RE: [LARTC] limiting p2p
Hi Michal.

Now I'm testing the ipt_ipp2p third-party netfilter module. You can reach it at:
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

At the moment I have no problems with it (it works well), but I haven't
tested the ipt_ipp2p module heavily with a large LAN.

regards
Andres.

-> ok ;) I have done the same some time ago ;)
->
-> But I'm interested what is wrong with ipt_p2p or something, that
-> icmp works badly when using ipt_p2p... Anybody know ?!?
-> Has anybody run ipt_p2p with no problems ?
->
-> best...
-> --
-> michal

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
RE: [LARTC] SQUID + HTB
Sounds very good ! I will try that patch, and next, I will drink one or two
beers and mail you (and the lartc list)

Regards
Andress

-> -Original Message-
-> From: [EMAIL PROTECTED]
-> [mailto:[EMAIL PROTECTED] on behalf of Marin Stavrev
-> Sent: Saturday, 15 November 2003 01:45 p.m.
-> To: [EMAIL PROTECTED]
-> CC: [EMAIL PROTECTED]
-> Subject: [LARTC] SQUID + HTB
->
->
-> Hi.
->
-> You will probably benefit from this SQUID patch. It can be
-> used to mark,
-> and then classify packets generated by the SQUID caching engine based on
-> whether they are served from the cache (HIT) or being retrieved now
-> (MISS).
-> More info on: http://www.it-academy.bg/zph/
-> You can do this when TC and SQUID are on the same machine or on different
-> PCs in your LAN/WAN/MAN.
->
-> M. Stavrev
[LARTC] VoIP
Hi,

what do I need to make VoIP from inside my LAN to the outside Internet ?

I have a Linux router with
- kernel 2.4.20
- iptables 1.2.8 (with Patch-o-Matic, H323)

eth0 is connected to ISP
eth1 is connected to LAN

I've the following SNAT rule in order to share my internet connection:

iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -j SNAT --to-source 200.69.54.124

and, of course "/proc/sys/net/ipv4/ip_forward = 1"

Do I need another netfilter patch ?

Regards
Andres.
[LARTC] limiting p2p
Hi List !

I'm trying the excellent module ipt_p2p from Filipe Almeida in a Linux box
with several connections, in order to block p2p traffic with the following
rule:

iptables -L -t filter -m ipt_p2p -j DROP

And the result was that the traffic was reduced from 1,3 mb to 0,85 mb !!!
Excellent !!

However, I've noted that after two days running, that Linux box (RH 7,2
updated - kernel 2.4.22 - iptables 1.2.8 with String and ConnMark modules,
Pentium 4, 1.8 Mhz, 256 Mgbytes RAM, and 3c509 eth0, eth1 and eth2) begins
to drop other packets and a simple ping looks like this:

# ping 192.168.210.3    (for example)
PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data.
64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

After that, the only way to fix this was a REBOOT.

I've heard of similar problems (not with ipt_p2p), and someone said that the
following could work (in a cron job):

echo -n "Unloading modules.."
rmmod -a
lsmod | grep "ipt_\|ip_\|iptable" | cut -f1 -d' ' | xargs rmmod 2>/dev/null && \
echo "Done!" || echo "failed!"

and some others suggest that I could try an "iptables clear" and regenerate
the IP tables.

From the man page:

> ping sendto: operation not permitted
sendto(2) system call failed with errno EPERM, operation not permitted
=> reason is in the local firewall rules, chain OUTPUT. Otherwise the
sendto(2) would have succeeded, and the error would come in an ICMP error
packet.

Have you a clue about this ?

Thank you.
Best Regards.
Andres.
RE: [LARTC] New in the list
GREETINGS FROM ARGENTINA, VICENTE!

Andres.

-> -Original Message-
-> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
-> on behalf of Vicent Roca Daniel
-> Sent: Wednesday, 29 October 2003 03:49 p.m.
-> To: [EMAIL PROTECTED]
-> Subject: [LARTC] New in the list
->
->
-> Hi people! ;-)
-> I'm new in the list.
-> Name: Vicent Roca
-> Country: Spain
->
-> see you.
-> bye.
-> Goodbye
RE: [LARTC] dynamic bandwidth
Ok, Martin... Thank you, and see my post. I have done some ESFQ tests...
but the results are not satisfactory... eSFQ seems to work like SFQ... :-(

regards
andres

-> -Original Message-
-> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
-> on behalf of Rio Martin
-> Sent: Sunday, 26 October 2003 11:30 p.m.
-> To: [EMAIL PROTECTED]
-> Subject: Re: [LARTC] dynamic bandwidth
->
->
-> On Friday 24 October 2003 22:51, Ivo Vachkov wrote:
-> > ThE PhP_KiD wrote:
-> > > I have a linux router with eth0 (ADSL ISP connection), and
-> > > eth1 (LAN, 10 hosts).
-> > > I want all hosts to get equal bandwidth, but the problem
-> > > is that the ADSL connection bandwidth is very variable.
-> > > How can I get a fair bandwidth policy for upload
-> > > and download from LAN hosts ?
-> > > I think that I can't use HTB because it works with a
-> > > fixed bandwidth.
-> > > Must I use ESFQ ?
-> > I think SFQ is the right solution if you want to share bandwidth
-> between hosts
-> > > Also, how must I do if I want to privilege a particular
-> > > host over other LAN hosts ?
-> > CBQ or priority queueing
-> > > Thank you very much !
-> > > Andres.
->
-> The main problem for a situation like this is in the bandwidth
-> allocated to
-> the parent class, which is unpredictable because ADSL is burstable.
-> According to previous posts to this list, there were no solutions
-> for this.
-> I am also looking for some kind of trick to solve this one.
->
-> Regards,
-> Rio Martin.
[LARTC] esfq testing !
Hi,

I have a linux router like this:

ADSL modem-->(eth0) Linux Router (eth1)<--->LAN (6 hosts)

Since I want to apply fairness to the 6-host LAN, I have compiled kernel
2.4.20-8 with the esfq 0.2 patch (and iproute2 with the esfq patch too).

Next, I run the following script:

#!/bin/sh
TC="/sbin/tc"
$TC qdisc del dev eth1 root 2> /dev/null > /dev/null
$TC qdisc add dev eth1 root handle 1:0 esfq perturb 0 hash dst
$TC class show dev eth1
$TC qdisc show dev eth1
$TC filter show dev eth1

And it shows me:

qdisc esfq 1: quantum 1514b hash: dst

Next, I make a test from the server to the LAN hosts, and run iptraf in
order to take measurements. When I do:

# nohup ping 192.168.1.3 -f &    (a LAN host)
# nohup ping 192.168.1.6 -f &    (other LAN host)

iptraf shows me equal bandwidth to those hosts. But if I repeat the pings
for one of those hosts:

# nohup ping 192.168.1.6 -f &    (other LAN host)
# nohup ping 192.168.1.6 -f &    (other LAN host)
# nohup ping 192.168.1.6 -f &    (other LAN host)

iptraf shows me that 192.168.1.6 gets more bandwidth than 192.168.1.3.

Then it seems ESFQ behaviour is like SFQ... what is wrong? I have ESFQ
compiled as a module. Also I've tried putting ESFQ inside an HTB class, but
ESFQ behaviour is the same as in the above example.

Where is the problem ?

Thank you !!!
Mac
RE: [LARTC] dynamic bandwidth
Hi,

-> > Must I use ESFQ ?
->
-> I think SFQ is the right solution if you want to share bandwidth between hosts

Why not eSFQ (enhanced SFQ) ? eSFQ has traffic fairness filtering by host
(src / dst), or the classic SFQ behaviour.

-> > Also, how must I do if I want to privilege a particular
-> > host over other LAN hosts ?
->
-> CBQ or priority queueing

Can I use HTB instead of CBQ ? How?

Thank you very much.
Andres.
[LARTC] dynamic bandwidth
Hi,

I have a linux router with eth0 (ADSL ISP connection), and eth1 (LAN, 10
hosts). I want all hosts to get equal bandwidth, but the problem is that
the ADSL connection bandwidth is very variable. How can I get a fair
bandwidth policy for upload and download from LAN hosts ? I think that I
can't use HTB because it works with a fixed bandwidth. Must I use ESFQ ?

Also, how must I do if I want to privilege a particular host over other
LAN hosts ?

Thank you very much !
Andres.
[LARTC] esfq
hi,

I want to try esfq in order to make a load balance in my linux router
(both the LAN side and the internet side). I want all hosts of my LAN to
have the same bandwidth available. Since the linux router is connected to
an ISP which provides a variable bandwidth, I think that I can't use HTB.

Also, in this situation, how can I prioritize some LAN hosts over others ?

Thank you very much in advance.
Andres.
[LARTC] voip
Hi,

I have a linux router:

INTERNET<--- eth0 LINUX router eth1 --> LAN ---> host1
                                            ---> host2
                                            ---> ...
                                            ---> VoIP device.

The linux router has:
- kernel 2.4.20,
- iptables 1.2.8
- h323 netfilter patches
- other patches.

I want to connect, with my VoIP device, to a friend who has an ADSL
connection and a VoIP device. He can connect to other users with ADSL and
VoIP, but not with me.

My linux has several public IPs on eth0. One of them is fully forwarded to
the VoIP device:

iptables -A PREROUTING -t nat -s aa.aa.aa.aa -j DNAT --to-destination bb.bb.bb.bb
iptables -A POSTROUTING -t nat -s bb.bb.bb.bb -j SNAT --to-source aa.aa.aa.aa

where aa.aa.aa.aa = public IP of the linux router dedicated to the VoIP
device and bb.bb.bb.bb = VoIP private IP inside the LAN.

The VoIP device can be pinged from the internet, but I can't connect with my
friend who has his VoIP device on an ADSL connection.

Which is the problem ?

thank you !
mac
[LARTC] Priorize web traffic
Hi,

I've a LAN with a linux router, and I manage that linux from the internet
with SSH. I want to prioritize web traffic on the LAN, and ssh from the
internet.

The linux router has:
- kernel 2.4.20, with
  - HTB
  - PRIO
  - Ingress
  - SFQ
  - and so on...
- iptables 1.2.8
- RH 7.2
- eth0: internet interface
- eth1: LAN interface.

Can anybody give me a clue, or a starting point, in order to make a script
to get the above prioritization rules ?

Thank you in advance !

regards
mac

-> -Original Message-
-> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
-> on behalf of Andy Furniss
-> Sent: Monday, 15 September 2003 08:08 a.m.
-> To: David Fisher
-> CC: [EMAIL PROTECTED]
-> Subject: Re: [LARTC] New Kernel 2.4.21 - missing IMQ Netfilter target
->
->
-> On Sunday 14 September 2003 12:49 am, David Fisher wrote:
-> > On Sun, 14 Sep 2003 01:39, Michal Jursa wrote:
-> > > This (IMQ target) option is in the submenu under 'Packet mangle'
-> > > option...so you have to enable packet mangling first...
-> > >
-> > > Mike
-> >
-> > No, I have packet mangling enabled but it's definitely not
-> there. Might
-> > there be some other prerequisite I've missed?
->
-> A total guess - but you may need CONFIG_EXPERIMENTAL.
->
-> Andy.
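The "dynamic bandwidth", "esfq" and "Priorize web traffic" threads above all ask the same thing: how to share a variable ADSL link fairly between LAN hosts with HTB and ESFQ, and how to favour one host and interactive traffic (ssh, web). The script below is an added example written for this page; it is not a script posted on the list. It assumes eth0 faces the ISP and eth1 the LAN, that kernel and iproute2 carry the esfq patch, that the usable downstream and upstream rates have been measured (DOWN_KBIT and UP_KBIT are placeholders), and that VIP_HOST is the LAN host to favour. HTB needs a fixed rate, so the usual workaround for a variable link is to shape slightly below the lowest rate the link is observed to deliver, so that the queue builds on the router, where tc can order it, rather than in the modem. By default the script only prints the tc commands (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the list): HTB with an interactive, a web and a
# bulk leaf on each interface; the bulk leaf uses esfq so that bandwidth is
# shared per LAN host rather than per flow. All rates are assumptions.
TC=${TC:-/sbin/tc}
WAN=eth0
LAN=eth1
DOWN_KBIT=${DOWN_KBIT:-480}         # assumed: measured downstream, minus a margin
UP_KBIT=${UP_KBIT:-112}             # assumed: measured upstream, minus a margin
VIP_HOST=${VIP_HOST:-192.168.1.6}   # assumed: the LAN host to privilege

# DRY_RUN=1 (default) prints the tc commands instead of executing them.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# shape DEV RATE_KBIT: one parent class owning the whole rate, three leaves:
# 1:10 interactive, 1:20 web, 1:30 everything else (the HTB default).
# Every leaf may borrow up to the full rate; prio decides who borrows first.
shape() {
    dev=$1; rate=$2
    run $TC qdisc del dev "$dev" root
    run $TC qdisc add dev "$dev" root handle 1: htb default 30
    run $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    run $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "$((rate * 10 / 100))kbit" ceil "${rate}kbit" prio 0
    run $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "$((rate * 40 / 100))kbit" ceil "${rate}kbit" prio 1
    run $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "$((rate * 50 / 100))kbit" ceil "${rate}kbit" prio 2
    run $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
}

setup() {
    # Downstream (router -> LAN, leaves via eth1). Web replies carry sport 80.
    # The bulk leaf hashes on destination: each LAN host gets one esfq slot,
    # so three flows to one host share one host's share instead of taking
    # three slots as plain SFQ would.
    shape "$LAN" "$DOWN_KBIT"
    run $TC qdisc add dev "$LAN" parent 1:30 handle 30: esfq perturb 10 hash dst
    run $TC filter add dev "$LAN" parent 1: protocol ip prio 1 u32 match ip dst "$VIP_HOST/32" flowid 1:10
    run $TC filter add dev "$LAN" parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip sport 80 0xffff flowid 1:20

    # Upstream (router -> Internet, leaves via eth0). The router's own ssh
    # replies to the administrator (sport 22) go first; LAN uploads are
    # hashed on source so no single LAN host can fill the small upstream.
    shape "$WAN" "$UP_KBIT"
    run $TC qdisc add dev "$WAN" parent 1:30 handle 30: esfq perturb 10 hash src
    run $TC filter add dev "$WAN" parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip sport 22 0xffff flowid 1:10
    run $TC filter add dev "$WAN" parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip dport 80 0xffff flowid 1:20
}

setup
```

The two interfaces are shaped separately because tc only controls what leaves an interface: downstream fairness between LAN hosts has to be enforced on eth1, upstream fairness and the router's own ssh on eth0. Shaping below the measured rate wastes a little capacity on a good day but is what keeps the queue, and therefore the ordering, on this box.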
[LARTC] RE: firewall
I forgot the following data:

Kernel 2.4.20
iptables 1.2.8
iproute (last stable)
RH72

:-)

->
-> Hi.
->
-> I'm trying to enable a firewall on my linux router.
->
-> eth0 router: Internet Connection
-> eth1 router: LAN connection
->
-> I want to allow my LAN users to browse web pages,
-> and send and receive email, and nothing more, because
-> this router is connected to a VSAT connection, and
-> upload bandwidth is very small.
->
-> Also, I need to manage the Linux router from an Internet
-> host via ssh and ftp.
->
-> Is the following configuration ok ?
->
-> Thank you very much.
-> ... mac
->
->
-> iptables -A OUTPUT -p tcp --dport 80 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -p tcp --dport 25 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -p tcp --dport 110 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -p tcp --dport 22 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -p tcp --dport 21 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -p tcp --dport 20 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -p tcp --dport 53 -o eth0 -j ACCEPT
-> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
->
->
-> # Protection against SYN flood:
-> iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
->
-> # Stealth port scanner:
-> iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m
-> limit --limit 1/s -j ACCEPT
->
-> # Ping of death:
-> iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit
-> --limit 1/s -j ACCEPT
->
->
-> # iptables -A OUTPUT -m state --state NEW -i ! ppp0 -j ACCEPT
-> iptables -A OUTPUT -j DROP
[LARTC] firewall
Hi.

I'm trying to enable a firewall on my linux router.

eth0 router: Internet Connection
eth1 router: LAN connection

I want to allow my LAN users to browse web pages, and send and receive
email, and nothing more, because this router is connected to a VSAT
connection, and upload bandwidth is very small.

Also, I need to manage the Linux router from an Internet host via ssh and
ftp.

Is the following configuration ok ?

Thank you very much.
... mac

iptables -A OUTPUT -p tcp --dport 80 -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -o eth0 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Protection against SYN flood:
iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Stealth port scanner:
iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Ping of death:
iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# iptables -A OUTPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A OUTPUT -j DROP
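One thing a reviewer of the script above would check first is which chain the traffic actually traverses: OUTPUT only sees packets the router itself generates, packets the router forwards for LAN hosts pass through FORWARD, and connections to the router (the ssh and ftp administration) arrive in INPUT. The script below is an added example for this page, not the poster's script or a reply from the list; it implements the stated policy (LAN users may browse, send and receive mail and resolve names, one Internet host may ssh and ftp to the router, everything else is dropped) with default-deny chains and stateful matching. The interface names follow the post; the LAN prefix and the administrator's address are assumptions. By default it only prints the rules (DRY_RUN=1); DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example (not from the list): the firewall post's policy, placed in
# the chains the traffic really passes through. LAN_NET and ADMIN_HOST are
# assumed values.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
ADMIN_HOST=203.0.113.10        # placeholder: the Internet host allowed to ssh/ftp in

# DRY_RUN=1 (default) prints the iptables commands instead of applying them.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

build_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Accept packets of connections already allowed before any per-port rule,
    # so the later rules only ever decide about the first packet of a connection.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN users: web, mail out (SMTP), mail in (POP3) and DNS, nothing more.
    for port in 80 25 110 53; do
        run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Administration of the router from one Internet host: ssh and the ftp
    # control channel. The ftp data channel is tracked as RELATED by the
    # ip_conntrack_ftp helper, so port 20 needs no rule of its own.
    run modprobe ip_conntrack_ftp
    for port in 22 21; do
        run iptables -A INPUT -i "$WAN" -s "$ADMIN_HOST" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Rate-limited log of what the DROP policies discard, so misuse of the
    # small VSAT uplink is visible without the log itself becoming a flood.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD drop: "
    run iptables -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "IN drop: "
}

build_rules
```

The ESTABLISHED,RELATED rules sit first on purpose: with them at the top, a per-port rule is consulted once per connection rather than once per packet, and the rate-limited SYN and RST rules from the post, if kept, would then only ever see first packets. Note that the LAN hosts' web and mail still traverse FORWARD in both directions; the OUTPUT policy of ACCEPT covers only what the router itself sends.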
RE: [LARTC] Compile error "iproute2"
Hi,

I've the same problem as you. My linux box is:
- kernel 2.4.22
- RH 7.2
- iproute2-2.4.7-now-ss010824

and the same problem appears with:
- iproute2-2.4.7-now-ss020116-try.tar

Since I need esfq, I will try with kernel 2.4.18

What do you mean with this ?

-> vim include-glibc/netinet/in.h
-> .,$s/linux\/in.h/\/usr\/include\/linux\/in.h

Regards.
Mac

-> -Original Message-
-> From: [EMAIL PROTECTED]
-> [mailto:[EMAIL PROTECTED] on behalf of Nickola Kolev
-> Sent: Tuesday, 02 September 2003 06:41 p.m.
-> To: [EMAIL PROTECTED]
-> Subject: Re: [LARTC] Compile error "iproute2"
->
->
-> Hello,
->
-> For example you can try patching iproute2:
->
-> vim include-glibc/netinet/in.h
-> .,$s/linux\/in.h/\/usr\/include\/linux\/in.h
->
-> I'm not that "in" those things, but it seems that some distros have
-> /usr/include/linux linked to the kernel source tree and others
-> don't. I had a
-> similar situation recently, and I resolved it this way.
->
-> Hope this helps.
->
-> On Tue, 02 Sep 2003 17:41:13 -0300
-> Matías López Bergero <[EMAIL PROTECTED]> wrote:
->
-> : I have a very similar problem with the same iproute2 and htb version,
-> : but with linux 2.4.22 vanilla, not rc2.
-> :
-> : /usr/src/linux/include/linux/in.h:140: field `gr_group' has
-> incomplete type
-> : /usr/src/linux/include/linux/in.h:141: confused by earlier errors,
-> : bailing out
-> : make[1]: *** [ll_map.o] Error 1
-> : make[1]: Leaving directory `/opt/iproute2/lib'
-> : make: *** [all] Error 2
->
-> [ cut ]
->
-> --
-> Be well,
-> Nikola
-> _
->
-> "Engineering does not require science. Science helps a lot but
-> people built perfectly good brick walls long before they knew
-> why cement works." -Alan Cox
[LARTC] (ot) PPPoe Server
Hi ! (sorry for this offtopic!)

I'm trying to set up a PPPoE server with Roaring Penguin. In order to do it,
I've followed the steps at:

http://listas.conectiva.com.br/listas/linuxisp-br/arquivo/2003/06/msg00025.html

That process is OK. But, when I try to connect with a PPPoE client (RASPPPoE
under win 98), I get the following error:

/var/log/messages
Aug 2 21:12:38 localhost pppoe-server[4685]: Session 2 created for client 00:00:e8:98:c2:8e (192.168.101.32) on eth1 using Service-Name ''
Aug 2 21:12:38 localhost pppd[4685]: Plugin /etc/ppp/plugins/rp-pppoe.so loaded.
Aug 2 21:12:38 localhost pppd[4685]: RP-PPPoE plugin version 3.4 compiled against pppd 2.4.2b3
Aug 2 21:12:38 localhost pppd[4685]: pppd 2.4.2b3 started by root, uid 0
Aug 2 21:12:38 localhost pppd[4685]: Using interface ppp5
Aug 2 21:12:38 localhost pppd[4685]: Connect: ppp5 <--> eth1
Aug 2 21:12:38 localhost pppd[4685]: Couldn't increase MTU to 1500
Aug 2 21:12:38 localhost pppd[4685]: Couldn't increase MRU to 1500
Aug 2 21:13:08 localhost pppd[4685]: Terminating on signal 15.

I've tried to set eth1 to a 1492 MTU, but the error persists again and again...

Kernel 2.4.21
pppd 2.4.2b3 (from CVS)
rp-pppoe-server 3.4
RAM 256 Mbytes
Eth0, eth1, eth2: Via Technologies

Help ME !!! THANK YOU!! and sorry for this offtopic

Mac
[LARTC] DNAT rare problem...
Hi!

I've the following network:

                          inet
                           |
         20.5.90.194/26    |    20.5.90.195/26
                        [eth0]
                    internet gateway
                        [eth1]
       192.168.100.254/24  |  192.168.210.254/24
              |                  |              |
      192.168.100.1/24     192.168.210.1    192.168.210.2
      eth0: SENDMAIL           host 1           host 2

The internet gateway is a linux 2.4.21 with iptables 1.2.8. On eth0, it has
two public IPs:

20.5.90.194/26
20.5.90.195/26

Since I can't route the last public IP, and I need to run a Sendmail server
that is visible from the internet, I have made a DNAT rule (and some SNAT
rules too, in order to provide internet access to the LAN).

# iptables -L -t nat -n gives me the following:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            200.5.90.195         to:192.168.100.1
ACCEPT     all  --  192.168.100.1        0.0.0.0/0
ACCEPT     all  --  192.168.210.1        0.0.0.0/0
ACCEPT     all  --  192.168.210.2        0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.100.0/24
SNAT       all  --  192.168.100.1        0.0.0.0/0            to:20.5.90.195
SNAT       all  --  192.168.210.1        0.0.0.0/0            to:20.5.90.194
SNAT       all  --  192.168.210.2        0.0.0.0/0            to:20.5.90.194

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From the Internet (WAN side), I can reach the Sendmail server host without
problems, pinging 20.5.90.195 and opening port 25.

From the LAN side (hosts 192.168.102.1 or 192.168.102.2), I can ping
20.5.90.195 but I can't open port 25... (but sometimes, I can do it !!)

What is happening?

Thank you very very much in advance.
Mac
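Both the "voip" post and this DNAT post publish an internal host on a dedicated public address. The script below is an added example written for this page, not rules posted on the list, and it does not claim to diagnose either reported failure; it shows the rule set a practitioner would compare against the posted ones. Two points it makes explicit: a one-to-one DNAT matches on the destination (-d) of the inbound packet, not its source; and the nat table is consulted only for the first packet of a connection, so ACCEPT/DROP policy belongs in the filter table's FORWARD chain, where every packet is checked. It also handles the hairpin case, a common cause of a DNAT that works from the Internet but not from the LAN: when a LAN client on the server's own subnet connects to the public address, the DNATed packet reaches the server, but without a matching SNAT the server answers the client directly, the reply bypasses the router's reverse translation, and the client discards an answer from an address it never contacted. PUB_ADDR is a placeholder; the private addresses and subnets follow the DNAT post. By default the script only prints the rules (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not from the list): one-to-one DNAT of a public address to
# an internal server, hairpin translation for LAN clients, and the policy
# rules kept in the filter table. PUB_ADDR is a placeholder value.
PUB_ADDR=203.0.113.5              # placeholder: public address dedicated to the server
SERVER_PRIV=192.168.100.1         # the server behind eth1 (Sendmail host in the post)
ROUTER_LAN_ADDR=192.168.100.254   # router's address on the server's subnet
LAN_NETS="192.168.100.0/24 192.168.210.0/24"
WAN=eth0
LAN=eth1

# DRY_RUN=1 (default) prints the iptables commands instead of applying them.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

nat_rules() {
    # Inbound: everything arriving from the Internet for the dedicated public
    # address is handed to the server (match on destination, -d). The SNAT
    # the other way makes the server's own traffic leave with that address.
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$PUB_ADDR" -j DNAT --to-destination "$SERVER_PRIV"
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$SERVER_PRIV" -j SNAT --to-source "$PUB_ADDR"

    # Hairpin: a LAN client that uses the public address needs the same DNAT,
    # plus a source rewrite to the router's address so the server's reply comes
    # back through the router, which undoes both translations. The cost is that
    # the server logs the router's address instead of the LAN client's.
    for net in $LAN_NETS; do
        run iptables -t nat -A PREROUTING -i "$LAN" -s "$net" -d "$PUB_ADDR" -j DNAT --to-destination "$SERVER_PRIV"
        run iptables -t nat -A POSTROUTING -o "$LAN" -s "$net" -d "$SERVER_PRIV" -j SNAT --to-source "$ROUTER_LAN_ADDR"
    done
}

filter_rules() {
    # Policy lives in the filter table, not in nat: after translation, only the
    # service the server publishes (SMTP in the post) is reachable from outside.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -d "$SERVER_PRIV" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    for net in $LAN_NETS; do
        run iptables -A FORWARD -i "$LAN" -s "$net" -m state --state NEW -j ACCEPT
    done
}

nat_rules
filter_rules
```

A quick check for the hairpin case on a live box is `iptables -t nat -L -n -v`: if the inbound DNAT rule's counters rise when an Internet client connects but stay flat when a LAN client uses the public address, the LAN traffic is not being translated at all and the LAN-side PREROUTING rule above is the one missing.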