Re: [LARTC] Network configuration

2006-01-16 Thread Michael Davidson

Hi,
   There is an anti-spoofing issue that you haven't mentioned and may
well have to contend with. Some Linux distros, certainly Redhat, when
installed with default settings will engage the anti-spoofing mechanism.
This prevents any interface from being used as a default route other
than the one declared in the routing table called main.


You need to echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter to turn
off the anti-spoofing for that interface.


Using iptables you can manually put back some of the anti-spoofing 
mechanism. See Rusty Russell's unreliable guide to iptables


Regards Mike.




Paul Lewis wrote:


Hi,

Apologies for the cross-posting; I'm not sure whether this is a firewall or
routing issue, or both!

I have four network cards, detailed below. eth0 and eth3 connect to my ISPs,
and eth1 and eth2 connect to local networks. I want to route all traffic
from eth2 to eth0, and from eth1 to eth3. However, I am having a few
problems with this.

eth0
ip: 192.168.100.253/24
gw: 192.168.100.254 (ISP)

eth1
ip: 192.168.3.253/22
gw: 192.168.20.253 (eth3)

eth2
ip: 192.168.7.253/22
gw: 192.168.100.253 (eth0)

eth3
ip: 192.168.20.253/24
gw: 192.168.20.254 (ISP)

I have tried setting up routing using these commands:

echo ISP_1 >> /etc/iproute2/rt_tables
echo ISP_2 >> /etc/iproute2/rt_tables

ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2

ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2

However, this yielded no success. I have also tried a simple iptables
forwarding configuration (without the routing config above):

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT

# default policy
iptables -P FORWARD DROP

Again, with no success. I do have a reasonably complex firewall in place,
but no other rules in the FORWARD section of the firewall. I have a number
of open ports under INPUT for other services the machine provides, and
nothing under OUTPUT.

In the NAT section, I have no rules in OUTPUT, a couple of MASQUERADING
rules under POSTROUTING, and hundreds of rules under PREROUTING (accepting
or denying machines based on their MAC).

I've had a few thoughts on this; do I need to have four default gateways
configured; one for each network card? And do I need more (or any)
forwarding rules in the firewall?

I've been struggling with this problem for some time now, and it's really
starting to annoy me. I would really appreciate any feedback people could
send me.

Many thanks,

Paul

---
Paul Lewis ([EMAIL PROTECTED])
Part II Student
Department Of Materials
University Of Oxford



___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

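Added example, not code from either post: a small script that sets up the per-LAN policy routing Paul is after, using the addresses from his mail. Two points differ from his commands and are worth knowing: ip(8) only recognises a table name once rt_tables carries a numeric id in front of it, so a bare name appended to the file is ignored, and the rules key on the LAN prefixes rather than on the router's own addresses, so forwarded traffic actually matches; the default routes point at the ISP-side gateways. Table ids 101/102, the rule priority, and the APPLY/RT_TABLES variables are assumptions of this example. The last step is the rp_filter point from Mike's reply: replies for each LAN come back on an uplink the main table does not use, so strict reverse-path filtering drops them. Mode 2 (loose) exists on kernels from 2.6.31 onward and still drops sources that no route reaches; on the kernels of this thread 0 is the only alternative.

```shell
#!/bin/sh
# Added example (not from the list posts): per-LAN policy routing for a
# router with two ISP uplinks, built from the addresses in Paul's mail.
# Table ids 101/102 and the rule priority are assumptions.
set -eu

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
# APPLY=1 runs the commands; otherwise they are only printed (a plan).
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN=echo; fi

# Add "<id> <name>" to rt_tables exactly once; a line without the numeric
# id is not usable by ip(8). Safe to re-run.
rt_table_ensure() {
    id="$1"; name="$2"
    if grep -qsE "^[[:space:]]*[0-9]+[[:space:]]+$name[[:space:]]*\$" "$RT_TABLES"; then
        return 0
    fi
    if [ -z "$RUN" ]; then
        printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
    else
        echo "append '$id $name' to $RT_TABLES"
    fi
}

# One uplink: its table holds the LAN route plus a default via the ISP's
# gateway (the provider side, not the router's own address); the rule keys
# on the whole LAN prefix so forwarded packets match, not only packets the
# router itself originates.
uplink_rules() {
    table="$1"; lan_if="$2"; lan_net="$3"; lan_ip="$4"; wan_if="$5"; wan_gw="$6"
    $RUN ip route replace "$lan_net" dev "$lan_if" src "$lan_ip" table "$table"
    $RUN ip route replace default via "$wan_gw" dev "$wan_if" table "$table"
    $RUN ip rule add from "$lan_net" lookup "$table" priority 1000
}

# Reverse-path filtering on the uplinks: with one default route in the main
# table, strict mode (1) drops the replies that arrive on the other uplink.
# Mode 2 (loose, kernels 2.6.31+) still rejects sources no route reaches;
# older kernels only offer 0 (off), as the thread suggests.
rp_filter_set() {
    mode="$1"; shift
    for ifc in "$@"; do
        $RUN sysctl -w "net.ipv4.conf.$ifc.rp_filter=$mode"
    done
}

main() {
    rt_table_ensure 101 ISP_1
    rt_table_ensure 102 ISP_2
    uplink_rules ISP_1 eth2 192.168.4.0/22 192.168.7.253 eth0 192.168.100.254
    uplink_rules ISP_2 eth1 192.168.0.0/22 192.168.3.253 eth3 192.168.20.254
    rp_filter_set 2 eth0 eth3
}
main
```

Run it once without APPLY to read the plan, then with APPLY=1 as root. The FORWARD rules from Paul's mail are still needed with a DROP policy; this script only decides which uplink each LAN uses.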


Re: [LARTC] Fwd: Inbound and outbound traffic problem

2005-12-20 Thread Michael Davidson

Hi,
   There is another way to do this, but I doubt that it is any more
elegant than what you have right now. I have just completed this same
task and I can say that if I could have used your method - overlaying
another subnet - I would have done so since it's a cleaner solution in my
view.


I used iptables to mark the packets of the flows that were generated
by the server (WWW).

I created a second routing table with its own default route.
I created an ip rule which looks for a mark on the packets and 
directs those packets to the new routing table.


Keep in mind, for this to work correctly you need to be using NAT or 
Masquerade on at least one of your ISP ports.


Regards Mike






Janis Daniel Bistevins wrote:


Sorry if I can't explain correctly what my problem is.
What I need is to route traffic originated inside my LAN by one ISP,
and traffic coming from another ISP (mostly requests to machines
inside the LAN) back by the same ISP.
The way I've found is by creating two different networks inside my LAN.
Those machines running services have two IPs on their NICs. That way I
can route depending on the source of the packets.
I have a snapshot of my drawing, so you can figure this out.

http://www.iglobal.com.ar/~janis/snap.xpm



-- Forwarded message --
From: Janis Daniel Bistevins [EMAIL PROTECTED]

Date: Dec 19, 2005 12:05 PM
Subject: Inbound and outbound traffic problem
To: lartc@mailman.ds9a.nl


[ASCII diagram from the original mail, garbled in the archive: ISP A and ISP B
are each linked to the LINUX ROUTER, which reaches the www host over two
networks, NET C and NET D.]


Hi!
I need that requests to www arriving from net ISP A return by the
same route, but connections initiated from www go out by net ISP B.

The only way I have discovered so far is creating two different
networks (NET C and NET D).
So, www has a route to ISP A by NET C and a default route by NET D.
On the Linux Router everything coming from NET D is routed by NET B
and everything coming from NET C is routed by NET A.
This is accomplished by creating logical interfaces on www and on the
Linux Router.

Is there another way to do this?

Thanks in advance.
Regards.

--
Janis Bistevins
Belief is 9/10 of YOUR reality








--

Regards Mike.

Michael Davidson
Barone Budge & Dominick
Email: [EMAIL PROTECTED]
Office: +27 11 532 8380
BBD:    +27 11 532 8300
Fax:    +27 11 532 8400
Mobile: +27 82 650 5707
Home:   +27 11 452 4423

This e-mail is confidential and subject to the disclaimer published at
http://www.bbd.co.za




Re: [LARTC] Marking packets by mac addr using tc filter u32 match?

2005-12-13 Thread Michael Davidson

Hi,
   Forgive me if I point out the obvious. Remember that ARP isn't an
IP protocol; it's a peer protocol to IP. In the tc filters shown below
the protocol is IP and the negative offset works on an IP packet, but I
suspect that an ARP packet isn't accessible with this technique. If I
substitute IP for ARP in the filter statement it isn't accepted.


Regards Mike D.

Kristiadi Himawan wrote:



It should be 0x0806 0xffff?
Or do you have an example of how to catch that kind of traffic?

gypsy wrote:


Kristiadi Himawan wrote:


It's also match to this kind of traffic ?

17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17



No. The 'match u16 0x0800 0xffff' says to ignore ARP.



Lee Sanders wrote:



You haven't done a search on past posts...

The u32 can be used to match any bit in the IP header. Before the IP header,
there is a frame header. In that frame header you can find the src and dst
MAC address. You can trick the u32 filter into using the frame header if you
use negative offsets.

Decimal Offset  Description
-14:DST MAC, 6 bytes
-8: SRC MAC, 6 bytes
-2: Eth PROTO, 2 bytes, eg. ETH_P_IP
0:  Protocol header (IP Header)

Where  is the Eth Proto Code (from
linux/include/linux/if_ether.h):

ETH_P_IP = IP = match u16 0x0800
Where your MAC = M0M1M2M3M4M5

Egress (match Dst MAC):
... match u16 0x 0xffff at -2 match u32 0xM2M3M4M5 0xffffffff at -12 match u16 0xM0M1 0xffff at -14

Ingress (match Src MAC):
... match u16 0x 0xffff at -2 match u16 0xM4M5 0xffff at -4 match u32 0xM0M1M2M3 0xffffffff at -8

The below is simplistic but it works to demonstrate the above.

tc qdisc add dev ppp0 root handle 1:0 htb default 20
tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit

tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10

# My Laptop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xffff at -2 match u16 0xM4M5 0xffff at -4 match u32 0xM0M1M2M3 0xffffffff at -8 flowid 1:10
# My Desktop
tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xffff at -2 match u16 0xM4M5 0xffff at -4 match u32 0xM0M1M2M3 0xffffffff at -8 flowid 1:20
# change the MAC's of course.

tc -s -d class show dev ppp0
tc -s -d qdisc show dev ppp0
tc -s -d filter show dev ppp0

There you have it.

:L















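Added example, not code from Lee's, gypsy's or Mike's posts: a helper that turns a MAC address into the u32 negative-offset match Lee spells out by hand, so the hex halves (M0M1M2M3 / M4M5 for a source address, M0M1 / M2M3M4M5 for a destination) and the masks cannot be mistyped, and a wrapper that emits the full tc filter command. It assumes an Ethernet-framed device, since -14, -8 and -2 are positions inside the Ethernet header that sits in front of the IP header; the ethertype check at -2 is 0x0800, so, as Mike says, ARP never reaches a filter installed with protocol ip. The sample MAC is one from the tcpdump lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the list posts): generate the u32 MAC match with
# negative offsets from a MAC address, and the tc filter that uses it.
# Assumes Ethernet framing before the IP header; protocol ip filters never
# see ARP.
set -eu

# u32_mac_match src|dst MAC
#   src  -> ingress style, matches the source MAC at offsets -8 and -4
#   dst  -> egress style, matches the destination MAC at -14 and -12
# Masks 0xffff / 0xffffffff require every byte of the address to match.
u32_mac_match() {
    dir="$1"; mac="$2"
    hex=$(printf '%s' "$mac" | tr -d ':' | tr 'A-F' 'a-f')
    if ! printf '%s\n' "$hex" | grep -qE '^[0-9a-f]{12}$'; then
        echo "u32_mac_match: bad MAC '$mac'" >&2
        return 1
    fi
    # Layout in front of the IP header (offset 0):
    #   -14 dst MAC (6 bytes)   -8 src MAC (6 bytes)   -2 ethertype (2 bytes)
    case "$dir" in
        src) printf 'match u16 0x0800 0xffff at -2 match u16 0x%s 0xffff at -4 match u32 0x%s 0xffffffff at -8\n' \
                "${hex#????????}" "${hex%????}" ;;
        dst) printf 'match u16 0x0800 0xffff at -2 match u32 0x%s 0xffffffff at -12 match u16 0x%s 0xffff at -14\n' \
                "${hex#????}" "${hex%????????}" ;;
        *)   echo "u32_mac_match: dir must be src or dst" >&2; return 1 ;;
    esac
}

# tc_mac_filter DEV src|dst MAC FLOWID : the complete filter command,
# attached to the root qdisc (parent 1:0) as in Lee's script.
tc_mac_filter() {
    dev="$1"; dir="$2"; mac="$3"; flowid="$4"
    echo "tc filter add dev $dev parent 1:0 protocol ip prio 1 u32 $(u32_mac_match "$dir" "$mac") flowid $flowid"
}

# Sample MAC taken from the tcpdump output quoted in the thread.
tc_mac_filter eth0 src 00:04:c1:b5:bd:f1 1:10
```

Pipe the printed command into sh once the htb classes exist; the matcher rejects anything that is not twelve hex digits so a malformed address fails early rather than producing a filter that silently matches nothing.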


[LARTC] Wrong src addr in pkts

2005-12-01 Thread Michael Davidson

Hi

I have a FW dual homed to the Internet via a leased line and most
recently by an ADSL line.


I have SQUID running on the FW which I want to direct to the ADSL line
as well as other traffic from my LAN.


After reading the LARTC Howto and the on-line book by Matthew ?? I have
my LAN-Internet traffic sorted but the SQUID traffic is a problem.


This is my config on a test machine:

Chain OUTPUT (policy ACCEPT 47542 packets, 4771K bytes)
 pkts bytes target prot opt in  out source     destination
  458 44858 MARK   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpts:80:443 MARK set 0x1d


# ip rule ls
0:  from all lookup local
2000:   from all fwmark 0x1d iif lo lookup table2
32766:  from all lookup main
32767:  from all lookup default
#

# ip route ls table 2
192.168.10.16/28 dev eth1  proto kernel  scope link  src 192.168.10.30
10.1.1.0/24 dev eth2  proto kernel  scope link  src 10.1.1.254
10.3.0.0/23 dev eth0  proto kernel  scope link  src 10.3.1.224
default via 10.1.1.59 dev eth2  src 10.1.1.254

Eth0 is the leased line, eth2 is the ADSL line and eth1 my internal LAN.

My default route in the main table points to the leased line.

With the above config I find that the output of squid is routed to the
ADSL line as desired; however, the problem is that the source address in
the packets is that of my LL interface. Is there a way to fix this?


I've read a lot on the web but I find that I'm now going in circles so 
any help would be appreciated.


Regards Mike.D.

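Added example covering both this post and Mike's later "Inbound and outbound traffic" reply; it is not code from either mail. It reproduces his fwmark setup (interface names, addresses, mark 0x1d and table2 are his) and adds the two pieces that explain the wrong source address. A socket chooses its source address when it connects, and at that moment only the main table is consulted, whose default route is the leased line; the mark is applied afterwards in mangle/OUTPUT and merely re-routes the packet, so it leaves eth2 still carrying the leased-line address. SNAT on the ADSL interface rewrites it, which is the "NAT or Masquerade on at least one of your ISP ports" his later reply says is required, and conntrack undoes the translation on the replies. The rp_filter line is the caveat from the network-configuration thread; APPLY and the rule priority are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the list posts): route traffic the firewall itself
# generates to tcp 80/443 (Squid's upstream fetches) out of the ADSL uplink,
# with the source address fixed by SNAT. Names/addresses follow Mike's post.
set -eu
ADSL_IF=eth2; ADSL_GW=10.1.1.59; ADSL_IP=10.1.1.254
MARK=0x1d; TABLE=table2; PREF=2000
# APPLY=1 runs the commands; otherwise they are only printed (a plan).
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN=echo; fi

# mangle/OUTPUT only sees locally generated packets, which is exactly the
# Squid traffic here; forwarded LAN traffic would need the same mark set in
# PREROUTING instead.
mark_rules() {
    $RUN iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -j MARK --set-mark "$MARK"
}

# The socket bound its source address before the mark existed (main table,
# leased-line default), so re-routing alone leaves the wrong address in the
# packet. Translate it to the ADSL interface's address on the way out.
nat_rules() {
    $RUN iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
}

# Marked packets consult table2, whose default route is the ADSL gateway.
# Replies arrive on eth2 although the main table reaches their source via
# eth0; strict rp_filter would drop them, so relax it on that interface
# (mode 2 needs kernel 2.6.31+, older kernels only have 0).
route_rules() {
    $RUN ip route replace default via "$ADSL_GW" dev "$ADSL_IF" table "$TABLE"
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE" priority "$PREF"
    $RUN sysctl -w "net.ipv4.conf.$ADSL_IF.rp_filter=2"
}

mark_rules
nat_rules
route_rules
```

The alternative to SNAT is to make Squid bind its outgoing sockets to the ADSL address (its tcp_outgoing_address directive) and select table2 with a plain "from 10.1.1.254" rule instead of a mark; then the source address is right from the start and no translation is needed.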


Re: [LARTC] Cannot get htb prio working together.

2005-11-06 Thread Michael Davidson

Hi
   Many thanks. Filtering at the sub-qdisc and the correct use of the tc
filter show command were where I was coming up short; I'm flying now.


Thanks again, Mike D.


Jody Shumaker wrote:


Michael Davidson wrote:


Hi,

I've tried the multi tier filtering as suggested, but it didn't do
the trick unfortunately. The filters were accepted at the command
line but when I do tc -s -d filter show dev eth0 the only
filters displayed are those with root as the parent. Below is my
current script.


That's because that command defaults to showing the root unless you 
tell it what to look at.


tc -s -d filter show dev eth0 parent 20:

A simple tc filter help lists that.

- Jody







Re: [LARTC] Cannot get htb prio working together.

2005-11-05 Thread Michael Davidson

Hi,

I've tried the multi tier filtering as suggested, but it didn't do the
trick unfortunately. The filters were accepted at the command line but
when I do tc -s -d filter show dev eth0 the only filters
displayed are those with root as the parent. Below is my current script.


tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 120kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit
tc qdisc add dev eth0 parent 1:20 handle 20: prio
#
# Note: With a prio qdisc the class IDs of 20:1 to 3 are automatically provided
#
tc qdisc add dev eth0 parent 20:1 handle 201: sfq
tc qdisc add dev eth0 parent 20:2 handle 202: sfq
tc qdisc add dev eth0 parent 20:3 handle 203: sfq

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 1:20
tc filter add dev eth0 parent 20:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 20:1
tc filter add dev eth0 parent 20:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3


Regards Mike.

Toby wrote:


Jody Shumaker wrote:


tc filter add ... parent 1:0  ... match ip dport 22 0xffff flowid 1:20
tc filter add ... parent 1:0  ... match ip dport 23 0xffff flowid 1:20

tc filter add ... parent 1:20 ... match ip dport 22 0xffff flowid 20:1
tc filter add ... parent 1:20 ... match ip dport 23 0xffff flowid 20:3


   you mean 20: here

The last two filters need to have 20: as parent, if you want to keep
each filter inside a single qdisc.


Toby








[LARTC] Cannot get htb prio working together.

2005-11-03 Thread Michael Davidson

Hi,
   I've failed miserably in my endeavours so far and I'm at the point 
where help would be much appreciated.


I want to have 3 bandwidth limited classes on my Internet interface. In
each of those classes I want 3 prioritization bands, and then use tc
filters to place the traffic into the correct class and priority. The
problem is that the traffic doesn't get classified at all; it just
seems to go through the root queue untouched.


This is the minimal config I've been testing with:

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 120kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit
tc qdisc add dev eth0 parent 1:20 handle 20: prio

# Note: With a prio qdisc the class IDs of nn:1 to 3 are automatically provided

tc qdisc add dev eth0 parent 20:1 handle 201: sfq
tc qdisc add dev eth0 parent 20:2 handle 202: sfq
tc qdisc add dev eth0 parent 20:3 handle 203: sfq

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 20:1
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3


A tc filter show displays the filters and so on and one can see the
hits & successes when testing with, say, Telnet, but the counters on the
respective queue/flowid don't increment. Only counters on the root queue
show activity:


filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 20:3  (rule hit 82 success 31)
  match 0017/ffff at 20 (success 31 )

qdisc sfq 201: parent 20:3 limit 128p quantum 1514b flows 128/1024
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

I've tried changing the filter parent for the prio qdisc, i.e. 20:, but a
tc filter show doesn't even display the filter and, as you might
expect, only the root queue counter shows activity.


The OS is Fedora Core 4 with an out-of-the-box server installation.
Linux version 2.6.11-1.1369_FC4.


Thanks in advance

Mike D.



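Added example for this thread and its two follow-ups, not code from Mike's, Jody's or Toby's mails: it generalises Mike's script to the full layout he describes (one rate-limited htb class per rate given, each with a prio qdisc and an sfq on every band) and builds the filters the way the replies say they must be built: a root filter can only choose an htb class, so a root filter with flowid 20:1 matches but names a class the htb qdisc does not have and the packet falls to htb's default (or straight out, when no default is set), which is the "root queue untouched" symptom; the band is chosen by a second filter attached to the prio qdisc (parent 20:). The last function is Jody's point that tc filter show only lists the root unless given a parent. DEV, the rates and ports, and APPLY are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the list posts): build an htb -> prio -> sfq tree
# with two-tier filters, and list filters under every classful qdisc.
set -eu
DEV="${DEV:-eth0}"
# APPLY=1 runs the commands; otherwise they are only printed (a plan).
if [ "${APPLY:-0}" = 1 ]; then RUN=""; else RUN=echo; fi

# build_tree TOTAL RATE... : htb class 1:10, 1:20, ... per RATE, each with
# a prio qdisc (handle 10:, 20:, ...) whose three bands get an sfq
# (handles 101:, 102:, 103:, then 201:, ...). Unclassified traffic lands in
# the first class via htb's default.
build_tree() {
    total="$1"; shift
    $RUN tc qdisc add dev "$DEV" root handle 1: htb default 10
    $RUN tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$total"
    n=10
    for rate in "$@"; do
        $RUN tc class add dev "$DEV" parent 1:1 classid "1:$n" htb rate "$rate" ceil "$total"
        $RUN tc qdisc add dev "$DEV" parent "1:$n" handle "$n:" prio
        for band in 1 2 3; do
            $RUN tc qdisc add dev "$DEV" parent "$n:$band" handle "$n$band:" sfq perturb 10
        done
        n=$((n + 10))
    done
}

# classify_port PORT CLASS BAND : the root filter picks only the htb class
# (flowid 1:CLASS); a second filter on that class's prio qdisc
# (parent CLASS:) picks the band (flowid CLASS:BAND). A root filter with
# flowid CLASS:BAND would match and still leave the packet unclassified.
classify_port() {
    port="$1"; class="$2"; band="$3"
    $RUN tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 \
        match ip dport "$port" 0xffff flowid "1:$class"
    $RUN tc filter add dev "$DEV" parent "$class:" protocol ip prio 1 u32 \
        match ip dport "$port" 0xffff flowid "$class:$band"
}

# tc filter show lists only the root's filters unless told which parent;
# walk every htb/prio qdisc handle so the sub-qdisc filters appear too.
show_all_filters() {
    tc qdisc show dev "$DEV" | awk '$2 == "htb" || $2 == "prio" { print $3 }' |
    while read -r handle; do
        echo "== filters with parent $handle"
        tc -s -d filter show dev "$DEV" parent "$handle"
    done
}

build_tree 120kbit 30kbit 30kbit 60kbit
classify_port 22 20 1
classify_port 23 20 3
```

After APPLY=1 the counters to watch are those of sfq 201: and 203: (tc -s qdisc show dev eth0); the root's counters increment for everything, so they say nothing about whether classification worked.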