.2 Memphis) is accessing internet through the first. I want with
ipsec to encrypt all datas between the two computers.
I can exchange data between the two computers and Memphis can access the
internet but when I tried to download a big file, it didn't work although it
worked fine on Zeus. I've tried to change the MTU to 1300 but it changed
nothing.
I have another problem, when I exchanged data between Memphis and internet, the
ip header is not protected by AH , I can see the destination adress with
tcpdump!

Can somebody help me? Thanks in advance!
Here is my configuration file for Zeus (it's nearly the same for Memphis)

Setkey :

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.1.2/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.1.2-192.168.1.1/require
ah/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P in ipsec
esp/tunnel/192.168.1.1-192.168.1.2/require
ah/tunnel/192.168.1.1-192.168.1.2/require;

Racoon.conf

remote 192.168.1.1
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;

certificate_type x509 Memphis.public Memphis.private;
peers_certfile Zeus.public;
proposal{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1024; #I don't understand this option


}

}

sainfo anonymous
{
pfs_group modp1024; #I don't understand this option
lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


[LARTC] masquerade and mac problem

2004-09-04 Thread Sorin Capra
Hello guys 

 I don't know if this thing has been posted before (if it was, please forgive me).
I have 7 computers at home and I want all of them to have access to the internet. In order to do that, I set up a linux router (2 network cards) as a usual router (eth0 : 82.77.69.75 - internet connection ; eth1 : 192.168.10.1 - local network). The other computers have ips ranging from 192.168.10.2 to 192.168.10.8. The linux router masquerades the other computers. The problem I have is that I want to do the masquerading based on mac AND the ip, not only on the ip (so if I change the ip on a computer and use another ip from another computer which is down, the masquerading process shouldn't work).
 What I came up with is this : 

-
#!/bin/sh
ipt="/usr/sbin/iptables"

$ipt -F
$ipt -F -t nat

$ipt -t filter -N computer1 >/dev/null 2>&1
$ipt -t filter -N computer2 >/dev/null 2>&1
$ipt -t filter -N computer3 >/dev/null 2>&1
$ipt -t filter -N computer4 >/dev/null 2>&1
$ipt -t filter -N computer5 >/dev/null 2>&1
$ipt -A FORWARD -s 192.168.10.2 -j computer1
$ipt -A FORWARD -s 192.168.10.3 -j computer2
$ipt -A FORWARD -s 192.168.10.4 -j computer3
$ipt -A FORWARD -s 192.168.10.5 -j computer4
$ipt -A FORWARD -s 192.168.10.6 -j computer5
$ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
$ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
$ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
$ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
$ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT

$ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE

#$ipt -P FORWARD DROP

 If I uncomment the last line ("#$ipt -P FORWARD DROP") the router won't forward any packets. What am I doing wrong?

Thank you in advance,
 Sorin

Re: [LARTC] masquerade and mac problem

2004-09-04 Thread Tomasz Chilinski
On Sat, 4 Sep 2004 05:19:39 -0700 (PDT), Sorin Capra wrote 
 $ipt -t filter -N computer1 >/dev/null 2>&1
 $ipt -t filter -N computer2 >/dev/null 2>&1
 $ipt -t filter -N computer3 >/dev/null 2>&1
 $ipt -t filter -N computer4 >/dev/null 2>&1
 $ipt -t filter -N computer5 >/dev/null 2>&1
 
 $ipt -A FORWARD -s 192.168.10.2 -j computer1 
 $ipt -A FORWARD -s 192.168.10.3 -j computer2 
 $ipt -A FORWARD -s 192.168.10.4 -j computer3 
 $ipt -A FORWARD -s 192.168.10.5 -j computer4 
 $ipt -A FORWARD -s 192.168.10.6 -j computer5 
 
 $ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT 
 $ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT 
 $ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT 
 $ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT 
 $ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT 
   
 $ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE 
 $ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE 
 $ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE 
 $ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE 
 $ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE 
 
 #$ipt -P FORWARD DROP 
 

Use the mac source match in chain PREROUTING of the nat table. Additionally, the tests will then
only be done for the first packets of connections (less load).

Thank you in advance, 
Sorin

Bests,
Tomasz Chilinski



RE: [LARTC] traffic queueing and ipsec vpn

2004-09-04 Thread [EMAIL PROTECTED]
hi alexis,

please do -- i'd like to see just how far off i am :-)

i've been just playing around with racoon instead of freeswan --
totally different animal ...

cheers

charles
On Sat, 2004-09-04 at 16:39, Alexis wrote:
 Thanks again, this is _really_ enough info, ill do a lab and test this, I
 think this is the best way to realize how this work.
 
 Best regards.
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 behalf of [EMAIL PROTECTED]
 Sent: Saturday, 04 September 2004 5:15
 To: LARTC list
 Subject: RE: [LARTC] traffic queueing and ipsec vpn
 
 hi alexis,
 
 it's been a while since i did this modification to the kptd.
 
 the diagram assumes that this is a linux box doing a vpn tunnel(s). let's assume
 that eth0 is facing the lan and eth1 is facing the internet and that eth1
 has one or more ipsec interfaces.
 
 a packet from the lan comes in on eth0 and is destined to a lan via an ipsec
 tunnel. i *believe* that before the routing decision is made, the ipsec
 process changes the interface to the appropriate ipsecX interface name.
 
 the packet, as it is not destined for this local machine, passes through FORWARD,
 POSTROUTING, and then EGRESS. ipsec encrypts the packet and the new esp
 packet is passed again through POSTROUTING and EGRESS and is dequeued to the
 hardware.
 
 if i am not mistaken, metadata from the unencrypted packet is preserved,
 that is, you may mark the packet in POSTROUTING and then use that mark
 to make a QoS EGRESS decision on the ESP packet. i'll have to check this
 again, but i don't have a bunch of time at the moment.
 
 now, assume an esp packet arrives on eth1 addressed to this box because it
 is at the end of the tunnel. the esp packet passes PREROUTING, INGRESS, and
 passes INPUT as it is addressed to this machine. after INPUT, ipsec decrypts
 the packet and it is passed through PREROUTING, INGRESS, FORWARD (as it is
 now destined for a machine on the lan), POSTROUTING, EGRESS and dequeued to
 the hardware.
 
 cheers
 
 charles
 
 
 On Fri, 2004-09-03 at 22:16, Alexis wrote:
  Thank you very much for the quick answer.
  
  Let me ask you a question about it so I can save time. Analyzing this
  ASCII I can see, after qos ingress and before input routing, a statement
  that says "if dst ip via ipsec put on ipsecX interface".
  
  Ok, this is my basic schema
  
  LAN  |ethX| linuxbox |ethZ|  IPSEC VPN
  
  This means all the LAN traffic that reaches the linuxbox is forwarded
  from ethX to ethZ and then via ipsec reaches its destination.
  
  
  As I've never configured an ipsec vpn using linux yet (only used cisco
  and nortel) my question is:
  
  "if dst ip via ipsec put on ipsecX interface": does this mean that I'll
  have an ipsecX interface and I need to set the queues on this
  interface? Or do I need to set up my queues on ethZ?
  
  Thanks in advance.
  
  PS: I'll configure the ipsec vpn using kernel 2.6
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On behalf of [EMAIL PROTECTED] Sent: Friday, 03
  September 2004 16:32
  To: Alexis; LARTC list
  Subject: Re: [LARTC] traffic queueing and ipsec vpn
  
  hi alexis,
  
  i -- THINK -- that this is how it happens.
  
  cheers
  
  charles
  
  
  On Fri, 2004-09-03 at 20:12, Alexis wrote:
   Hi all, I've been reading the lartc howto, I'm new to traffic
   shaping/policing.

   As far as I've read (chapter 9 complete) I saw that first the packet
   passes the ingress qdisc, then it passes to the ip stack if the
   packet is directed to the box or it's forwarded (my case), then it
   falls to the egress classifier/s.

   Now, I understand if I have an ipsec vpn at the outside interface,
   the egress classifiers will act before the packet leaves the kernel
   and enters the vpn tunnel, is this correct?

   Here's my situation: I have a headquarter box that is a database
   (to call it with a name) and then a lot of branches that send
   queries to this database and based on the results, the branches send
   packets to other branches through some established IPSEC tunnels. So,
   hq is the route database, and the branches send voice traffic to other
   branches.

   Now I have to set traffic shaping and manage the bandwidth for
   signaling and for voice flows (rtp flows). So I need to be sure
   that I can classify the packets at the outside interface before they
   enter the vpn tunnel.

   is this correct?


   Thanks in advance.


   --
   Alexis
 


Re: [LARTC] masquerade and mac problem

2004-09-04 Thread Tomasz Chilinski
On Sat, 4 Sep 2004 08:21:21 -0700 (PDT), Sorin Capra wrote 
Thank you for the quick reply 

It works now , but I still have one question : why didn't it work before
(in FORWARD) ? It should have worked , shouldn't it ? 

1) Have you tried to do:
iptables -t filter -L -nv
and check if the counters are non-zero for the rules with mac source matches?
2) In the kernel source I have found something like this
(net/ipv4/netfilter/ipt_mac.c file):
static int
ipt_mac_checkentry(const char *tablename,
		   const struct ipt_ip *ip,
		   void *matchinfo,
		   unsigned int matchsize,
		   unsigned int hook_mask)
{
	/* FORWARD isn't always valid, but it's nice to be able to do --RR */
	if (hook_mask
	    & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
		| (1 << NF_IP_FORWARD))) {
		printk("ipt_mac: only valid for PRE_ROUTING, LOCAL_IN or"
		       " FORWARD.\n");
		return 0;
	}

	if (matchsize != IPT_ALIGN(sizeof(struct ipt_mac_info)))
		return 0;

	return 1;
}

Maybe while traversing the filter/FORWARD hook the mac field in the skb structure is not
valid, because the packet is being forwarded between two interfaces.

 Bests, 

 Sorin 

Bests, 
Tomasz Chilinski 



Re: [LARTC] masquerade and mac problem

2004-09-04 Thread Ilia Lindov
Hi,
I recommend you to use the following script:

#!/bin/sh
# Deleting all existing rules in all chains
# and deleting user created chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -X
iptables -t filter -X
iptables -t mangle -X
# Setting the default policy to DROP, so those packets which are not
# ACCEPT-ed are dropped at the end
iptables -P FORWARD DROP
# Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allowing outgoing packets from specific users with correct mac
# addresses.
# Add the same line for each client with the proper ip and mac addresses
iptables -A FORWARD -s 192.168.10.2 -m mac --mac-source \
    00:11:22:33:44:55 -j ACCEPT

# Allowing all incoming packets which belong to a client's
# connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
---
You should consider the INPUT and OUTPUT chains on your router, and
set proper rules in them according to your needs.
Also you'll need connection tracking support from the kernel.
The 'ip_conntrack' and similar modules will be useful if you don't have
connection tracking support compiled into the kernel itself.

I hope this will help!!!
Regards: Ilia Lindov
Sorin Capra wrote:
Hello guys
 
   I don't know if this thing has been posted before (if it was , please 
forgive me).
I have 7 computers at home and I want all of them to have access to the 
internet. In order to do that , I set up a linux router (2 network 
cards) as a usual router (eth0 : 82.77.69.75 - internet connection ; 
eth1 : 192.168.10.1 - local network) . The other computers have ips 
ranging from 192.168.10.2 to 192.168.10.8 . The linux router masquerades 
the other computers. The problem I have is that I want to do the 
masquerading based on mac AND the ip not only on the ip (so if I change 
the ip on a computer and use another ip from another computer which is 
down , the masquerading process shouldn't work)
   What I came up with is this :
 
-
#!/bin/sh
ipt=/usr/sbin/iptables
 
$ipt -F
$ipt -F -t nat
 
$ipt -t filter -N computer1 >/dev/null 2>&1
$ipt -t filter -N computer2 >/dev/null 2>&1
$ipt -t filter -N computer3 >/dev/null 2>&1
$ipt -t filter -N computer4 >/dev/null 2>&1
$ipt -t filter -N computer5 >/dev/null 2>&1
$ipt -A FORWARD -s 192.168.10.2 -j computer1
$ipt -A FORWARD -s 192.168.10.3 -j computer2
$ipt -A FORWARD -s 192.168.10.4 -j computer3
$ipt -A FORWARD -s 192.168.10.5 -j computer4
$ipt -A FORWARD -s 192.168.10.6 -j computer5
$ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
$ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
$ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
$ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
$ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
 
$ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
$ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE

#$ipt -P FORWARD DROP

 
  If I uncomment the last line ("#$ipt -P FORWARD DROP") the router
won't forward any packets. What am I doing wrong?
 
  Thank you in advance,
 
Sorin
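An added example, not code from the thread or from any of its participants, that pulls together Ilia's FORWARD-chain approach and the counter check Tomasz suggested (`iptables -L -nv`, look for mac-matching rules that never hit). It generalises Ilia's "add the same line for each client" to a table of ip/mac pairs, and adds a small parser over `iptables -L FORWARD -nv` output that lists the source addresses of rules whose packet counter is still zero. It assumes Sorin's layout (eth0 internet, eth1 LAN 192.168.10.0/24); the MAC addresses and the sample counter output are constructed for the example and are not the ones posted in the thread:

```sh
#!/bin/sh
# Added example, not from the thread. Table-driven ip+mac pairing in FORWARD
# plus a zero-hit finder for 'iptables -L FORWARD -nv' output.
# Interface names follow Sorin's setup; HOSTS holds constructed placeholders.

LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}

# Constructed table: one "ip mac" pair per line (locally administered MACs).
HOSTS="192.168.10.2 02:00:00:00:00:02
192.168.10.3 02:00:00:00:00:03
192.168.10.4 02:00:00:00:00:04"

# Emit the FORWARD chain: flush, default DROP, replies first (cheap conntrack
# match, so per-host rules only see new connections), then one ACCEPT per
# ip/mac pair. A host that moves to another machine's IP no longer matches
# its own pair and falls through to the DROP policy. The mac match is valid
# in FORWARD (see the ipt_mac_checkentry hook mask Tomasz quoted), so no
# per-host user chain is needed.
forward_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
}

# One masquerade rule on the internet-facing interface is enough once the
# FORWARD chain decides who gets through.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Reads 'iptables -L FORWARD -nv' output on stdin and prints the source
# address of every mac-matching rule whose packet counter is zero.
# Column layout: pkts bytes target prot opt in out source destination ...
zero_hit_mac_rules() {
    awk '/MAC/ && $1 == 0 { print $8 }'
}

# Constructed sample of 'iptables -L FORWARD -nv' for the table above:
# the 192.168.10.3 rule has never matched (e.g. that box changed its MAC).
SAMPLE_COUNTERS='Chain FORWARD (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  300 40000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  120  9600 ACCEPT     all  --  eth1   eth0    192.168.10.2         0.0.0.0/0            MAC 02:00:00:00:00:02
    0     0 ACCEPT     all  --  eth1   eth0    192.168.10.3         0.0.0.0/0            MAC 02:00:00:00:00:03
   45  3100 ACCEPT     all  --  eth1   eth0    192.168.10.4         0.0.0.0/0            MAC 02:00:00:00:00:04'

case "${1:-}" in
    --apply) { forward_rules; nat_rules; } | sh -e ;;
    --check) iptables -L FORWARD -nv | zero_hit_mac_rules ;;
    *)       forward_rules; nat_rules
             echo "# mac rules with zero hits in the constructed sample:"
             printf '%s\n' "$SAMPLE_COUNTERS" | zero_hit_mac_rules ;;
esac
```

Run without arguments to print the rule set and the zero-hit result for the embedded sample; `--apply` loads the rules, and `--check` runs the zero-hit finder against the live counters so a host whose pairing never matches shows up by IP.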