[LARTC] ipsec for linux 2.4 eventually made easy?!
hi there, I just wanted to share a recent discovery I made on how to set up a secure VPN implementation for linux 2.4.x (I'm using 2.4.20 but it should be working, as far as the documentation states, for > 2.4.18) without using FreeS/WAN. The tool (ipsec_tunnel: http://ringstrom.mine.nu/ipsec_tunnel/, by Tobias Ringström) is a kernel module based on ipip and ip_gre. It uses CryptoAPI to carry out the actual encryption, as in the 2.5 implementation.

Installation and setup are a matter of a few seconds: get CryptoAPI (http://www.kernel.org/pub/linux/kernel/crypto/v2.4/cryptoapi-0.1.0.tar.gz), untar and compile as modules:

  tar xvfz cryptoapi-0.1.0.tar.gz
  cd cryptoapi-0.1.0
  make modules KDIR=/path/to/running/kernel
  make modules_install
  modprobe cryptoapi
  modprobe cipher-3des
  modprobe digest-sha1

Get ipsec_tunnel (http://ringstrom.mine.nu/ipsec_tunnel/download/ipsec_tunnel-0.9.tar.gz):

  tar xvfz ipsec_tunnel-0.9.tar.gz
  cd ipsec_tunnel-0.9
  ./configure
  make
  make install
  modprobe ipsec_tunnel

(./configure will ask you the path to the cryptoapi source and to your running kernel.)

Create an encryption key and an authentication key:

  mkdir /etc/ipsec
  chmod 500 /etc/ipsec
  ipsecadm key create 3des --file=/etc/ipsec/demo.ciph.key
  ipsecadm key create sha1 --file=/etc/ipsec/demo.auth.key

Copy them to the remote host (with scp):

  scp /etc/ipsec/* [EMAIL PROTECTED]:/etc/ipsec/

Now the actual setup (clearly explained in the ipsec_tunnel documentation):

A) Local host (replace 172.16.0.1 with your public IP; 192.168.122.1 will be the address of the host in the VPN)

  ipsecadm sa add --spi=0x1000 --dst=172.16.0.1 --src=172.16.0.2 \
      --cipher=3des-cbc --cipher-keyfile=/etc/ipsec/demo.ciph.key \
      --digest=sha1 --digest-keyfile=/etc/ipsec/demo.auth.key --duplex
  ipsecadm tunnel add ipsec1 --local=172.16.0.1 --remote=172.16.0.2
  ifconfig ipsec1 192.168.122.1 up
  route add -net 192.168.122.0/24 dev ipsec1

B) Remote host (replace 172.16.0.2 with its public IP; 192.168.122.2 will be the address in the VPN)

  ipsecadm sa add --spi=0x1000 --dst=172.16.0.2 --src=172.16.0.1 \
      --cipher=3des-cbc --cipher-keyfile=/etc/ipsec/demo.ciph.key \
      --digest=sha1 --digest-keyfile=/etc/ipsec/demo.auth.key --duplex
  ipsecadm tunnel add ipsec1 --local=172.16.0.2 --remote=172.16.0.1
  ifconfig ipsec1 192.168.122.2 up
  route add -net 192.168.122.0/24 dev ipsec1

You now have your secure VPN up and running. I think it's quite cool. What do you think? Shouldn't this get into LARTC? I believe it definitely should!

Best regards,
Andrea Rossato
___
LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] ECN and iptables: a political issue
Andrea Rossato wrote:
> Being able to discriminate between good and bad guys is possible through a filtering rule: iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove. Now, the problem is the rule seems not to be working and I cannot connect to those hosts unless I turn ecn off (echo 0 > /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting something wrong.

(just for documentation) I was not getting anything wrong: there was a bug in the checksum recalculation after application of the ECN target. Patrick McHardy promptly posted a patch on the netfilter-devel mailing list (the patch is attached to the present message). Now the rule is working just fine!! (should I submit a patch proposal to LARTC to document the issue?)

andrea

--- net/ipv4/netfilter/ipt_ECN.c.orig 2002-12-09 23:14:20.0 +0100 +++ net/ipv4/netfilter/ipt_ECN.c2002-12-09 23:13:27.0 +0100 @@ -88,8 +88,8 @@ } if (diffs[0] != *tcpflags) { - diffs[0] = htons(diffs[0]) ^ 0x; - diffs[1] = htons(*tcpflags); + diffs[0] = diffs[0] ^ 0x; + diffs[1] = *tcpflags; tcph->check = csum_fold(csum_partial((char *)diffs, sizeof(diffs), tcph->check^0x));
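Review bot: dropping the htons() from diffs[0] and diffs[1] in the hunk at ipt_ECN.c line 88 is the right fix, because both values come straight from the TCP header in the packet (the guard `if (diffs[0] != *tcpflags)` compares them unswapped), so they are already in network byte order and csum_partial() sums them as raw wire bytes; swapping them first fed the wrong 16-bit words into the incremental update and produced a checksum the peer rejects. Two things would merit a comment in the source so the next reader does not put the htons() back: that diffs[] must stay in wire order, and the identity being applied (diffs[0] is the old word XORed with the mask, diffs[1] the new word, both summed onto the complemented old check before csum_fold()). Note that the constants after `^ 0x` and in `tcph->check^0x` are truncated in this archived copy of the patch, so the masks themselves cannot be verified from the page.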
Re: [LARTC] How to limit bandwidth by port?
DOWNLINK=220
UPLINK=125
DEV=ppp0

tc qdisc add dev $DEV root handle 1: htb default 10
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
    ceil ${UPLINK}kbit burst 6k prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate $((3*UPLINK/10))kbit \
    ceil $((9*UPLINK/10))kbit burst 6k prio 2
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
# mask 0xffff: compare the whole 16-bit destination port
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip dport 8080 0xffff flowid 1:20

traffic to dport 80 will get 3/10 of the bandwidth (with the possibility to borrow up to 9/10)

andrea

David Coello wrote:
> Hi again
> I am running all the tests and probes I can imagine, but I'm beginning to think it's impossible to limit bandwidth by port. Could anybody give me a code example that does this, please?
> Thanks and regards
> David Coello
Re: [LARTC] tbf : rate and effective speed (newbie)
Paolo Poletti wrote:
> # tc qdisc add dev eth0 root tbf rate 10kbit latency 50ms burst 1000
> Then I tried to transfer a big (20 Mbyte) file onto my lan, using ftp, and the client (ncftp) is saying that the average transfer speed is 39.71 kB (around 400 kbit). What am I missing?

you are shaping outgoing traffic: so if you want to give it a try you must upload! To shape incoming traffic you need either the ingress qdisc or IMQ: have a look at LARTC.

you are downloading at 300kbit, by the way: 39.71*8

bye
andrea
[LARTC] ECN and iptables: a political issue
Hi there! I recently discovered that the linux kernel supports Explicit Congestion Notification and that a fully ECN-enabled network would have virtually no dropped packets. Enabling that feature is a way to respect the infrastructure we use, and servers, routers or firewalls not complying with regularly approved standards like RFC 793 and 3168 are damaging all of us, in a way not very different from that of spammers. Being able to discriminate between good and bad guys is possible through a filtering rule:

  iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove

Many thanks to the guys who wrote the kernel support and the target! This is not a solution to the problem, but at least it gives you the power to send an email to the system/network administrators and put that rule in our ILLEGAL_HOST_AND_NETS_VIOLATING_RFC793 chain. Many of those hosts simply do not have access to their routers' or firewalls' configuration.

Now, the problem is the rule seems not to be working and I cannot connect to those hosts unless I turn ecn off (echo 0 > /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting something wrong. Miciej Soltysiak had a similar problem with an illegal box in his network. Did you find a solution? Please help.

If I solve this problem I promise that I will submit a patch proposal to the LARTC maintainers. That's the best I can do to make people aware of this issue.

Thanks a lot.
Andrea
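The rule above rewrites TCP headers in flight, and the follow-up earlier in this thread traces the failure to the checksum update that has to accompany that rewrite. What follows is an added example, not code from the post or from netfilter: it builds a TCP SYN the way a host with tcp_ecn=1 sends it (SYN with ECE and CWR set, per RFC 3168), applies the equivalent of --ecn-tcp-remove, and repairs the checksum incrementally (RFC 1624) while cross-checking the result against a full recomputation. The addresses, ports and sequence number are constructed test values; nothing is put on the wire.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits in byte 13 of the header; CWR and ECE are the RFC 3168 bits.
CWR, ECE, SYN = 0x80, 0x40, 0x02


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data):
    """Internet checksum of a byte string: complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    words = [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]
    return (~ones_complement_sum(words)) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """Full recomputation over the IPv4 pseudo-header and the segment (checksum field zeroed)."""
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return inet_checksum(pseudo + zeroed)


def build_syn(src, dst, sport, dport, seq, flags, window=0x4000):
    """20-byte TCP header with a valid checksum (constructed input, not a capture)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def ecn_tcp_remove(segment):
    """What --ecn-tcp-remove does to a TCP segment: clear ECE and CWR, then
    repair the checksum incrementally (RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')).
    m and m' are the 16-bit word holding data offset and flags, read exactly as
    they sit on the wire (big-endian). Byte-swapping them before the update is
    the mistake the ipt_ECN.c patch quoted in this thread removed."""
    old_word = int.from_bytes(segment[12:14], "big")
    new_word = old_word & ~(CWR | ECE)
    if new_word == old_word:
        return segment                      # no ECN bits set: leave the checksum alone
    hc = int.from_bytes(segment[16:18], "big")
    hc_new = (~ones_complement_sum([(~hc) & 0xFFFF, (~old_word) & 0xFFFF, new_word])) & 0xFFFF
    return (segment[:12] + struct.pack("!H", new_word) + segment[14:16]
            + struct.pack("!H", hc_new) + segment[18:])


def checksum_ok(src, dst, segment):
    """True when the checksum field matches a full recomputation, i.e. what the peer verifies."""
    return int.from_bytes(segment[16:18], "big") == tcp_checksum(src, dst, segment)


if __name__ == "__main__":
    src, dst = "172.16.0.1", "172.16.0.2"   # constructed addresses
    syn = build_syn(src, dst, 40000, 80, 0x12345678, SYN | ECE | CWR)
    stripped = ecn_tcp_remove(syn)
    print(f"flags {syn[13]:#04x} -> {stripped[13]:#04x}, "
          f"check {syn[16:18].hex()} -> {stripped[16:18].hex()}, "
          f"valid={checksum_ok(src, dst, stripped)}")
```

A receiver silently discards a segment whose checksum does not verify, so a mangled SYN is never answered and the connection attempt times out, which from the client looks exactly like the target doing nothing. The incremental form is what the kernel uses because it needs neither the pseudo-header nor a pass over the payload; its only requirement is that the old and new words go in unswapped.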
Re: [LARTC] Filter question...
Victor Dario Martinez wrote:
> # tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 match ip dst 4.3.2.1/32 flowid 10:1
> RTNETLINK answers: Invalid argument

shouldn't it be

  tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 4.3.2.1/32 flowid 10:1
                                ^^^
andrea
Re: [LARTC] weird network problem
Petru Paler wrote:
> http://www.tux.org/lkml/#s14-2

yes indeed! that was too difficult for me to think of... thanks a lot.
Andrea
[LARTC] weird network problem
Hi! During the last few days I started experiencing weird network problems: there are web sites that seem not to be responding to my SYN packets to port 80 (so the connection times out). What's weird is that the very same sites are establishing connections with a vmware virtual machine, masqueraded on the internet by the very machine that is not receiving the SYN/ACK back. I thought of firewall problems, but since this does not apply to forwarded traffic, and for the great majority of web sites not even to internally generated traffic, that strikes me as particularly strange. www.kerneltrap.org is one of the affected sites. I have a VPN masqueraded by a remote router to the internet, and even if I route the traffic through it the virtual machine can connect but the real one cannot. The virtual machine is running the same OS, linux :) This is something I cannot understand! No major configuration changes I can think of as the cause took place in the recent past, except the fact that I upgraded the real box to 2.4.20 whereas the virtual one is 2.4.18. Any idea where I should start looking? Thank you very much. andrea
Re: [LARTC] HTB and IP tables
have a look at this: at the end there is a script using htb, marking packets with iptables: http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/ I don't know if it works with red hat (I don't know which options red hat ships its kernel with). If you use 2.4.20 you need a patch only for IMQ (needed in the script for ingress traffic control). andrea

James Ma wrote:
> Hi, All,
>
> Does anyone have working scripts using HTB for QoS but iptables for
> filtering? I want to learn how to put them together. Do the scripts
> work on Redhat?
>
> Thanks in advance,
>
> James
Re: [LARTC] traffic shaping and gre tunnels
Andrea Rossato wrote:
> 4. How can I set up a filter for shaping (in ppp0) encapsulated traffic? For instance, if I want ssh to vpn0 to have maximum priority both within the tunnel and also within the traffic passing through ppp0, how can I achieve that? I cannot find documentation on u32 that I can use to work that out...

I did it the hard way: dumped packets to find out... I post this with the hope that it can be useful to others.

I need to shape internally encapsulated traffic (a gre tunnel) in order to give interactivity maximum priority on my adsl uplink connection, but treating bulk vpn traffic as usual bulk traffic. To achieve that I need to match encapsulated packets. Following you will find some tested examples that can help you understand how to do it - I needed something like this last night. :)

Question: I cannot match anything with nexthdr (not even assuming ip headers are 24 bytes long). Why?

I'm using linux-2.4.20-rc4 and the tc binary from htb3.6-020525

Regards,
Andrea

A gre encapsulated ip packet:

  |<20 bytes ip header>||<4 bytes gre header>||<20 bytes ip header>|||

Matching examples (offsets are counted from the start of the outer ip header):

  # match tos 0x10 Minimum Delay (inner ip tos byte is at offset 25)
  tc filter add dev ppp0 parent 1:0 prio 10 u32 \
      match ip protocol 47 0xff \
      match u16 0x10 0x00ff at 24 \
      flowid 1:50

  # match ICMP (inner ip protocol byte is at offset 33; 1 = icmp)
  tc filter add dev ppp0 parent 1:0 prio 10 u32 \
      match ip protocol 47 0xff \
      match u16 0x01 0x00ff at 32 \
      flowid 1:50

  # match dport 22 (ssh): inner ip protocol 6 (tcp) at offset 33,
  # inner tcp destination port at offset 46
  tc filter add dev ppp0 parent 1:0 prio 10 u32 \
      match ip protocol 47 0xff \
      match u16 0x06 0x00ff at 32 \
      match u16 0x0016 0xffff at 46 \
      flowid 1:50

  # match dest address: inner ip protocol 1 (icmp) at offset 33,
  # inner ip destination address (172.16.2.1) at offset 40
  tc filter add dev ppp0 parent 1:0 prio 10 u32 \
      match ip protocol 47 0xff \
      match u16 0x01 0x00ff at 32 \
      match u32 0xac100201 0xffffffff at 40 \
      flowid 1:50
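The filters above depend on byte offsets read off a packet dump. As an added example (not from the post and not part of tc), the following Python builds a GRE-in-IPv4 packet from constructed addresses, emulates the u32 classifier's `match uN value mask at offset` semantics with offsets counted from the start of the outer IP header, and runs the post's four match lists over it. It also computes where the inner headers really start, so the case the fixed offsets do not cover becomes visible: a GRE header carrying the checksum, key or sequence bits (RFC 2890) is 4 bytes longer per set bit, and IP options in either header shift everything as well. Addresses, ports and the GRE key value are test data.

```python
import struct
from ipaddress import IPv4Address

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present
ETH_P_IP = 0x0800


def ipv4_header(src, dst, proto, payload_len, tos=0):
    """20-byte IPv4 header without options; header checksum left at 0 (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def gre_header(flags=0, key=0, seq=0):
    """GRE header: 4 fixed bytes plus 4 optional bytes for each of the C, K and S bits."""
    hdr = struct.pack("!HH", flags, ETH_P_IP)
    if flags & GRE_C:
        hdr += struct.pack("!HH", 0, 0)      # checksum + reserved1 (zero for this demo)
    if flags & GRE_K:
        hdr += struct.pack("!I", key)
    if flags & GRE_S:
        hdr += struct.pack("!I", seq)
    return hdr


def tcp_header(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header; the checksum plays no role in offset matching."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0x4000, 0, 0)


def gre_encap(outer_src, outer_dst, inner_src, inner_dst, inner_proto, l4,
              tos=0, gre_flags=0, key=0):
    """outer IP (proto 47) || GRE || inner IP || inner L4, as seen leaving ppp0."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(l4), tos) + l4
    gre = gre_header(gre_flags, key)
    return ipv4_header(outer_src, outer_dst, 47, len(gre) + len(inner)) + gre + inner


def u32_match(pkt, width, value, mask, at):
    """`match u{8,16,32} VALUE MASK at OFFSET`: masked compare at an absolute offset."""
    n = width // 8
    if at + n > len(pkt):
        return False
    field = int.from_bytes(pkt[at:at + n], "big")
    return (field & mask) == (value & mask)


# The post's filters as (width, value, mask, offset); `match ip protocol 47 0xff` is u8 at 9.
IS_GRE = (8, 47, 0xFF, 9)
FILTERS = {
    "mindelay": [IS_GRE, (16, 0x10, 0x00FF, 24)],
    "icmp":     [IS_GRE, (16, 0x01, 0x00FF, 32)],
    "ssh":      [IS_GRE, (16, 0x06, 0x00FF, 32), (16, 0x0016, 0xFFFF, 46)],
    "dst":      [IS_GRE, (16, 0x01, 0x00FF, 32), (32, 0xAC100201, 0xFFFFFFFF, 40)],
}


def classify(pkt):
    """Names of the post's filters for which every `match` succeeds on the packet."""
    return {name for name, keys in FILTERS.items() if all(u32_match(pkt, *k) for k in keys)}


def inner_offsets(pkt):
    """Where the inner IP and inner L4 headers actually start, parsed from the headers;
    None for a packet that is not GRE."""
    outer_ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 47:
        return None
    flags = int.from_bytes(pkt[outer_ihl:outer_ihl + 2], "big")
    gre_len = 4 + 4 * sum(1 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    inner_ip = outer_ihl + gre_len
    inner_ihl = (pkt[inner_ip] & 0x0F) * 4
    return {"inner_ip": inner_ip, "inner_l4": inner_ip + inner_ihl}


if __name__ == "__main__":
    ssh = gre_encap("10.0.0.1", "10.0.0.2", "172.16.2.2", "172.16.2.1", 6, tcp_header(40000, 22))
    print(classify(ssh), inner_offsets(ssh))       # {'ssh'} {'inner_ip': 24, 'inner_l4': 44}
    keyed = gre_encap("10.0.0.1", "10.0.0.2", "172.16.2.2", "172.16.2.1", 6,
                      tcp_header(40000, 22), gre_flags=GRE_K, key=42)
    print(classify(keyed), inner_offsets(keyed))   # set() {'inner_ip': 28, 'inner_l4': 48}
```

The keyed packet shows the failure mode: with the K bit set the inner IP header starts at 28 rather than 24, every one of the post's offsets now lands on the wrong field, and the ssh flow silently drops into the default class. Before copying these filters, confirm with a dump (or with inner_offsets() on a captured packet) that the tunnel really uses the bare 4-byte GRE header and that neither header carries options.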
[LARTC] traffic shaping and gre tunnels
Hi! Thanks to LARTC I was able to set up this configuration:
- ppp0 (adsl connection) to the internet
- vpn0 connection to a remote router with a gre tunnel

I'm shaping traffic out of ppp0 with HTB: Minimum Delay (tos 0x10), icmp and ACK packets get maximum priority and all available bandwidth, file sharing gets 3/10 of the bandwidth (ceil 9/10) and the rest 6/10 of the bandwidth (ceil 9/10). I get good results even with heavy loads.

Now, I would very much like to know, if someone can help:
1. gre tunnel traffic is not shaped internally when it gets to ppp0, right? So if I want to shape it I need to use a qdisc for vpn0.
2. if 1 is correct, I need to set a txqueuelen for vpn0, otherwise I would not get any effect, right? (default is txqueuelen:0)
3. In order to set priority, in ppp0, for all tunnel traffic, I need to use a filter with the u32 selector? Will something like 'match ip protocol 47' be fine?
4. How can I set up a filter for shaping (in ppp0) encapsulated traffic? For instance, if I want ssh to vpn0 to have maximum priority both within the tunnel and also within the traffic passing through ppp0, how can I achieve that? I cannot find documentation on u32 that I can use to work that out...

Thank you very much.
Andrea