Re: [LARTC] IPSec tunnel mode, through a IPIP tunnel
Small info to add: I am using a 2.4 kernel (RH-9) and the packets currently are going through IPSec, then getting routed through eth0 directly (but I want them to go through tunl0).

Prasad Prasad wrote:
> Hello Gurus,
>
> I have a small problem with routing and here are the details.
>
> Interfaces on my server:
> * ipsec0 - 172.19.58.94
> * tunl0 - 172.19.58.94
> * eth0 - 172.19.58.94
>
> Now, the problem is that there is another host 172.19.58.200. All communication to 172.19.58.200 should be through tunl0, and all the data should be secured using IPSec (tunnel mode - because there are more machines on my network and 172.19.58.94 is the gateway through which they access 172.19.58.200). How can this be achieved???
>
> Here is what I did:
>
> 1. Default route for 172.19.58.200 is ipsec0
>    route add -host 172.19.58.200 dev ipsec0
> 2. Mark all packets after being routed through ipsec0
>    iptables -t mangle -A POSTROUTING -o ipsec0 -j MARK --set-mark 1
> 3. Create a routing rule and add the new rule
>    ip rule add fwmark 1 table tunnel
> 4. Create routing entries for table 'tunnel'
>    ip route add 172.19.58.200 dev tunl0
>
> Well, all this assumes that once the packet enters the ipsec tunnel, after encapsulation the packets are routed afresh based on the routing tables.
>
> Could the gurus help me fix this!!!
>
> Thanks,
> Prasad

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] IPSec tunnel mode, through a IPIP tunnel
Hello Gurus,

I have a small problem with routing and here are the details.

Interfaces on my server:
* ipsec0 - 172.19.58.94
* tunl0 - 172.19.58.94
* eth0 - 172.19.58.94

Now, the problem is that there is another host 172.19.58.200. All communication to 172.19.58.200 should be through tunl0, and all the data should be secured using IPSec (tunnel mode - because there are more machines on my network and 172.19.58.94 is the gateway through which they access 172.19.58.200). How can this be achieved???

Here is what I did:

1. Default route for 172.19.58.200 is ipsec0
   route add -host 172.19.58.200 dev ipsec0
2. Mark all packets after being routed through ipsec0
   iptables -t mangle -A POSTROUTING -o ipsec0 -j MARK --set-mark 1
3. Create a routing rule and add the new rule
   ip rule add fwmark 1 table tunnel
4. Create routing entries for table 'tunnel'
   ip route add 172.19.58.200 dev tunl0

Well, all this assumes that once the packet enters the ipsec tunnel, after encapsulation the packets are routed afresh based on the routing tables.

Could the gurus help me fix this!!!

Thanks,
Prasad
[LARTC] bandwidth limitation help
Hi,

I am new to the mailing list so I'm not sure if anybody reads these, but here goes nothing.

I recently read the Linux Advanced Routing & Traffic Control HOWTO and have been trying to test my applications using bandwidth limitation. All the examples described in the HOWTO do not simulate the conditions I need to test my software.

What I would like is for my bandwidth limitation to empty my UDP buffer at a given rate. I have tried using a simple TBF to do this, but all that happens is that my application floods the TBF buffer at link speed and the TBF buffer quickly overflows and drops packets. I want the packets to actually stay in the UDP buffer and be emptied at a given rate without modifying my application.

I don't know if any of you are familiar with netem, but it can be used in conjunction with tc to add delay to a link. Surprisingly, packets delayed by netem appear to remain in the UDP buffer until it is time for them to be sent. I would like this same behavior of keeping the packets in the UDP buffer, but with bandwidth limitation on the rate at which the buffer empties, not just packet delay.

Has anybody ever done anything like this or can point me to some resources?

Thank you,
Ted P.
Re: [LARTC] linux transparent bridge running squid and dansguardian
On Monday 24 July 2006 16:33, William Bohannan wrote:
> Thanks for the quick reply. Although I have had no success, I have been
> trying all day using both physdev and ebtables, neither of which I can get
> working :( Please help - below is what I am currently using.
>

Try this, it is a one-line simple modified version of your first post script. If this proof of concept works, then add all the other iptables rules that you want.

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

--
Luciano
Re: [LARTC] Routed network + web-cache
Nataniel,

www.balabit.com/downloads/tproxy/linux-2.6/

patch squid, kernel and iptables !!

Sds.

Alexandre J Correa
Onda Internet / OPinguim.net Webhosting
www.ondainternet.com.br
www.opinguim.net

Adorean Alexandru Raul wrote:
> Nataniel Klug wrote:
>> Hello all,
>>
>> I have a small ISP and I work all my clients' networks over a routed network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my clients).
>>
>> The gateway server of the ISP is capable of running a web-cache (only http) using squid but I don't want my clients to go to the internet with the proxy/cache IP. Like when they enter this site www.meuip.com.br it shows only the proxy/gw server ip and not the client ip.
>>
>> Is there some way to make this happen?
>>
>> Att,
>> Nataniel Klug
>
> Yelow.
>
> From what I know about squid it can't be done. You are stuck, because the proxy makes the request, not the client, thus you have the proxy server ip. Some pages use a TCP header to recognise the ip behind the proxy server (X_FORWARDED_FOR I believe..)
>
> Good luck,
> Adorean Alexandru Raul
Re: [LARTC] Routed network + web-cache
On Tuesday 25 July 2006 07:54, Nataniel Klug wrote:
> Hello all,
>
> I have a small ISP and I work all my clients networks over a routed
> network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my
> clients).
>
> The gateway server of the ISP is capable of running a web-cache
> (only http) using squid but I dont want that my clients go to the
> internet with the proxy/cache IP. Like when they enter in this site
> www.meuip.com.br it shows only the proxy/gw server ip and not the client
> ip.
>
> There is some way to make this happens?

yes, but you'll need a patched kernel, because squid will need to bind non-local addresses. See the squid FAQ about this, and follow the link in there:

http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.13

--
Luciano
Re: [LARTC] problem in Route add using netlink
VijayaLakshmi Seshadri wrote:

Hi all

I am trying to implement "route add" using netlink. The changes are not reflected in the routing table. I have given my code and screen shots of the routing tables. Can anybody tell me if there is any mistake I am making in defining the fields, or any other mistake I am committing?

thanks
viji

CODE

// Note: the archive stripped the header names from the ten #include lines;
// these are the headers the program needs.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define BUFSIZE 192

struct route_info {
    u_int dstAddr;
    u_int srcAddr;
    u_int gateWay;
    char ifName[IF_NAMESIZE];
};

void fillRoute(struct route_info *rinfo, const char *dstAddr, const char *srcAddr,
               const char *gateway, const char *ifName)
{
    /* Convert from the standard numbers-and-dots notation to binary data */
    inet_aton("192.168.51.0", (struct in_addr *)&rinfo->dstAddr);
    inet_aton("192.168.51.90", (struct in_addr *)&rinfo->gateWay);
}

int addAttr(struct nlmsghdr *nlhdr, int maxlen, int type, void *data, int alen)
{
    struct rtattr *rta;
    int len = RTA_LENGTH(alen);

    if (NLMSG_ALIGN(nlhdr->nlmsg_len) + len > maxlen)
        return -1;
    rta = (struct rtattr *)((char *)nlhdr + NLMSG_ALIGN(nlhdr->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = len;
    memcpy(RTA_DATA(rta), data, alen);
    nlhdr->nlmsg_len = NLMSG_ALIGN(nlhdr->nlmsg_len) + len;
    return 0;
}

int main()
{
    struct nlmsghdr *nlMsg;
    struct rtmsg *rtMsg;
    char dstAddr[30];
    char srcAddr[30];
    char gateway[30];
    char ifName[30];
    char msgBuf[BUFSIZE];
    struct route_info rinfo;
    int sock, len, msgSeq = 0;
    int val, i;

    /* Create Socket */
    if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0)
        perror("Socket Creation: ");

    /* Initialize the buffer */
    memset(msgBuf, 0, BUFSIZE);

    /* point the header and the msg structure pointers into the buffer */
    nlMsg = (struct nlmsghdr *)msgBuf;
    rtMsg = (struct rtmsg *)NLMSG_DATA(nlMsg);

    /* Fill in the nlmsg header */
    nlMsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); // Length of message.
    nlMsg->nlmsg_type = RTM_NEWROUTE;  // Get the routes from kernel routing table .
    nlMsg->nlmsg_flags = NLM_F_CREATE; // The message is a request for dump.
    nlMsg->nlmsg_seq = msgSeq++;       // Sequence of the message packet.
    nlMsg->nlmsg_pid = getpid();       // PID of process sending the request.

    rtMsg->rtm_family = AF_INET;
    rtMsg->rtm_table = RT_TABLE_UNSPEC;
    rtMsg->rtm_dst_len = 16;
    rtMsg->rtm_src_len = 16;
    rtMsg->rtm_scope = RT_SCOPE_UNIVERSE;
    rtMsg->rtm_type = RTN_UNICAST;
    rtMsg->rtm_protocol = RTPROT_UNSPEC;
    rtMsg->rtm_flags = RTM_F_NOTIFY;

    fillRoute(&rinfo, dstAddr, srcAddr, gateway, ifName);
    addAttr(nlMsg, BUFSIZE, RTA_DST, &rinfo.dstAddr, 4);
    addAttr(nlMsg, BUFSIZE, RTA_GATEWAY, &rinfo.gateWay, 4);

    /* Send the request */
    if ((val = send(sock, nlMsg, nlMsg->nlmsg_len, 0)) < 0) {
        printf("Write To Socket Failed...\n");
        return -1;
    }
    printf(" No of Bytes sent %d \n", val);
    printf(" Value that is sent \n ");
    for (i = 0; i < val; i++)
        printf("%u", msgBuf[i]);
    printf("\n");
    close(sock);
    return 0;
}

// OUTPUT

[EMAIL PROTECTED] netlink_addroute.c -o addroute
[EMAIL PROTECTED] ./addroute
 No of Bytes sent 44
 Value that is sent
 44000240044294967239880021616101008010429496723242949672085108050429496723242949672085190

// SCREEN SHOTS

*Routing table before execution of program*

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         embedded        0.0.0.0         UG    0      0        0 eth0

*Routing table after the execution of program*

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0
Re: [LARTC] Routed network + web-cache
Nataniel Klug wrote:
> Hello all,
>
> I have a small ISP and I work all my clients' networks over a routed network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my clients).
>
> The gateway server of the ISP is capable of running a web-cache (only http) using squid but I don't want my clients to go to the internet with the proxy/cache IP. Like when they enter this site www.meuip.com.br it shows only the proxy/gw server ip and not the client ip.
>
> Is there some way to make this happen?
>
> Att,
> Nataniel Klug

Yelow.

From what I know about squid it can't be done. You are stuck, because the proxy makes the request, not the client, thus you have the proxy server ip. Some pages use a TCP header to recognise the ip behind the proxy server (X_FORWARDED_FOR I believe..)

Good luck,
Adorean Alexandru Raul
[LARTC] problem in Route add using netlink
Hi all

I am trying to implement "route add" using netlink. The changes are not reflected in the routing table. I have given my code and screen shots of the routing tables. Can anybody tell me if there is any mistake I am making in defining the fields, or any other mistake I am committing?

thanks
viji

CODE

// Note: the archive stripped the header names from the ten #include lines;
// these are the headers the program needs.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define BUFSIZE 192

struct route_info {
    u_int dstAddr;
    u_int srcAddr;
    u_int gateWay;
    char ifName[IF_NAMESIZE];
};

void fillRoute(struct route_info *rinfo, const char *dstAddr, const char *srcAddr,
               const char *gateway, const char *ifName)
{
    /* Convert from the standard numbers-and-dots notation to binary data */
    inet_aton("192.168.51.0", (struct in_addr *)&rinfo->dstAddr);
    inet_aton("192.168.51.90", (struct in_addr *)&rinfo->gateWay);
}

int addAttr(struct nlmsghdr *nlhdr, int maxlen, int type, void *data, int alen)
{
    struct rtattr *rta;
    int len = RTA_LENGTH(alen);

    if (NLMSG_ALIGN(nlhdr->nlmsg_len) + len > maxlen)
        return -1;
    rta = (struct rtattr *)((char *)nlhdr + NLMSG_ALIGN(nlhdr->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = len;
    memcpy(RTA_DATA(rta), data, alen);
    nlhdr->nlmsg_len = NLMSG_ALIGN(nlhdr->nlmsg_len) + len;
    return 0;
}

int main()
{
    struct nlmsghdr *nlMsg;
    struct rtmsg *rtMsg;
    char dstAddr[30];
    char srcAddr[30];
    char gateway[30];
    char ifName[30];
    char msgBuf[BUFSIZE];
    struct route_info rinfo;
    int sock, len, msgSeq = 0;
    int val, i;

    /* Create Socket */
    if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0)
        perror("Socket Creation: ");

    /* Initialize the buffer */
    memset(msgBuf, 0, BUFSIZE);

    /* point the header and the msg structure pointers into the buffer */
    nlMsg = (struct nlmsghdr *)msgBuf;
    rtMsg = (struct rtmsg *)NLMSG_DATA(nlMsg);

    /* Fill in the nlmsg header */
    nlMsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); // Length of message.
    nlMsg->nlmsg_type = RTM_NEWROUTE;  // Get the routes from kernel routing table .
    nlMsg->nlmsg_flags = NLM_F_CREATE; // The message is a request for dump.
    nlMsg->nlmsg_seq = msgSeq++;       // Sequence of the message packet.
    nlMsg->nlmsg_pid = getpid();       // PID of process sending the request.

    rtMsg->rtm_family = AF_INET;
    rtMsg->rtm_table = RT_TABLE_UNSPEC;
    rtMsg->rtm_dst_len = 16;
    rtMsg->rtm_src_len = 16;
    rtMsg->rtm_scope = RT_SCOPE_UNIVERSE;
    rtMsg->rtm_type = RTN_UNICAST;
    rtMsg->rtm_protocol = RTPROT_UNSPEC;
    rtMsg->rtm_flags = RTM_F_NOTIFY;

    fillRoute(&rinfo, dstAddr, srcAddr, gateway, ifName);
    addAttr(nlMsg, BUFSIZE, RTA_DST, &rinfo.dstAddr, 4);
    addAttr(nlMsg, BUFSIZE, RTA_GATEWAY, &rinfo.gateWay, 4);

    /* Send the request */
    if ((val = send(sock, nlMsg, nlMsg->nlmsg_len, 0)) < 0) {
        printf("Write To Socket Failed...\n");
        return -1;
    }
    printf(" No of Bytes sent %d \n", val);
    printf(" Value that is sent \n ");
    for (i = 0; i < val; i++)
        printf("%u", msgBuf[i]);
    printf("\n");
    close(sock);
    return 0;
}

// OUTPUT

[EMAIL PROTECTED] netlink_addroute.c -o addroute
[EMAIL PROTECTED] ./addroute
 No of Bytes sent 44
 Value that is sent
 44000240044294967239880021616101008010429496723242949672085108050429496723242949672085190

// SCREEN SHOTS

Routing table before execution of program

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         embedded        0.0.0.0         UG    0      0        0 eth0

Routing table after the execution of program

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U
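Both copies of this netlink post (the original above and the "Re:" copy earlier on the page) ask why send() reports 44 bytes written while nothing appears in the routing table. The program never learns the answer because it neither marks the message as a request nor asks for an acknowledgement, so the kernel's reaction is invisible. The following is an added example, written for this page and not the poster's code, that builds the same route (192.168.51.0/24 via 192.168.51.90, taken from the post) with the header flags and rtmsg fields rtnetlink expects, and then reads the kernel's NLMSG_ERROR reply so a rejected route produces an errno instead of silence. The helper names build_route_request and send_route_request are our own; the message-building part is pure and can be checked without privileges, while actually changing the table needs CAP_NET_ADMIN.

```c
/* Added example: a well-formed RTM_NEWROUTE request for
 * "ip route add 192.168.51.0/24 via 192.168.51.90", plus reading the ACK.
 * Helper names are ours; the route values come from the mailing-list post. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Append one rtattr to a netlink message; 0 on success, -1 if it will not fit. */
static int add_rtattr(struct nlmsghdr *nlh, size_t maxlen, int type,
                      const void *data, size_t alen)
{
    size_t len = RTA_LENGTH(alen);
    if (NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(len) > maxlen)
        return -1;
    struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = len;
    memcpy(RTA_DATA(rta), data, alen);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(len);
    return 0;
}

/* Fill buf with a complete RTM_NEWROUTE request; returns its length or -1.
 * Differences from the poster's message:
 *  - NLM_F_REQUEST is mandatory: rtnetlink ignores messages without it;
 *  - NLM_F_ACK makes the kernel answer with NLMSG_ERROR (error 0 = success);
 *  - rtm_table is RT_TABLE_MAIN explicitly rather than RT_TABLE_UNSPEC;
 *  - rtm_dst_len is the real prefix length (24 for 192.168.51.0/24; a /16
 *    with those host bits set is not a valid prefix) and rtm_src_len is 0
 *    because no RTA_SRC is attached;
 *  - rtm_protocol is RTPROT_STATIC, as a manually added route should be. */
int build_route_request(char *buf, size_t buflen, const char *dst,
                        unsigned char dst_len, const char *gw, unsigned int seq)
{
    struct in_addr dst_addr, gw_addr;
    if (buflen < NLMSG_SPACE(sizeof(struct rtmsg)))
        return -1;
    if (inet_pton(AF_INET, dst, &dst_addr) != 1 ||
        inet_pton(AF_INET, gw, &gw_addr) != 1)
        return -1;
    memset(buf, 0, buflen);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct rtmsg *rtm = NLMSG_DATA(nlh);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    nlh->nlmsg_type = RTM_NEWROUTE;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;               /* 0: let the kernel assign our port id */
    rtm->rtm_family = AF_INET;
    rtm->rtm_dst_len = dst_len;
    rtm->rtm_src_len = 0;
    rtm->rtm_table = RT_TABLE_MAIN;
    rtm->rtm_protocol = RTPROT_STATIC;
    rtm->rtm_scope = RT_SCOPE_UNIVERSE;
    rtm->rtm_type = RTN_UNICAST;
    if (add_rtattr(nlh, buflen, RTA_DST, &dst_addr, sizeof dst_addr) < 0 ||
        add_rtattr(nlh, buflen, RTA_GATEWAY, &gw_addr, sizeof gw_addr) < 0)
        return -1;
    return (int)nlh->nlmsg_len;
}

/* Send the request and return the kernel's verdict: 0 on success, otherwise
 * -errno (e.g. -EPERM without CAP_NET_ADMIN, -EEXIST, -ENETUNREACH when the
 * gateway is not reachable on any link). */
int send_route_request(const char *buf, size_t len)
{
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (sock < 0)
        return -errno;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    int rc = -EIO;                    /* no NLMSG_ERROR seen in the reply */
    if (sendto(sock, buf, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        rc = -errno;
    } else {
        char reply[4096];
        int n = (int)recv(sock, reply, sizeof reply, 0);
        if (n < 0) {
            rc = -errno;
        } else {
            for (struct nlmsghdr *h = (struct nlmsghdr *)reply; NLMSG_OK(h, n);
                 h = NLMSG_NEXT(h, n)) {
                if (h->nlmsg_type == NLMSG_ERROR) {
                    struct nlmsgerr *err = NLMSG_DATA(h);
                    rc = err->error;  /* 0 means the route was installed */
                    break;
                }
            }
        }
    }
    close(sock);
    return rc;
}

int main(void)
{
    char buf[256];
    int len = build_route_request(buf, sizeof buf, "192.168.51.0", 24, "192.168.51.90", 1);
    if (len < 0) { fputs("could not build request\n", stderr); return 1; }
    int rc = send_route_request(buf, len);
    if (rc == 0) puts("route added; verify with 'ip route show'");
    else printf("kernel refused the route: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

The request comes out at 44 bytes, the same size the poster observed, which is why the byte count alone proves nothing: send() only tells you the socket accepted the buffer. Running this unprivileged now prints "Operation not permitted" straight from the kernel's acknowledgement, and on a host where 192.168.51.90 is not on-link it reports "Network is unreachable"; either way the failure is visible and attributable, which is the property the original program lacks.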
[LARTC] Routed network + web-cache
Hello all,

I have a small ISP and I work all my clients' networks over a routed network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my clients).

The gateway server of the ISP is capable of running a web-cache (only http) using squid but I don't want my clients to go to the internet with the proxy/cache IP. Like when they enter this site www.meuip.com.br it shows only the proxy/gw server ip and not the client ip.

Is there some way to make this happen?

Att,
Nataniel Klug