[LARTC] Drop packets using tc ?

2006-10-11 Thread Ming-Ching Tiew

I have a linux bridge in an embedded system with limited tools.

I want to stop these packets from flowing across the bridge:

  NETBEUI - TCP port 135-139
  UDP port 137-139
  TCP/UDP port 445

Also all broadcast and multicast.

Is there a way to accomplish this using 'tc'? If the packets cannot
be dropped, I will be happy enough if they can be classified and
put into some lowest-priority class.

[ I don't have ebtables. 'iptables' is there but since it's a bridge,
  it's probably useless. I do have 'tc'. ]

Regards.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
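One way to do the port-based drop asked about above, as an added example and not anything from the original post: u32 filters on an ingress qdisc attached to each bridge port. It assumes the bridge ports are eth0 and eth1, a kernel with the ingress qdisc and NET_CLS_ACT (so "action drop" is available), and IP headers without options; the awkward part is that u32 only matches value/mask pairs, so the 135-139 range has to be split into aligned blocks, which the first function does.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumptions: the bridge
# ports are eth0 and eth1, the kernel has the ingress qdisc and NET_CLS_ACT
# (so "action drop" is available), and IP headers carry no options (u32's
# "match ip dport" reads the TCP/UDP destination port at a fixed offset).
BRIDGE_PORTS="eth0 eth1"

# u32 compares the 16-bit port under MASK against VALUE, so a range that
# is not one aligned power-of-two block must be split into such blocks.
# Prints one "value mask" pair (hex) per block covering LO..HI.
port_range_to_u32() {
  lo=$1; hi=$2
  while [ "$lo" -le "$hi" ]; do
    bits=0
    # widen the block while it stays aligned on lo and does not pass hi
    while [ $((lo & ((1 << (bits + 1)) - 1))) -eq 0 ] &&
          [ $((lo + (1 << (bits + 1)) - 1)) -le "$hi" ]; do
      bits=$((bits + 1))
    done
    printf '0x%04x 0x%04x\n' "$lo" $((65535 & ~((1 << bits) - 1)))
    lo=$((lo + (1 << bits)))
  done
}

# Emit the tc commands for one bridge port. They are printed rather than
# executed so they can be reviewed before being applied as root.
emit_drop_rules() {
  dev=$1
  f="tc filter add dev $dev parent ffff: protocol ip prio 1 u32"
  echo "tc qdisc add dev $dev ingress"
  # TCP 135-139 and UDP 137-139 (6 = TCP, 17 = UDP), then 445 on both
  printf '6 135\n17 137\n' | while read -r proto lo; do
    port_range_to_u32 "$lo" 139 | while read -r val mask; do
      echo "$f match ip protocol $proto 0xff match ip dport $val $mask action drop"
    done
    echo "$f match ip protocol $proto 0xff match ip dport 445 0xffff action drop"
  done
  # all IPv4 multicast (224.0.0.0/4); directed broadcast depends on the subnet
  echo "$f match ip dst 224.0.0.0/4 action drop"
}

for dev in $BRIDGE_PORTS; do emit_drop_rules "$dev"; done
```

Because the ingress qdisc sits on the physical port, the frames are dropped before the bridge forwards them.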


Re: [LARTC] HTB_HYSTERESIS

2006-10-11 Thread gypsy
"Flechsenhaar, Jon J" wrote:
> 
> All:
> 
> I have been told that HTB_HYSTERESIS might have some effect on rate
> calculations.  This file is usually in
> /usr/src/linux/net/sched/sch_htb.c.  If I change this file I have to
> re-compile.  I am not quite sure how to do this.
> 
> Can someone list the steps necessary to re-compile or point me to a doc
> that explains how to do so.  Thanks.
> 
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7

cd /usr/src/linux
make modules
make modules_install


Re: [LARTC] Two outbound internet links, using one network interface

2006-10-11 Thread Pio Mendez
The PREROUTING chain is not traversed by local traffic, but the OUTPUT chain is.
What about this script?


-

IPT=/sbin/iptables
PORT_LIST="22 53"
for PORT in $PORT_LIST
do
    $IPT -t mangle -A PREROUTING -p tcp --dport $PORT -s  -j MARK --set-mark 4
    $IPT -t mangle -A OUTPUT -p tcp --dport $PORT -s  -j MARK --set-mark 4
done

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip route add 192.168.10.0/24 dev eth0 table 4
ip route add default via 192.168.10.1 table 4

ip rule add fwmark 4 table 4

Paolo Malfatti
CiDiS Camiri



[LARTC] HTB_HYSTERESIS

2006-10-11 Thread Flechsenhaar, Jon J
All:

I have been told that HTB_HYSTERESIS might have some effect on rate
calculations.  This file is usually in
/usr/src/linux/net/sched/sch_htb.c.  If I change this file I have to
re-compile.  I am not quite sure how to do this.  

Can someone list the steps necessary to re-compile or point me to a doc
that explains how to do so.  Thanks.  

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7



Re: [LARTC] Two outbound internet links, using one network interface

2006-10-11 Thread Alexandru Dragoi

Dashamir Hoxha wrote:
Using VLANs, you can separate the networks on the link level instead. 
This is the same (in software) as using 2 different LAN ports (in 
hardware).


Thanks for the suggestion. I am trying it, and it seems very easy to use.

However the problem is that it is not working.
I am doing it like this:

# /sbin/modprobe 8021q
# /sbin/vconfig add eth0 2
# /sbin/ip link set eth0.2 up
# /sbin/ip addr add 192.168.10.2/24 dev eth0.2

When I try: `ping 192.168.10.1` it says "Destination Host Unreachable".
Both IPs are connected to the same switch. Does anybody know what can 
be wrong?


Dashamir


You need a switch with 802.1q VLAN support (Cisco, for example). The
network card needs to be plugged into a switch port in "trunk" mode, and
each provider into its own access switch port in the specified VLAN (like 2).



[LARTC] Multicast routing problem

2006-10-11 Thread Zealot
I want to send a multicast packet to multiple gre tunnels, but the packet
only goes where the routing table is configured to send it.


ex.
when using
   ip route add 224.0.0.0/4 dev gre0
then the packet goes to gre0

when using
   ip route add 224.0.0.0/4 dev gre1
then the packet goes to gre1

when using
   ip route add 224.0.0.0/4 nexthop dev gre1 nexthop dev gre0
then the packet goes to either gre0 or gre1 randomly, but not both (is it
for load balancing?)


how to configure the routing table so that the packet goes to both gre
tunnels?




Re: [LARTC] Two outbound internet links, using one network interface

2006-10-11 Thread Dashamir Hoxha
Using VLANs, you can separate the networks on the link level instead. 
This is the same (in software) as using 2 different LAN ports (in 
hardware).


Thanks for the suggestion. I am trying it, and it seems very easy to use.

However the problem is that it is not working.
I am doing it like this:

# /sbin/modprobe 8021q
# /sbin/vconfig add eth0 2
# /sbin/ip link set eth0.2 up
# /sbin/ip addr add 192.168.10.2/24 dev eth0.2

When I try: `ping 192.168.10.1` it says "Destination Host Unreachable".
Both IPs are connected to the same switch. Does anybody know what can be 
wrong?


Dashamir




Re: [LARTC] Two outbound internet links, using one network interface

2006-10-11 Thread Dashamir Hoxha

Radu Oprisan wrote:

Radu Oprisan wrote:

Dashamir Hoxha wrote:

Dashamir Hoxha wrote:

Hi,

I am trying to categorize the network traffic and to send it out across
two different providers. For this I mark the packets in the firewall (in
the PREROUTING chain of table mangle), and then use another routing table
for the marked packets, which has a different gateway from the main
routing table. Basically I am following the cookbook example in this page:

http://linux-ip.net/html/adv-multi-internet.html

with some small changes and modifications.

The most important difference is that I am trying to use just one
external network interface, which is connected through a hub/switch to
both of the ISP links. I add two different IPs to this interface,
corresponding to each provider's network. Then the masquerading is done
with a rule like this:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

instead of:

# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

For the traffic that is generated in the LAN behind the box, it works,
but for the traffic that is generated in the localhost (routing box), it
does not work. Indeed, it cannot possibly work for the localhost with a
setup like this (with only one external interface). As can be seen in
this document:

http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)

the routing decision happens before the packet enters the chains of
iptables (the chain PREROUTING is not traversed in this case).

This is not a big problem (it is not so important that the traffic of the
routing box be categorized as well), but trying to solve it, I came up
with another solution, which seems simpler. The idea is to use something
like this:

-

IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1

for PORT in $PORT_LIST
do
    $IPT -t nat -A POSTROUTING -o eth0 \
        -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
-

I have not tested it yet but I don't see why it should not work.


for PORT in $PORT_LIST
do
    $IPT -t mangle -A PREROUTING -i eth_clients \
        -p tcp --dport $PORT -j MARK --set-mark 0x01
done

$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

I'm sorry

Ok, it may work like this, I have to try it.
By the way, $IP1 and $IP2 must be used instead of $GATEWAY1 and $GATEWAY2
above; it was a mistake.


Re: [LARTC] Two outbound internet links, using one network interface

2006-10-11 Thread Radu Oprisan

Radu Oprisan wrote:

Dashamir Hoxha wrote:

Dashamir Hoxha wrote:

Hi,

I am trying to categorize the network traffic and to send it out across
two different providers. For this I mark the packets in the firewall (in
the PREROUTING chain of table mangle), and then use another routing table
for the marked packets, which has a different gateway from the main
routing table. Basically I am following the cookbook example in this page:

http://linux-ip.net/html/adv-multi-internet.html

with some small changes and modifications.

The most important difference is that I am trying to use just one
external network interface, which is connected through a hub/switch to
both of the ISP links. I add two different IPs to this interface,
corresponding to each provider's network. Then the masquerading is done
with a rule like this:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

instead of:

# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

For the traffic that is generated in the LAN behind the box, it works,
but for the traffic that is generated in the localhost (routing box), it
does not work. Indeed, it cannot possibly work for the localhost with a
setup like this (with only one external interface). As can be seen in
this document:

http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)

the routing decision happens before the packet enters the chains of
iptables (the chain PREROUTING is not traversed in this case).

This is not a big problem (it is not so important that the traffic of the
routing box be categorized as well), but trying to solve it, I came up
with another solution, which seems simpler. The idea is to use something
like this:

-

IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1

for PORT in $PORT_LIST
do
    $IPT -t nat -A POSTROUTING -o eth0 \
        -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
-

I have not tested it yet but I don't see why it should not work.


for PORT in $PORT_LIST
do
    $IPT -t mangle -A PREROUTING -i eth_clients \
        -p tcp --dport $PORT -j MARK --set-mark 0x01
done

$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

I'm sorry


Re: [LARTC] Two outbound internet links, using one network interface

2006-10-11 Thread Radu Oprisan

Dashamir Hoxha wrote:

Dashamir Hoxha wrote:

Hi,

I am trying to categorize the network traffic and to send it out across
two different providers. For this I mark the packets in the firewall (in
the PREROUTING chain of table mangle), and then use another routing table
for the marked packets, which has a different gateway from the main
routing table. Basically I am following the cookbook example in this page:

http://linux-ip.net/html/adv-multi-internet.html

with some small changes and modifications.

The most important difference is that I am trying to use just one
external network interface, which is connected through a hub/switch to
both of the ISP links. I add two different IPs to this interface,
corresponding to each provider's network. Then the masquerading is done
with a rule like this:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

instead of:

# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

For the traffic that is generated in the LAN behind the box, it works,
but for the traffic that is generated in the localhost (routing box), it
does not work. Indeed, it cannot possibly work for the localhost with a
setup like this (with only one external interface). As can be seen in
this document:

http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)

the routing decision happens before the packet enters the chains of
iptables (the chain PREROUTING is not traversed in this case).

This is not a big problem (it is not so important that the traffic of the
routing box be categorized as well), but trying to solve it, I came up
with another solution, which seems simpler. The idea is to use something
like this:

-

IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1

for PORT in $PORT_LIST
do
    $IPT -t nat -A POSTROUTING -o eth0 \
        -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
-

I have not tested it yet but I don't see why it should not work.


for PORT in $PORT_LIST
do
    $IPT -t nat -A PREROUTING -i eth_clients \
        -p tcp --dport $PORT -j MARK --set-mark 0x01
done

$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

From the testing and meditation that I have done up to now, I have arrived
at the conclusion that this is not a solution for the problem of traffic
categorization. The reason is that POSTROUTING happens after the routing
decision is taken, so the route that is chosen is not affected by the
source IP of the packet.

Am I right?

Also, I have seen somewhere that using two IPs on the same interface may
be risky (may have security implications), but I don't see what they can
be. If somebody has any idea of them and how to avoid them, please let me
know. E.g. I have heard about "IP spoofing" but I don't understand what it
is.

Regards,
Dashamir

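Putting together the two points made in this thread, Pio's (locally generated traffic only passes OUTPUT, never PREROUTING) and Dashamir's (nat POSTROUTING runs after the routing decision, so SNAT cannot steer the route), here is an added example of the combined setup for one interface with two addresses. It is not the script of either poster; the interface names, addresses and LAN subnet are constructed.

```shell
#!/bin/sh
# Added example, not Pio Mendez's or Dashamir Hoxha's script. Constructed
# values: the LAN is 192.168.1.0/24 behind eth1; both providers are reached
# through eth0, which carries one address in each provider's network.
LAN_IF=eth1; LAN_NET=192.168.1.0/24
WAN_IF=eth0
IP1=192.168.10.2;  GW1=192.168.10.1                          # provider 1: main table
IP2=192.168.100.2; GW2=192.168.100.1; NET2=192.168.100.0/24  # provider 2: table 4
PORT_LIST="22 53"
MARK=4; TABLE=4

# Prints the commands instead of running them, so they can be reviewed first.
policy_routing_rules() {
  for port in $PORT_LIST; do
    # Forwarded LAN traffic passes mangle PREROUTING before its routing decision ...
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $port -j MARK --set-mark $MARK"
    # ... but the router's own packets never do: they are marked in OUTPUT,
    # and the kernel re-runs the routing decision after mangle OUTPUT.
    echo "iptables -t mangle -A OUTPUT -p tcp --dport $port -j MARK --set-mark $MARK"
  done
  # nat POSTROUTING runs after routing, so SNAT cannot steer the route; it
  # only fixes the source address so replies return via the chosen provider.
  # The marked rule must come before the catch-all.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -m mark --mark $MARK -j SNAT --to-source $IP2"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $IP1"
  # Main table: provider 1 is the default for unmarked traffic.
  echo "ip route replace default via $GW1 dev $WAN_IF src $IP1"
  # Table 4 needs the connected route so GW2 is resolvable, then its own default.
  echo "ip route add $NET2 dev $WAN_IF table $TABLE"
  echo "ip route add default via $GW2 dev $WAN_IF src $IP2 table $TABLE"
  echo "ip rule add fwmark $MARK table $TABLE"
  echo "ip route flush cache"
}

policy_routing_rules
```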