[LARTC] 3 internet connexions - Problem with my script

2005-06-22 Thread Jeremy SALMON

Hi,

I have a problem with my script.

I have a Debian system with kernel 2.6.8 patched with patch-2.6.8-ja1.diff
from the nano.txt site.

I have 3 internet connections :
 - eth1 : 
   - ip : 192.168.8.75
   - gw : 192.168.8.73
 - eth2 :
   - ip : 192.168.1.200
   - gw : 192.168.1.2
 - eth3 : 
   - ip : 192.168.2.200
   - gw : 192.168.2.1

 and my eth0 for local network (ip : 192.168.212.235)

My Load_Balancing.sh script :
IFI="eth0"
IPI="192.168.212.235"
NMI="24"

IFE2="eth1"
IPE2="196.200.8.75"
NWE2="196.200.8.0"
NME2="29"
BRD2="196.200.8.255"
GWE2="196.200.8.73"

IFE1="eth2"
IPE1="192.168.1.200"
NWE1="192.168.1.0"
NME1="24"
BRD1="192.168.1.255"
GWE1="192.168.1.2"

IFE3="eth3"
IPE3="192.168.2.200"
NWE3="192.168.2.0"
NME3="24"
BRD3="192.168.2.255"
GWE3="192.168.2.1"

# Configure the loopback interface
ip link set lo up
ip addr add 127.0.0.1/8 brd + dev lo

# Configure the internal interface
ip link set $IFI up
ip addr add $IPI/$NMI brd + dev $IFI
ip rule add prio 50 table main
ip route del default table main

# Configure the first Internet connection
ip link set $IFE1 up
ip addr flush dev $IFE1
ip addr add $IPE1/$NME1 brd $BRD1 dev $IFE1

# Configure the second Internet connection
ip link set $IFE2 up
ip addr flush dev $IFE2
ip addr add $IPE2/$NME2 brd $BRD2 dev $IFE2

# Configure the third Internet connection
ip link set $IFE3 up
ip addr flush dev $IFE3
ip addr add $IPE3/$NME3 brd $BRD3 dev $IFE3

ip rule add prio 222 table 222
ip route add default scope global \
nexthop via $GWE1 dev $IFE1 weight 1 \
nexthop via $GWE2 dev $IFE2 weight 4 \
nexthop via $GWE3 dev $IFE3 weight 1

ip rule add prio 201 from $NWE1/$NME1 table 201
ip route add default via $GWE1 dev $IFE1 src $IPE1 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

ip rule add prio 202 from $NWE2/$NME2 table 202
ip route add default via $GWE2 dev $IFE2 src $IPE2 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

ip rule add prio 203 from $NWE3/$NME3 table 203
ip route add default via $GWE3 dev $IFE3 src $IPE3 proto static table 203
ip route append prohibit default table 203 metric 1 proto static

And my firewall.sh script for nat :

IFI="eth0"
IPI="192.168.212.235"
NWI="192.168.212.0"
NMI="24"

IFE2="eth1"
IPE2="196.200.8.75"
NWE2="196.200.8.0"
NME2="29"
BRD2="196.200.8.255"
GWE2="196.200.8.73"

IFE1="eth2"
IPE1="192.168.1.200"
NWE1="192.168.1.0"
NME1="24"
BRD1="192.168.1.255"
GWE1="192.168.1.2"

IFE3="eth3"
IPE3="192.168.2.200"
NWE3="192.168.2.0"
NME3="24"
BRD3="192.168.2.255"
GWE3="192.168.2.1"

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $IFE1 -s $NWI/$NMI -j MASQUERADE
iptables -t nat -A POSTROUTING -o $IFE2 -s $NWI/$NMI -j MASQUERADE
iptables -t nat -A POSTROUTING -o $IFE3 -s $NWI/$NMI -j MASQUERADE

iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN

iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN

iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state

iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state

I have 30 PCs behind this gateway.

The only website used by the PCs is http://example.google.fr

My BIG problem is that all PCs use just one interface of this gateway (eth2)
and I get no load balancing between the connections.

Can someone help me?

Thanks


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] tc on a PDA

2005-06-22 Thread Marius Corici
hello,

I have a 5500 iPaq with Familiar 0.8.2 on it and I don't know how to
install a traffic shaper tool on it.
I installed the iproute2 package I found on the Familiar site and for that I
have the tc and ip commands, but when trying to add a qdisc, as a
dummy example, I get the following answer:

 tc qdisc add dev wlan0 root cbq bandwidth 100Mbit avpkt 100
RTNETLINK answers: Invalid argument

do I have to install some other packages, recompile the kernel or
something else?

thanks in advance,

Marius Corici


Re: [LARTC] 3 internet connexions - Problem with my script

2005-06-22 Thread gypsy
 Jeremy SALMON wrote:
 
 Hi,
 
 I have a problem with my script.
 
 I have a debian with a kernel 2.6.8 patched with patch-2.6.8-ja1.diff
 of nano.txt site.
 
 I have 3 internet connections :

The following disagrees with the script.  Double check your IP
addresses.

 - eth1 :
   - ip : 192.168.8.75
   - gw : 192.168.8.73
 - eth2 :
   - ip : 192.168.1.200
   - gw : 192.168.1.2
 - eth3 :
   - ip : 192.168.2.200
   - gw : 192.168.2.1
 
 and my eth0 for local network (ip : 192.168.212.235)
--==snip==--
 ip rule add prio 222 table 222
 ip route add default scope global \
 nexthop via $GWE1 dev $IFE1 weight 1 \
 nexthop via $GWE2 dev $IFE2 weight 4 \

Set the above to 2 and if that does not work well enough then devise a
round robin method that favors IFE2 more than 1 to 1 but less than 4.

 iptables -t nat -A POSTROUTING -o $IFE3 -s $NWI/$NMI -j MASQUERADE

If possible, use SNAT rather than MASQUERADE.
--
gypsy
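An added check, not part of Jeremy's script or gypsy's reply, that applies gypsy's advice to "double check your IP addresses" mechanically: the Python below takes the IFEx/IPEx/NWEx/NMEx/BRDx/GWEx values from Load_Balancing.sh exactly as posted, derives the subnet that `ip addr add $IP/$NM` actually configures, and reports any declared network or broadcast that disagrees with it, any gateway outside that subnet, and any `ip rule add from $NW/$NM` whose prefix would not match the interface's own address. The WanLink class and the check functions are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class WanLink:
    """One upstream link, mirroring the IFEx/IPEx/NMEx/NWEx/BRDx/GWEx variables."""
    iface: str
    ip: str          # IPEx: address given to 'ip addr add'
    prefix: int      # NMEx: prefix length
    network: str     # NWEx: network used in 'ip rule add from NW/NM'
    broadcast: str   # BRDx: broadcast given to 'ip addr add ... brd'
    gateway: str     # GWEx: next hop used in the per-link default route


# Values copied from the Load_Balancing.sh variables in the post.
LINKS = [
    WanLink("eth2", "192.168.1.200", 24, "192.168.1.0", "192.168.1.255", "192.168.1.2"),
    WanLink("eth1", "196.200.8.75", 29, "196.200.8.0", "196.200.8.255", "196.200.8.73"),
    WanLink("eth3", "192.168.2.200", 24, "192.168.2.0", "192.168.2.255", "192.168.2.1"),
]


def check_link(link):
    """Return (code, message) pairs for every inconsistency in one link; [] if it is consistent."""
    problems = []
    # The subnet 'ip addr add IP/prefix' really puts on the interface.
    configured = ipaddress.ip_interface(f"{link.ip}/{link.prefix}").network
    # The subnet the script declares and later uses in 'ip rule add from NW/NM'.
    declared = ipaddress.ip_network(f"{link.network}/{link.prefix}", strict=False)
    addr = ipaddress.ip_address(link.ip)
    gw = ipaddress.ip_address(link.gateway)

    if declared.network_address != configured.network_address:
        problems.append(("network",
            f"{link.iface}: declared network {declared} but {link.ip}/{link.prefix} configures {configured}"))
    if ipaddress.ip_address(link.broadcast) != configured.broadcast_address:
        problems.append(("broadcast",
            f"{link.iface}: declared broadcast {link.broadcast} but {configured} has {configured.broadcast_address}"))
    if addr not in declared:
        problems.append(("rule",
            f"{link.iface}: 'ip rule add from {declared}' never matches packets sourced from {addr}"))
    if gw not in configured:
        problems.append(("gateway",
            f"{link.iface}: gateway {gw} is not inside {configured}"))
    return problems


def check_all(links):
    """Map each interface name to its list of problems."""
    return {link.iface: check_link(link) for link in links}


if __name__ == "__main__":
    for iface, problems in check_all(LINKS).items():
        if not problems:
            print(f"{iface}: ok")
        for _code, message in problems:
            print(message)
```

Run on the posted values it reports nothing for eth2 and eth3 and three findings for eth1: 196.200.8.75/29 configures 196.200.8.72/29, whose broadcast is 196.200.8.79, so NWE2, BRD2 and the `from 196.200.8.0/29` rule feeding table 202 all describe a different block than the one the interface actually lives in.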


Re: [LARTC] tc on a PDA

2005-06-22 Thread gypsy
Marius Corici wrote:
 
 hello,
 
 I have a 5500 iPaq with Familiar 0.8.2 on it and I don't know how to
 install a traffic shaper tool on it.
 I installed the iproute2 package I found on the Familiar site and for that I
 have the tc and ip commands, but when trying to add a qdisc, as a
 dummy example, I get the following answer:
 
  tc qdisc add dev wlan0 root cbq bandwidth 100Mbit avpkt 100
 RTNETLINK answers: Invalid argument

This suggests no cbq, so you probably need to recompile the kernel.  If
you had to install iproute2 then almost certainly the kernel was not
built for QoS.
 
 do i have to install some other packages, recompile the kernel or
 something else?
 
 thanks in advance,
 
 Marius Corici

Curiosity:  What makes you think shaping is needed on a PDA?
--
gypsy


RE: [LARTC] Help? Router/Bandwidth throttle needed.

2005-06-22 Thread ICI Support
The webpage was helpful in some ways, but I think it is a step too advanced
for me at this time.

I guess what I want to know is if the 'plan' I have is sound?

I want to put a linux box between my cable modem and my lan.  It'll go from
the cablemodem into eth0 then from eth1 to the LAN.

I just want to do complete passthrough (with packets intact) if possible
from one side to the other.  This machine doesn't have to do NAT or
anything.

Then I want to throttle the bandwidth through that box intelligently (I kind
of know how to do that from the Advanced Routing Howto.  I've done it on the
other three servers to throttle the bandwidth down).

Once all that is working, I'll deal with using iptables to firewall.


If this plan is sound, I guess I need to know the vague steps involved to
accomplish the routing.  The throttling I can figure out myself.

-Michael 

 -Original Message-
 From: gypsy [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 20, 2005 10:09 PM
 To: lartc@mailman.ds9a.nl
 Cc: ICI Support
 Subject: Re: [LARTC] Help? Router/Bandwidth throttle needed.
 
 ICI Support wrote:
 
  I hope this list is still active.  I'm an experienced Linux Sysadmin,
 but I
  haven't done much in the way of routing.  Due to a decision made by my
  higherups, I need to jam a computer between my ISP and my LAN to do
  bandwidth throttling.
 
  My current setup:
 
  1 Crappy Cable Modem (7Mb/768Kb connection) with a static IP.
  4 servers (all have static, routable IPs) - One of which is running
 NAT/DHCP
  (2 NICs) for 6 workstations (All using DHCP)
 
  I have 1 spare routable IP.
 
  My current setup has the cable modem plugged directly into my LAN.  But
 it
  ends up this modem doesn't do intelligent traffic/bandwidth management.
 I
  need a way to throttle and poll usage through the modem such that
 neither
  uploads nor downloads will ever use the full capacity (and thus dominate
 the
  router).
 
  Currently, the best I can do, is to throttle some of those 4 servers,
 but
  that doesn't help me with the workstations.   So I figured I'd need to
 jam a
  machine between the modem and the LAN to work as a 'gatekeeper' to
 control
  the bidirectional traffic (and I could use it for a firewall too).
 
  Can someone help me on how I need to set this up?  I have a spare box I
  could easily put two NICs into, if needed, to make it the gatekeeper.
 
  -
 
  Michael Yacht
  CTO
  Ideal Conditions, Inc.
  5329 Beeler Street, #2
  Pittsburgh, PA 15217
  v: 412-325-1375
 
 Michael,
 
 I have exactly your setup except that I have 2 internet connections and
 (at long last) neither is crappy.
 
 http://yesican.chsoft.biz/lartc
 
 The top part of that describes my setup.  Stop when you get to Now we
 have 2 providers.
 
 Short description:  eth0 points to the internal servers which have
 external IPs and I shape the traffic going out on that interface.  eth1
 points to the internet and I shape the traffic going out on that.  In
 order to answer for the 4 internal machines, proxyarp is employed.  Each
 of the 4 internal machines has a firewall, but these are a LOT quieter
 since I put a firewall on this computer grin.
 
 You may also want to ftp andthatsjazz.org/pub/lartc
 --
 gypsy



[LARTC] Help: NIST Net or NetEm ?

2005-06-22 Thread Li, Ji
Hi,

I want to study the multi-path TCP behavior (single TCP connection over
multi-paths), and I am setting up the test bed. I have two machines,
each with two network cards. I have directly connected the two eth0, and I
am trying to figure out how to connect the two eth1 to control the properties
of this connection, so that I can study the TCP on multiple different
paths (different in terms of latency, bandwidth, etc). I know two
possible choices: 

1. Use NIST Net. Put a third machine as a gateway between two eth1,
install NIST Net on this machine so as to control the property of this
path, and use TEQL at end nodes to send packets to both paths.
Questions: How to configure TEQL when there is a gateway (I only found
examples with two direct connections)? Furthermore, can NIST Net be
bound to only eth1 of an end computer so that I don't even need a
gateway machine? 

2. Use NetEm. I just learned about it from the mailing list today. It
seems that NetEm can be bound to one interface (eth1 in this case), so I
don't need a third computer to control the path properties. Is it true?
Which method is better? Is there any method?

Thanks a lot,
-Ji


Re: [LARTC] block p2p: ARES

2005-06-22 Thread Klaus

I did a small test with the new ares version.
It seems they have switched their protocol and it is not detected at the 
moment.


Let's see how difficult the new ares protocol is and how fast we can 
integrate this into ipp2p.


Klaus

:: L i n u XK i D :: wrote:

Hi

I'm trying to set up a LAN router with a P2P filter,
but the problem is that it can't catch Ares.

Is there a way to DROP Ares p2p packets?

I've tried with the last ipp2p snapshot without success...

I've
Kernel 2.4.28
iptables 1.3.0
Various Patches from patch-o-matic-ng-20040621
iproute2-ss020116
IMQ Patch
Esfq Patch
Julian (route) Patch
Debian Woody


This is my MANGLE table...


Chain PREROUTING (policy ACCEPT 8557K packets, 2822M bytes)
 pkts bytes target     prot opt in     out     source               destination
85574   24M p2ptraffic  all  --  *      *       0.0.0.0/0            0.0.0.0/0
.

Chain p2ptraffic (1 references)
 pkts bytes target     prot opt in     out     source               destination
11860 1620K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --bit CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --apple CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --winmx CONNMARK set 0xa
  157       CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --soul CONNMARK set 0xa
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --ares
.
54029   13M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK match 0xa CONNMARK restore


But... ARES packets are not blocked at the moment:
 0 0 DROP     ipp2p v0.7.4 --ares

   :-(

Has somebody successfully blocked ARES?

regards...
Andres.


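An added example, not code from Klaus, Andres or the ipp2p project: a Python parser for the `iptables -t mangle -L p2ptraffic -v -n` output quoted above. It reads the per-rule packet and byte counters and lists which ipp2p matches have never fired, which is the quickest way to tell a detector that no longer recognises a protocol (the --ares DROP sitting at 0 while --ipp2p and --soul count packets) from a chain that receives no traffic at all. The sample text is constructed from the counters in Andres's post; the byte count of the --soul rule is missing there and the value used is a placeholder.

```python
import re

# Constructed sample mirroring the p2ptraffic chain quoted in Andres's post.
# Counters are as posted; the byte count of the --soul rule is missing in the
# post, so 9420 here is a placeholder.
SAMPLE = """\
Chain p2ptraffic (1 references)
 pkts bytes target     prot opt in     out     source               destination
11860 1620K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --bit CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --apple CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --winmx CONNMARK set 0xa
  157  9420 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --soul CONNMARK set 0xa
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.7.4 --ares
54029   13M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK match 0xa CONNMARK restore
"""

COUNTER = re.compile(r"^(\d+)([KMG]?)$")
SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}   # iptables -v rounds to 1000s
IPP2P_OPT = re.compile(r"ipp2p v[\d.]+ (--\S+)")


def counter(token):
    """Expand an 'iptables -v' counter such as '1620K'; None if the token is not a counter."""
    m = COUNTER.match(token)
    return None if m is None else int(m.group(1)) * SCALE[m.group(2)]


def parse_chain(text):
    """Parse the rule lines of 'iptables -L <chain> -v -n' output into dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)      # 9 fixed columns, the remainder is match text
        if len(parts) < 9:
            continue
        pkts, nbytes = counter(parts[0]), counter(parts[1])
        if pkts is None or nbytes is None:
            continue                     # header or 'Chain ...' line
        rules.append({
            "pkts": pkts, "bytes": nbytes, "target": parts[2], "proto": parts[3],
            "in": parts[5], "out": parts[6], "src": parts[7], "dst": parts[8],
            "match": parts[9] if len(parts) > 9 else "",
        })
    return rules


def ipp2p_hits(rules):
    """Map each ipp2p protocol option (--ares, --bit, ...) to its rule's packet count."""
    hits = {}
    for rule in rules:
        m = IPP2P_OPT.search(rule["match"])
        if m:
            hits[m.group(1)] = rule["pkts"]
    return hits


def idle_detectors(rules):
    """ipp2p options whose rule has never matched a packet, in chain order."""
    return [opt for opt, pkts in ipp2p_hits(rules).items() if pkts == 0]


def drop_effective(rules, option):
    """True if a DROP rule using the given ipp2p option has actually hit traffic."""
    return any(r["target"] == "DROP" and option in r["match"] and r["pkts"] > 0
               for r in rules)


if __name__ == "__main__":
    rules = parse_chain(SAMPLE)
    print("never matched:", idle_detectors(rules))
    print("--ares DROP effective:", drop_effective(rules, "--ares"))
```

Because the chain as a whole is clearly seeing traffic (the --ipp2p and the final CONNMARK restore rules count tens of thousands of packets), a zero on the --ares rule points at the signature rather than at the rule placement, which is what Klaus confirms in his reply.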


[LARTC] Question: TEQL via gateway

2005-06-22 Thread Li, Ji
Yesterday I posted a question, but I guess I provided too much detail
and no one would bother to read it, so I am rephrasing the question in
the hope that someone is willing to read it. Sorry to spam.

I am using TEQL on two computers, each with two network interfaces. The
two eth0 are connected directly, and the two eth1 are connected via a
gateway (a linux machine). The problem is that when I send packets
through teql0 to the other machine (ping -I teql0), the packets can't go
through eth1 and all packets go via eth0. But I can send packets via
eth1 directly (ping -I eth1). What's wrong? 

P.S. I put eth1 and teql0 on one computer, and the gateway interface on
the same side into one subnet. I only found TEQL configuration for two
direct links. My routing tables are attached below.

Thanks a lot,
-Ji 


Node 1:
- eth0: 16.119.144.21
- eth1: 16.119.144.33
- teql0: 16.119.144.34

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
16.119.144.66   *               255.255.255.255 UH    0      0        0 teql0
16.119.144.32   *               255.255.255.255 UH    0      0        0 eth1
16.119.144.64   16.119.144.32   255.255.255.252 UG    0      0        0 eth1
16.119.144.0    *               255.255.254.0   U     0      0        0 eth0
16.119.144.0    *               255.255.254.0   U     0      0        0 eth1
16.119.144.0    *               255.255.254.0   U     0      0        0 teql0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         16.119.144.1    0.0.0.0         UG    0      0        0 eth0

Node 2:
- eth0: 16.119.144.27
- eth1: 16.119.144.65
- teql0: 16.119.144.66

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
16.119.144.64   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
16.119.144.34   0.0.0.0         255.255.255.255 UH    0      0        0 teql0
16.119.144.32   16.119.144.64   255.255.255.252 UG    0      0        0 eth1
16.119.144.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
16.119.144.0    0.0.0.0         255.255.254.0   U     0      0        0 eth1
16.119.144.0    0.0.0.0         255.255.254.0   U     0      0        0 teql0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         16.119.144.1    0.0.0.0         UG    0      0        0 eth0

Gateway:
- eth0: 16.119.144.32
- eth1: 16.119.144.64

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
16.119.144.64   0.0.0.0         255.255.255.252 U     0      0        0 eth1
16.119.144.32   0.0.0.0         255.255.255.252 U     0      0        0 eth0
16.119.144.0    0.0.0.0         255.255.254.0   U     0      0        0 eth1
16.119.144.0    0.0.0.0         255.255.254.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         16.119.144.1    0.0.0.0         UG    0      0        0 eth0


RE: [LARTC] Help? Router/Bandwidth throttle needed.

2005-06-22 Thread rsenykoff
 The webpage was helpful in some ways, but I think it is a step too 
advanced
 for me at this time.
 
 I guess what I want to know is if the 'plan' I have is sound?
 
 I want to put a linux box between my cable modem and my lan.  It'll go 
from
 the cablemodem into eth0 then from eth1 to the LAN.
 
 I just want to do complete passthrough (with packets intact) if possible
 from one side to the other.  This machine doesn't have to do NAT or
 anything.
 
 Then I want to throttle the bandwidth through that box intelligently (I 
kind
 of know how to do that from the Advanced Routing Howto.  I've done it on 
the
 other three servers to throttle the bandwidth down).
 
 Once all that is working, I'll deal with using iptables to firewall.
 
 
 If this plan is sound, I guess I need to know the vague steps involved 
to
 accomplish the routing.  The throttling I can figure out myself.
 
 -Michael 
 

Michael,

You're on the right list. Your plan is very doable. A solution would be

 --------   ---------   -------
| cable  |-| linux   |-|  LAN  |
| modem  | | bridge  |  -------
 --------  | w/QoS   |
            ---------

Just so happens I have a HOWTO on my website. You'll need to tweak the 
shaping for your own needs. For your servers you could do a total max 
limit (so users still always get some bandwidth) and implement SFQ 
(fairness queuing) so that if multiple servers are getting hit, they 
divide the bandwidth up as fairly as possible. Using src and dest IP the 
servers could be isolated. Then you could lump all other traffic together. 
Or my preference is to create another class for say port 80, or any other 
apps, that is above the default (bulk traffic).

Here's the HOWTO

http://www.burnpc.com/website.nsf/all/3a64a6369757819686256f960068ad75!OpenDocument


HTH,
-Ron


Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?

2005-06-22 Thread Taylor, Grant
Hmm, interesting question with a myriad of answers, some more complex than 
others.  One point of contention though is that I have never seen a router that 
would forward the traffic on internally to a system on the LAN with the 
external globally routable IP of the router.  All the routers that have the 
concept of a DMZ host in them redirect the traffic to a system on the internal 
LAN with an IP on the internal subnet.  This latter approach is the direction 
that I will go, if you do want the former let me know and I'll chew on it for a 
while.

I would initially attempt to use a standard basic NATing firewall (no frills or 
sanity checks here).

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING

# eth0 will be the internet connection
# eth1 will be the LAN connection.

iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT

#
# If you have any services that you want to be port forwarded to systems other than the DMZ server
# you will need to list them here.
#
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination $IP_of_other_system

#
# This is the line that I'm not sure about and would have to test as I'm not sure it will do what I think.
#
iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -j DNAT --to-destination $IP_of_DMZ_server

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This is completely untested code so test it at your own risk.  This is what I 
would try out of the gate though.



Grant. . . .

John Wigley wrote:
 Hi,
 
 I've asked this elsewhere and received hints but no one seems to have a
 concrete explanation :-
 
 What I am looking to do is to be able to configure a Linux based router to
 be able to share THE SAME SINGLE Public IP address between the linux
 router and a
 single computer on the lan acting as the DMZ host (NOT normal NAT IP
 sharing !).
 
 So basically you have a linux router with two network ports, WAN and LAN.
 The router takes the single ISP-assigned public IP address for its WAN
 interface and then uses a non routable subnet for the LAN port. There are a
 number of machines on the LAN segment and the linux router is performing
 NAT
 for them so that they have internet connectivity - so far this is a
 standard
 normal setup.
 
 Now what I want to do is to simultaneously assign that SAME PUBLIC IP
 address onto one of the LAN computers so that it for all intents and
 purposes is a DMZ host.
 
 Before anyone says that this is mad and that it can't be done, it can be
 done perfectly well and all WESTELL ADSL / Ethernet routers have this
 functionality along with some no name Far Eastern origin broadband routers
 based on a Conexant OEM reference design.
 
 Having thought long and hard about how to do this but not knowing 
 NetFilter
 at all, I realised that the way this must be done is for the router to
 perform a standard NAT function with the added functions of tracking all
 outgoing connections from the DMZ host and entering those into the NAT
 table
 as well, so that it doesn't try to do a Port Address Translation on top of
 an existing outgoing connection from the DMZ host. For incoming
 connections,
 if the incoming packet has a reference in the NAT table then it is directed
 to the originating LAN machine and if not is passed through unmodified to
 the DMZ host.
 
 I have spent much time googling and reading list postings but cannot find
 any reference on how to do this under linux, my guess is that Proxy ARP
 needs to be enabled on the LAN interface and then a 1:1 POST NAT mapping
 set
 to remap all the packets for the DMZ host back to the original public IP
 address but after that I'm stuck.
 
 This is an incredibly useful feature which I've used on the Westell routers
 for some time, but now want to move to a Linux based router to be able
 to do
 QOS, as it allows all the benefits of NAT for sharing a single IP address
 but also the benefits of a routed connection for NAT unaware applications
 like IPSEC AH, and some VOIP implementations.
 
 Any advice on setting this up would be much appreciated,
 
 Thanks,
 
 John Wigley



Re: [LARTC] Question: TEQL via gateway

2005-06-22 Thread Taylor, Grant
I think this has to do with an age old issue (problem or feature, you decide).  
Linux (and most other unices and other OSs in general) will pick the first 
interface on a subnet to use as the source interface to send the traffic out.  
I think this is more akin to what bonding is designed to answer.  My question is: 
are you really wanting the 2nd leg of the teql link to be via a different 
path, or were you just doing that to test whether you were really sending 
traffic out both interfaces?  If you can have a direct crossover cable on both 
interfaces and you are wanting more aggregate bandwidth, take a look at bonding; 
I think it will serve you better.  Disclaimer: I have not worked with teql or 
bonding myself directly and this is based on what reading I have done, that 
being more on bonding than teql.



Grant. . . .

Li, Ji wrote:
 Yesterday I posted a question, but I guess too much detail is provided
 that no one would bother to read, so I rephrase the question and
 hopefully some one may be willing to read. Sorry to spam.
 
 I am using TEQL on two computers, each with two network interfaces. The
 two eth0 are connected directly, and the two eth1 are connected via a
 gateway (a linux machine). The problem is that when I send packets
 through teql0 to the other machine (ping -I teql0), the packets can't go
 through eth1 and all packets go via eth0. But I can send packets via
 eth1 directly (ping -I eth1). What's wrong? 
 
 P.S. I put eth1 and teql0 on one computer, and the gateway interface on
 the same side into one subnet. I only found TEQL configuration for two
 direct links. My routing tables are attached below.
 
 Thanks a lot,
 -Ji 
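An added example, not from Ji's post or Grant's reply: Python that parses Node 1's routing table as posted, performs the longest-prefix match the kernel does, and reports which neighbour address the chosen route's interface would have to resolve for the next hop. It shows that a packet to 16.119.144.66 selects the /32 host route on teql0 rather than the 16.119.144.64/30 route via the gateway, that the host route has no gateway so the address to resolve is 16.119.144.66 itself (which is what Ji sees eth1 ARPing for), and that the three /23 routes tie so the first one listed (eth0) wins, as Grant describes. Tie-breaking on table order and the `next_hop` helper are assumptions of this example.

```python
import ipaddress

# Node 1's table from the post (route -n style output, one row per line).
NODE1_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
16.119.144.66   *               255.255.255.255 UH    0      0        0 teql0
16.119.144.32   *               255.255.255.255 UH    0      0        0 eth1
16.119.144.64   16.119.144.32   255.255.255.252 UG    0      0        0 eth1
16.119.144.0    *               255.255.254.0   U     0      0        0 eth0
16.119.144.0    *               255.255.254.0   U     0      0        0 eth1
16.119.144.0    *               255.255.254.0   U     0      0        0 teql0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         16.119.144.1    0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Turn 'route -n' style rows into (network, gateway-or-None, iface) tuples, keeping table order."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        dst, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dst == "default":
            dst = "0.0.0.0"
        network = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.ip_address(gw)
        routes.append((network, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the first row wins (assumed, per the thread)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    network, gateway, iface = best
    return iface, (None if gateway is None else str(gateway)), network.prefixlen


def next_hop(routes, dst):
    """(iface, address) the chosen route must resolve with ARP: the gateway, or dst itself when on-link."""
    iface, gateway, _ = lookup(routes, dst)
    return iface, (dst if gateway is None else gateway)


if __name__ == "__main__":
    routes = parse_routes(NODE1_ROUTES)
    for target in ("16.119.144.66", "16.119.144.65", "16.119.144.27", "8.8.8.8"):
        print(target, "->", lookup(routes, target), "resolve", next_hop(routes, target))
```

Contrast 16.119.144.66 with 16.119.144.65: the latter falls through to the /30 route, so its next hop is the gateway 16.119.144.32, which eth1 can resolve on its own link; the teql0 host route for .66 carries no gateway, so every slave interface is asked to resolve .66 directly.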


[LARTC] dropping tokens

2005-06-22 Thread Fatih Düzova
Hello,
For test purposes, I want to drop tokens with determined
probabilities in an HTB structure. But I do not know how I could do
this, in fact due to being a newbie. I'd appreciate it if anyone could help
and suggest something. Thanks,

FDuzova


RE: [LARTC] Question: TEQL via gateway

2005-06-22 Thread Li, Ji
Yes, I really need two physical links to do my job.
Also, when I connect the two eth0 and the two eth1 directly, TEQL does send half of
the packets to each link. It only doesn't work when I put a gateway
between the eth1 interfaces.
It seems that the way TEQL works is that it tries to put packets on both
interfaces. However, if one interface is not working, then it just sends
all packets to the other. When I ping -I teql0 IP_of_teql0_of_the_other_end,
eth1 broadcasts an ARP request for the MAC address of the destination,
and because the IP is in another subnet, it can't get any answer,
although I have specified the gateway for that IP. So TEQL sends all
packets to eth0. Don't know what's wrong.

-Ji 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Taylor, Grant
Sent: Wednesday, June 22, 2005 3:01 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Question: TEQL via gateway

I think this has to do with an age old issue (problem or feature, you
decide).  Linux (and most other unices and other OSs in general) will
pick the first interface on a subnet to use as the source interface to
send the traffic out.  I think this is more akin to what bonding is
designed to answer.  My question is: are you really wanting the 2nd
leg of the teql link to be via a different path, or were you just doing that
to test whether you were really sending traffic out both interfaces?
If you can have a direct crossover cable on both interfaces and you are
wanting more aggregate bandwidth, take a look at bonding; I think it will
serve you better.  Disclaimer: I have not worked with teql or bonding
myself directly and this is based on what reading I have done, that being
more on bonding than teql.



Grant. . . .

Li, Ji wrote:
 Yesterday I posted a question, but I guess too much detail is provided

 that no one would bother to read, so I rephrase the question and 
 hopefully some one may be willing to read. Sorry to spam.
 
 I am using TEQL on two computers, each with two network interfaces. 
 The two eth0 are connected directly, and the two eth1 are connected 
 via a gateway (a linux machine). The problem is that when I send 
 packets through teql0 to the other machine (ping -I teql0), the 
 packets can't go through eth1 and all packets go via eth0. But I can 
 send packets via
 eth1 directly (ping -I eth1). What's wrong? 
 
 P.S. I put eth1 and teql0 on one computer, and the gateway interface 
 on the same side into one subnet. I only found TEQL configuration for 
 two direct links. My routing tables are attached below.
 
 Thanks a lot,
 -Ji


Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?

2005-06-22 Thread Taylor, Grant
Matt this is a very interesting idea, along the lines of a solution that I did 
not want to try to get straight in my head.  The question that I run into is how 
does the system handle returning (outbound) internet traffic from systems not 
in the DMZ?  The way that I read and understand your idea I can't tell how the 
returning traffic will not be sent to the DMZ.  Other than that I think this 
idea is a very good one.

The idea that comes to my mind, but sadly will not work as I know it, is to use 
EBTables to bridge the internet and LAN interface and use the EBTables brouting 
table BROUTING chain to decide if the traffic should be bridged or not based on 
a connection tracking state, i.e. if the traffic is not related to any outbound 
LAN traffic then bridge the traffic over to the DMZ server, if it is related 
DROP the traffic in the BROUTING table which causes it to be routed.  You would 
obviously need to have at least an aliased interface on the LAN interface to do 
the routing with.  But I don't know of any match extension for EBTables that 
will test based on whether or not the NetFilter Connection Tracking code has 
seen the traffic or not.  However I think this would be a useful match 
extension, and guessing I don't think it would be hard to write though I am not 
qualified to do so or really speculate.



Grant. . . .

Matthew Lowe wrote:
 There's only one reason I could possibly see someone wanting to do this. That 
 is to fool server software on the DMZ into using the public IP address. For 
 example, say the server was sending out the local IP address to the clients 
 to initiate further connections. If the server software is not firewall 
 friendly it may not check for the external IP and rather would send the 
 internal IP. Other than that, I can't see any reason to do this.
 
 Anyway, here's the dilemma. You cannot change the destination IP address of a 
 packet prior to routing. If that IP address you're sending to is the same IP 
 address that is assigned to one of the interfaces on the router then your 
 packet will not be sent out the LAN interface. This is because when 
 traversing the route tables, the first table, local, will match the packet. 
 
 This problem seems rather complex at first. Assuming you don't change the 
 local table at all you can accomplish what you want to do by adding in a 
 second linux router. Basically you would run NAT and DMZ just like a normal 
 network with private IPs. The DMZ would be assigned a space holder ip 
 address, like 192.168.0.10. The second linux router would forward all 
 traffic, except traffic that matched 192.168.0.10, for this traffic it would 
 translate the IP address to the public IP address. This functionality can be 
 condensed into one machine by adding two interfaces to the machine and 
 building a bridge between the interfaces. By looping the LAN interface through 
 this bridge, you can then perform the DNAT as the traffic passes through the 
 bridge. This requires the br-nf patch for 2.4 kernels (not required for 2.6). 
 
 There is however a simpler solution. It didn't occur to me at first because 
 I've never done it, and never had a need to. Anyway, you need to make two 
 extra routing tables in /etc/iproute2/rt_tables. Call them local2 and dmz. 
 You need to delete the public ip route from the local table and move it to 
 the local2 table. Then you need to add a rule to the other table that looks 
 like this:
 ip route add 2.2.2.2 dev eth1 table dmz
 2.2.2.2 is your public ip, and eth1 is your lan interface. Change them for 
 your setup.
 Now you need to add the rules to lookup these tables in the correct order. 
 ip rule add from all lookup local2
 ip rule add fwmark 1 lookup dmz
 
 This will send any traffic with the public IP out over your lan interface 
 _IF_ it is marked with the value 1. Otherwise it will operate just like 
 normal. Now you should setup your NAT settings for the network. Set it up 
 without anything special for the DMZ. Do it as if there was no DMZ and you 
 were just performing SNAT for the entire private network. 
 
 Then, add the rule to mark traffic you want to go to the dmz. 
 
 iptables -t mangle -A PREROUTING -d 2.2.2.2 -j MARK --set-mark 1
 
 Pretty simple eh? I've never tested it, but in theory it should work. 
 
 Hope that helps,
 - Matt



RE: [LARTC] Help? Router/Bandwidth throttle needed.

2005-06-22 Thread ICI Support
I want to thank everyone so much for their help, especially Peter Surda who
was invaluable as we traded email all day long.

I've got the bridge working, got good queuing going.  Now I'll work on the
firewall (which I can do myself.. hehe)

You guys are awesome.  If this works well I'll be back in a month or so as
we add a second cable modem to the pool and you can help me figure out how
to get some cool routing done ;)

-Mike




Re: [LARTC] Help? Router/Bandwidth throttle needed.

2005-06-22 Thread gypsy
ICI Support wrote:
 
 The webpage was helpful in some ways, but I think it is a step too advanced
 for me at this time.

I don't wish to be rude, but if you cannot get what you want from
rc.proxyarp then you need to hire someone with the expertise to do this
for you.

 I guess what I want to know is if the 'plan' I have is sound?

It is a sound plan.  Actually, I cannot think of any alternate; that's
why I did it this way.  So I'd call it the ONLY plan.
 
 I want to put a linux box between my cable modem and my lan.  It'll go from
 the cablemodem into eth0 then from eth1 to the LAN.

The only difference between what you describe and rc.proxyarp is that
the interfaces are switched.  You might like to know that rc.proxyarp
runs on an AMD K6 233 CPU with 192Mb RAM, 6Gb (IIRC) HD and 3 NICs; the
point is that it does not take a lot of horsepower.  eth0 connects to
a 5 port switch, and the 4 computers with external IPs connect to that
switch.
 
 I just want to do complete passthrough (with packets intact) if possible
 from one side to the other.  This machine doesn't have to do NAT or
 anything.

That's exactly what rc.proxyarp accomplishes.
--
gypsy
 
 Then I want to throttle the bandwidth through that box intelligently (I kind
 of know how to do that from the Advanced Routing Howto.  I've done it on the
 other three servers to throttle the bandwidth down).
 
 Once all that is working, I'll deal with using iptables to firewall.
 
 If this plan is sound, I guess I need to know the vague steps involved to
 accomplish the routing.  The throttling I can figure out myself.
 
 -Michael
 
  -Original Message-
  From: gypsy [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 20, 2005 10:09 PM
  To: lartc@mailman.ds9a.nl
  Cc: ICI Support
  Subject: Re: [LARTC] Help? Router/Bandwidth throttle needed.
 
  ICI Support wrote:
  
   I hope this list is still active.  I'm an experienced Linux Sysadmin,
  but I
   haven't done much in the way of routing.  Due to a decision made by my
   higherups, I need to jam a computer between my ISP and my LAN to do
   bandwidth throttling.
  
   My current setup:
  
   1 Crappy Cable Modem (7Mb/768Kb connection) with a static IP.
   4 servers (all have static, routable IPs) - One of which is running
  NAT/DHCP
   (2 NICs) for 6 workstations (All using DHCP)
  
   I have 1 spare routable IP.
  
   My current setup has the cable modem plugged directly into my LAN.  But
  it
   ends up this modem doesn't do intelligent traffic/bandwidth management.
  I
   need a way to throttle and poll usage through the modem such that
  neither
   uploads nor downloads will ever use the full capacity (and thus dominate
  the
   router).
  
   Currently, the best I can do, is to throttle some of those 4 servers,
  but
   that doesn't help me with the workstations.   So I figured I'd need to
  jam a
   machine between the modem and the LAN to work as a 'gatekeeper' to
  control
   the bidirectional traffic (and I could use it for a firewall too).
  
   Can someone help me on how I need to set this up?  I have a spare box I
   could easily put two NICs into, if needed, to make it the gatekeeper.
  
   -
  
   Michael Yacht
   CTO
   Ideal Conditions, Inc.
   5329 Beeler Street, #2
   Pittsburgh, PA 15217
   v: 412-325-1375
 
  Michael,
 
  I have exactly your setup except that I have 2 internet connections and
  (at long last) neither is crappy.
 
  http://yesican.chsoft.biz/lartc
 
  The top part of that describes my setup.  Stop when you get to Now we
  have 2 providers.
 
  Short description:  eth0 points to the internal servers which have
  external IPs and I shape the traffic going out on that interface.  eth1
  points to the internet and I shape the traffic going out on that.  In
  order to answer for the 4 internal machines, proxyarp is employed.  Each
  of the 4 internal machines has a firewall, but these are a LOT quieter
  since I put a firewall on this computer grin.
 
  You may also want to ftp andthatsjazz.org/pub/lartc
  --
  gypsy


Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?

2005-06-22 Thread Matthew Lowe
Yes, you are right. After I posted that message, I realized I left out some 
parts that are probably not obvious enough to be left out. 

Packets originating at the DMZ going out will be routed correctly. No additional 
work needs to be done to fix that. However, the return packets on those 
connections need to be identified and MARKed with value 1. It's important to 
take note that almost all packets are going to be MARKed already, since it is 
after all the DMZ. 

The real problem is connections originating from the router. The return packets 
on these connections will get forwarded to the DMZ. Now this may not be a 
problem at all, if you don't want your router to be accessed from the 
outside world. In fact, we can take a page from software developers around the 
world and call this a feature. The device operates transparently by default :P 

The work around for this is rather complex and requires an additional interface 
on the private network side (using 192.168.0.24 in this example) as well as a 
kernel patch. The general idea is this, first we add a rule to the OUTPUT chain.

iptables -t mangle -A OUTPUT -j MARK --set-mark 2

All locally generated traffic will have a MARK of value 2. Now we must create 
another routing table called looper. Add the correct rule to lookup the table.

ip rule add fwmark 2 lookup looper

We then take advantage of iproute's dummy nat.

ip rule add nat 192.168.0.24 fwmark 2

(Since we push rules on to the top of the rule list, we have to do it in this 
order.)

In the looper table we need to put two routes. First the network route for the 
internal network, and second the default gateway. There is one very important 
item in these routes, and that is, we are specifying our new interface (eth2). 

ip route add 192.168.0.0/24 dev eth2 src 192.168.0.24 table looper
ip route add default via 192.168.0.1 dev eth2 table looper

That's it for the routing and firewall rules. Now you need to rebuild the 
kernel, after patching it with the send-to-self patch. This patch will allow 
you to talk from 192.168.0.24 to 192.168.0.1 over the wire instead of 
internally through the kernel. I'm not 100% sure that you need to send the 
packet out over the wire. The deciding factor is whether or not the packet will 
pass through the POSTROUTING chain. If it does, it may be possible to eliminate 
the second interface altogether. If you decide to eliminate the interface and 
give it a try, keep in mind you need to change the mark on the packet. This 
will do:

# Uncomment only if you are not using a third interface
#iptables -t mangle -A PREROUTING -m mark --mark 2 -j MARK --set-mark 0

Load up the new kernel. Add two lines to your firewall script:

echo 1 > /proc/sys/net/ipv4/conf/eth1/loop
echo 1 > /proc/sys/net/ipv4/conf/eth2/loop

And there you have it. Wow, what a mess. I guess it could be worse... it could 
look like my routing setup :P 

One more thing, on the DMZ client you have to specify the gateway as 
192.168.0.1 and add a route into the routing table for 192.168.0.0/24. You 
might also have to make a few exceptions in the firewall if you have rules to 
prevent spoofing. 

I hope that covers it all,
Matt

- Original Message -
From: Taylor, Grant [EMAIL PROTECTED]
Date: Wednesday, June 22, 2005 5:33 pm
Subject: Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?

 Matt this is a very interesting idea, along the lines of a 
 solution that I did not want to try to get straight in my head.  The 
 question that I run in to is how does the system handle returning 
 (outbound) internet traffic from systems not in the DMZ?  The way 
 that I read and understand your idea I can't tell how the 
 returning traffic will not be sent to the DMZ.  Other than that I 
 think this idea is a very good one.
 
 The idea that comes to my mind, but sadly will not work as I know 
 it, is to use EBTables to bridge the internet and LAN interface 
 and use the EBTables brouting table BROUTING chain to decide if 
 the traffic should be bridged or not based on a connection 
 tracking state, i.e. if the traffic is not related to any outbound 
 LAN traffic then bridge the traffic over to the DMZ server, if it 
 is related DROP the traffic in the BROUTING table which causes it 
 to be routed.  You would obviously need to have at least an 
 aliased interface on the LAN interface to do the routing with.  
 But I don't know of any match extension for EBTables that will 
 test based on whether or not the NetFilter Connection Tracking 
 code has seen the traffic or not.  However I think this would be a 
 useful match extension, and guessing I don't think it would be 
 hard to write though I am not qualified to do so or really speculate.
 
 
 
 Grant. . . .


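Matt's two posts above (the local2/dmz tables selected by a fwmark, and the follow-up about replies to connections the router itself opens) as one worked script. This is an added example, not Matt's code or anything from the list: it uses explicit rule preferences instead of relying on the insertion order of bare "ip rule add", and it handles the router-originated-connection case with iptables CONNMARK, a conntrack-based alternative to the looper table, the dummy NAT rule and the send-to-self patch described above, so no extra interface is needed. The addresses, interface names, table numbers 201/202, mark values and the SNAT rule are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original posts: the "same public IP on the
# router and on a DMZ host" setup from this thread, as a script that can print
# (show) or apply (as root) the commands in the right order. Addresses,
# interface names, table numbers and marks are assumptions for illustration.

PUB_IP="${PUB_IP:-2.2.2.2}"          # public IP held by the router AND the DMZ host
LAN_IF="${LAN_IF:-eth1}"             # interface facing the LAN / DMZ host
WAN_IF="${WAN_IF:-eth0}"             # interface facing the ISP
LAN_NET="${LAN_NET:-192.168.0.0/24}" # private network behind the router
MARK_DMZ=1                           # fwmark: hand this packet to the DMZ host
MARK_SELF=2                          # connmark: connection opened by the router itself
TBL_LOCAL2=201                       # holds the "local" entry moved out of table local
TBL_DMZ=202                          # sends PUB_IP out over the LAN interface
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_routing() {
    # Take PUB_IP out of the kernel's local table so the rule order below, not
    # the implicit local lookup at pref 0, decides whether a packet is delivered here.
    run ip route del local "$PUB_IP" dev "$WAN_IF" table local
    run ip route add local "$PUB_IP" dev "$WAN_IF" table "$TBL_LOCAL2"
    run ip route add "$PUB_IP" dev "$LAN_IF" table "$TBL_DMZ"
    # Explicit preferences: the dmz table must be consulted before local2.
    # Relying on where a bare "ip rule add" lands is fragile and hard to audit.
    run ip rule add pref 100 fwmark "$MARK_DMZ" lookup "$TBL_DMZ"
    run ip rule add pref 200 lookup "$TBL_LOCAL2"
}

setup_marking() {
    # Connections the router opens itself are remembered in the conntrack mark,
    # so their replies (addressed to PUB_IP) stay here instead of going to the
    # DMZ host. Conntrack runs before mangle in OUTPUT and PREROUTING, so the
    # state match and the restore below see the connection entry.
    run iptables -t mangle -A OUTPUT -m state --state NEW -j CONNMARK --set-mark "$MARK_SELF"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Everything else addressed to PUB_IP goes to the DMZ host. De-NATted replies
    # for LAN hosts are unaffected: nat PREROUTING rewrites their destination
    # after mangle, and the dmz table holds only the PUB_IP/32 route, so the
    # marked lookup falls through to main.
    run iptables -t mangle -A PREROUTING -d "$PUB_IP" -m mark --mark 0 -j MARK --set-mark "$MARK_DMZ"
}

setup_nat() {
    # Plain SNAT for the private network, exactly as if there were no DMZ host.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUB_IP"
}

show_checks() {
    # Afterwards: the marked lookup must pick LAN_IF, the unmarked one must be a
    # local route, and martian logging shows whether the kernel rejects the DMZ
    # host's packets (their source is an address this router also holds).
    run ip route get "$PUB_IP" mark "$MARK_DMZ"
    run ip route get "$PUB_IP"
    run sysctl -w "net.ipv4.conf.$LAN_IF.log_martians=1"
}

setup_all() {
    setup_routing
    setup_marking
    setup_nat
    show_checks
}

case "${1:-}" in
    apply) setup_all ;;            # execute the commands (needs root)
    show)  DRY_RUN=1; setup_all ;; # print the commands only
esac
```

Run it with "show" first and read the command list before "apply". The part to verify on a live box is what the script cannot decide for you: whether the kernel accepts forwarded packets from the DMZ host whose source address is also local to the router. Watch the martian log it turns on, and keep the thread's own caveats in mind about anti-spoofing rules and the send-to-self patch.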