Re: [LARTC] How to fight with encrypted p2p

2007-12-10 Thread the sew
On Dec 10, 2007 4:09 PM, Mario Antonio Garcia <[EMAIL PROTECTED]> wrote:
> Thanks for sharing.

No problem


>
> Just one question, how are you implementing the daily limit?

two ways of detecting them:

1st is the /etc/ppp/ip-up.local which executes the script to check
usage against the radius db and shapes them on authentication.

Once they have logged in, I don't want to kick everyone off every few hours
to check usage, so I have a "nice" cron job running every 3 hours to
check every single user against the db and if they have reached their
quotas, they get shaped while being online. Radius stores all info
about the nas in the db, so it makes it quite straightforward.

Also nicely added is that our reselling guys who maintain the clients get a
report every time of users who exceeded the limit and can be aware of
which client is the problem if they phone to complain. Also nice is
that usually the infected PCs get knocked off first to save a lot of
bandwidth

Sew





>
> Regards,
>
> Mario Antonio
>
>
> - Original Message -
> From: "the sew" <[EMAIL PROTECTED]>
> To: "Andrew Beverley" <[EMAIL PROTECTED]>
> Cc: lartc@mailman.ds9a.nl
> Sent: Monday, December 10, 2007 8:37:07 AM (GMT-0500) America/New_York
> Subject: Re: [LARTC] How to fight with encrypted p2p
>
> Hi,
>
> We had a similar problem with p2p, used ipp2p and L7filter together
> before and worked well until clients (mostly clever ones) started
> getting around it with encryption. We have about 700 wireless clients
> hitting our network and our network was taking big knocks with guys
> using a couple of gigs a day on entry level packages.
>
> Was going to use Ipoque, but was quite pricey for us. Only solution
> for us was to use a daily limit of eg 500MB, then they get slowed down to
> slower speeds. This worked like a charm
>
> Out of interest we used freeradius / pptpd|pppd with some custom perl
> scripts and tc rules
>
> Sew
>
> On Dec 3, 2007 9:33 PM, Andrew Beverley <[EMAIL PROTECTED]> wrote:
> > > I believe "fighting" is the wrong approach.  Badly shaping the wrong
> > > traffic is just as bad, if not worse IMO.  An ISP in my neck of the
> > > woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a
> > > result of their P2P fight.  Needless to say we no longer use them, and
> > > we encourage clients, friends, and colleagues not to as well.  I don't
> > > use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
> > > these services is not useful.
> >
> > Using the rules in the example previously given specifically steers well
> > clear of these services.
> >
> > > Limiting your rules to specific ports is
> > > pretty useless.  This has been done before, and it failed miserably.
> >
> > Agreed.
> >
> > > For me, if P2P does not belong at all, for instance on a corporate
> > > network, then a default deny on the outbound works much better.  We then
> > > only allow specific connections on a case by case basis.
> >
> > I have seen this work very well on corporate networks, and would
> > recommend this approach where possible. Unfortunately though, on a normal
> > home user network, there are so many different possibilities that this
> > isn't very practical.
> >
> > > For instances
> > > where I am not able to block p2p, I define specific rules for high and
> > > low priority, and leave everything else in the default.  If the end user
> > > wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
> > > course in this case bandwidth accounting is far more useful.
> >
> > Again, this depends on the circumstances. If you only have 2Mbit/s to share
> > between 100 users then each user cannot have their own 'share' of the
> > connection. Equally, people downloading in a responsible way are lumped
> > into the same category as p2p users, which is not fair. Bandwidth
> > accounting is a possibility, and something I haven't investigated.
> >
> > For those who want to fairly share bandwidth between users, I would
> > recommend the ESFQ patches. These allow bandwidth sharing to be done on
> > an IP address basis, rather than per connection. This prevents the
> > hundreds of p2p connections from drowning out single downloads.
> >
> > > I would also encourage your users to use software that is or can be well
> > > behaved.  Software that allows you set a proper TOS for instance.  If
> > > possible work with the end users.
> > > I have persona

Re: [LARTC] How to fight with encrypted p2p

2007-12-10 Thread the sew
Hi,

We had a similar problem with p2p, used ipp2p and L7filter together
before and worked well until clients (mostly clever ones) started
getting around it with encryption. We have about 700 wireless clients
hitting our network and our network was taking big knocks with guys
using a couple of gigs a day on entry level packages.

Was going to use Ipoque, but was quite pricey for us. Only solution
for us was to use a daily limit of eg 500MB, then they get slowed down to
slower speeds. This worked like a charm

Out of interest we used freeradius / pptpd|pppd with some custom perl
scripts and tc rules

Sew

On Dec 3, 2007 9:33 PM, Andrew Beverley <[EMAIL PROTECTED]> wrote:
> > I believe "fighting" is the wrong approach.  Badly shaping the wrong
> > traffic is just as bad, if not worse IMO.  An ISP in my neck of the
> > woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a
> > result of their P2P fight.  Needless to say we no longer use them, and
> > we encourage clients, friends, and colleagues not to as well.  I don't
> > use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
> > these services is not useful.
>
> Using the rules in the example previously given specifically steers well clear
> of these services.
>
> > Limiting your rules to specific ports is
> > pretty useless.  This has been done before, and it failed miserably.
>
> Agreed.
>
> > For me, if P2P does not belong at all, for instance on a corporate
> > network, then a default deny on the outbound works much better.  We then
> > only allow specific connections on a case by case basis.
>
> I have seen this work very well on corporate networks, and would
> recommend this approach where possible. Unfortunately though, on a normal
> home user network, there are so many different possibilities that this
> isn't very practical.
>
> > For instances
> > where I am not able to block p2p, I define specific rules for high and
> > low priority, and leave everything else in the default.  If the end user
> > wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
> > course in this case bandwidth accounting is far more useful.
>
> Again, this depends on the circumstances. If you only have 2Mbit/s to share
> between 100 users then each user cannot have their own 'share' of the
> connection. Equally, people downloading in a responsible way are lumped
> into the same category as p2p users, which is not fair. Bandwidth
> accounting is a possibility, and something I haven't investigated.
>
> For those who want to fairly share bandwidth between users, I would
> recommend the ESFQ patches. These allow bandwidth sharing to be done on an
> IP address basis, rather than per connection. This prevents the hundreds
> of p2p connections from drowning out single downloads.
>
> > I would also encourage your users to use software that is or can be well
> > behaved.  Software that allows you set a proper TOS for instance.  If
> > possible work with the end users.
> > I have personally found that the best solutions are not tech solutions.
> > Having a well defined Acceptable Use Policy, plus a constructive
> > dialogue with my users has been far more effective than any shaping
> > routine I/we could come up with.
>
> Agreed. However, in a situation where you have a lot of users coming
> and going, it is not easy to educate the many hundreds of users.
>
> I guess it all boils down to your own situation. Traffic shaping on a
> corporate network or on a network where your users are static can be done
> using the above techniques. However, sharing a small connection between
> hundreds of regularly changing users is difficult, and I have found the
> 'blunt' rules previously described to work very well with no complaints.
>
>
> Regards,
>
> Andy Beverley
>
>
> ___
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
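The daily-limit scheme in this post, together with the 3-hourly RADIUS check described in the reply above, as an added example that is not from the list: the accounting rows are constructed inline (a real cron job would read them from the RADIUS database), and the radacct column layout, the slowed-down rate and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the list): the daily-limit check described above.
# Sum today's RADIUS accounting per user, and shape the ppp interface of any
# user over quota who is still online, without kicking anyone off.
# Assumptions: a radacct-style row layout (below); a live cron job would get
# these rows from the RADIUS database instead of the constructed sample.
QUOTA_BYTES=$((500 * 1024 * 1024))   # the 500MB/day limit from the post
SLOW_RATE="${SLOW_RATE:-64kbit}"     # assumed "slowed down" rate
DRY_RUN="${DRY_RUN:-1}"              # 1 = print tc commands, 0 = run them

# Constructed sample rows: username,acctstarttime,acctinputoctets,
# acctoutputoctets,nasportid,acctstoptime. An empty stop time means the
# session is still up; nasportid carries the ppp interface it is on.
SAMPLE_RADACCT='username,acctstarttime,acctinputoctets,acctoutputoctets,nasportid,acctstoptime
alice,2007-12-10 01:02:03,200000000,100000000,ppp3,2007-12-10 05:00:00
alice,2007-12-10 06:00:00,300000000,50000000,ppp7,
bob,2007-12-10 02:00:00,100000000,100000000,ppp4,
carol,2007-12-10 03:00:00,600000000,10000000,ppp9,2007-12-10 04:00:00
dave,2007-12-09 23:00:00,900000000,0,ppp2,'

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Users whose sessions started on DAY total more than the quota: "user bytes".
over_quota() {
    printf '%s\n' "$SAMPLE_RADACCT" | awk -F, -v day="$1" -v quota="$QUOTA_BYTES" '
        NR > 1 && substr($2, 1, 10) == day { used[$1] += $3 + $4 }
        END { for (u in used) if (used[u] > quota) print u, used[u] }' | sort
}

# ppp interfaces of the user's currently open sessions (may be several).
online_ifaces() {
    printf '%s\n' "$SAMPLE_RADACCT" | awk -F, -v u="$1" 'NR > 1 && $1 == u && $6 == "" { print $5 }'
}

# Egress on pppN is traffic towards that client, so an HTB root with one
# slow class caps their download; "replace" overrides what ip-up installed.
shape_iface() {
    run tc qdisc replace dev "$1" root handle 1: htb default 10
    run tc class replace dev "$1" parent 1: classid 1:10 htb rate "$SLOW_RATE" ceil "$SLOW_RATE"
}

# The 3-hourly job: shape online offenders, report offline ones for the resellers.
enforce() {
    over_quota "$1" | while read -r user bytes; do
        ifaces=$(online_ifaces "$user")
        if [ -z "$ifaces" ]; then
            echo "# $user: $bytes bytes, over quota, offline (report only)"
            continue
        fi
        for i in $ifaces; do
            echo "# $user: $bytes bytes, over quota, shaping $i"
            shape_iface "$i"
        done
    done
}
```

Run as `DRY_RUN=1 sh quota.sh; enforce 2007-12-10` to see the plan; with DRY_RUN=0 the tc commands are executed on the listed interfaces.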


Re: [LARTC] ADSL channel boding or Load balancing

2007-10-25 Thread the sew
>                 +-----------+      +---------+
>   +--------+    | ...245.18 +------+ ...77.1 |      +-------+
>   | ...0.x +----+ ...0.1    |      | COLO    +------+ 101.x |
>   +--------+    | ...245.19 +------+ ...78.1 |      +-------+
>                 +-----------+      +---------+
>
> (Slight clean up.)
>
>
> Where are you doing your NATing to the world?  Are you NATing on your
> PPtP tunnels or on the COLO system?

Currently I'm natting on 0.1 ( -o ppp+ -j MASQUERADE ). This was
setup by default as I did not want 0.x to be routed. I've however
taken off the natting, and added a route for 0.20/32 dev ppp62 nexthop
dev ppp32 (the 2 vpn interfaces) at COLO and obviously the same nexthop
routes at 0.1 for 101.x

Testing from 0.20, I scp a tar file over to 101.20, it still goes via
one line at a time; the route cache, which I disabled, just reroutes it
the whole time (about every 5 sec) via the different uplink, but not
the result we want

I use sysstat to check the speeds and tcpdump verified it's from 0.20
-> 101.20 ssh


>
> If you are doing your NATing on the COLO system and you add two routes
> to your internal network via the two PPtP tunnels, you should be able to
> equal cost multipath route across both PPtP tunnels to achieve increased
> bandwidth.  The key part is that both tunnels have to appear to the
> world as a single external IP.

I understand now very clearly the key part.

My problem must be the tunnel, I'm sure I'm messing up the equal cost
multipath routing. Am I using the right utility? Still iproute2,
right, or is iptables gonna play a big part here as well?



S


Re: [LARTC] ADSL channel boding or Load balancing

2007-10-24 Thread the sew
Hi Grant,

You were right, the usb modem method was just a way for me to see how
usb modems work in linux, you basically add new firmware and load the
driver and it sees your usb modem also as an ethernet device and you use
pppd with that :-)

I'm trying your option below to get increased upload, but no luck yet


from your ascii, mine looks similar

                +-----------+      +---------+
  +--------+    | ...245.18 +------+ ...77.1 |      +-------+
  | ...0.x +----+ ...0.1    |      | COLO    +------+ 101.x |
  +--------+    | ...245.19 +------+ ...78.1 |      +-------+
                +-----------+      +---------+


the background how I got this setup is that 245.18 and 19 have pppoe
into my ISP, then I made a pptp tunnel to COLO on 2 different ips and
got my new ips which is 245.18 Ptp 77.1 and 245.19 Ptp 78.1.

All this works fine, I've even added multiple routes to 101.x via dev
ppp0 nexthop dev ppp1, but this just load balances the links, not
increase uploads

Is it possible at all to route all upload via both links at the same
time, maybe disable the cached routes, let it just change routes the
whole time?

Thanks again for your help

Sew
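The multipath setup this thread converges on (both tunnels as nexthops at each end, NAT only at COLO as Grant describes), written out as an added example that is not from the thread; the LAN prefix, the tunnel and upstream interface names, the line rates and the DRY_RUN switch are placeholders and assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): equal-cost multipath over the two
# PPtP tunnels between router 0.1 and COLO, with NAT done once at COLO so
# the world sees one external address. Placeholders (assumptions): the LAN
# prefix behind 0.1, COLO's upstream interface, the tunnel names and the
# two lines' upload rates. DRY_RUN=1 (default) prints the commands.
DRY_RUN="${DRY_RUN:-1}"
LAN_PREFIX="${LAN_PREFIX:-192.0.2.0/24}"   # the "...0.x" network (placeholder)
COLO_UPLINK="${COLO_UPLINK:-eth0}"         # COLO's internet-facing interface (placeholder)

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Reduce two link rates (e.g. upload kbit/s) to the smallest integer weights
# with the same ratio, so the faster ADSL line is chosen proportionally more.
weight_pair() {
    a="$1" b="$2"
    while [ "$b" -ne 0 ]; do t=$((a % b)); a=$b; b=$t; done
    echo "$(( $1 / a )) $(( $2 / a ))"
}

# Router 0.1: one default route with both tunnels as nexthops. No MASQUERADE
# on ppp+ here (the thread removed it): COLO must see the real LAN source
# addresses or its return routes will not match.
home_side() {
    t1="$1" t2="$2" w1="$3" w2="$4"
    run ip route replace default nexthop dev "$t1" weight "$w1" nexthop dev "$t2" weight "$w2"
    run ip route flush cache   # cache kernels keep earlier per-destination choices
}

# COLO: the LAN prefix back over both tunnels, NAT only on the upstream.
colo_side() {
    t1="$1" t2="$2" w1="$3" w2="$4"
    run ip route replace "$LAN_PREFIX" nexthop dev "$t1" weight "$w1" nexthop dev "$t2" weight "$w2"
    run iptables -t nat -A POSTROUTING -s "$LAN_PREFIX" -o "$COLO_UPLINK" -j MASQUERADE
    run ip route flush cache
}

# Both ends, with weights derived from the lines' upload rates. On these
# kernels the path is picked per destination in the route cache, so one scp
# stays on one tunnel, as observed in the thread; many parallel flows spread.
plan() {
    set -- $(weight_pair 256 512)   # assumed upload rates of the two lines
    home_side ppp0 ppp1 "$1" "$2"
    colo_side ppp62 ppp32 "$1" "$2"
}
```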


Re: [LARTC] ADSL channel boding or Load balancing

2007-10-11 Thread the sew
Hi Grant,

Thanks for all the info, I like your SDSL option with the ospf,
exactly what I would like


Our situation is quite simple. Our ISP is Telkom, one main Provider
for our Country, they will not touch anything other than the standard
services they provide. No SDSL, only ADSL with standard pppoe. I
guess I'm a bit stuck there. I could do it to our co-location like you
suggest, but that will add more costs to line rental where lines here
are quite pricey. That would be a last resort for me

I've seen the bonding in action, but haven't seen the configs as they
kept it quite secret as it's a "new" thing. Looks like I'm gonna have
to try this route on my own. I could not find much info on this. I
will give it a try with 2 x USB modems and tell pppd to use
multilinking and see if I can attach the device as one. I'm sure
downloads will be the speed of a single dsl only, but upload should be
double. I think I might get a bit stuck as they might do the bonding
to a co-location like you said and just resell it, will give it a
bash anyway

Thanks again for your info

Sew




On 10/11/07, Grant Taylor <[EMAIL PROTECTED]> wrote:
> On 10/11/07 11:18, Grant Taylor wrote:
> > Another option you could look in to if you have access to a system
> > with high speed (read OC-1 or better) internet access somewhere is
> > tunnels. That is create an IP in IP or GRE tunnel from your external
> > IP to a co-located system and then load balance across the tunnels
> > and NAT at the co-located system.
>
> I would recommend that you not use an encrypting tunnel to reach the
> Co-Located box as you are dealing with traffic that is going to go
> across the internet at large any way, just let it go out.  However if
> you want to take this idea to connect multiple sites together, you
> obviously would want to consider encrypting VPNs.
>
>
>
> Grant. . . .


[LARTC] ADSL channel boding or Load balancing

2007-10-11 Thread the sew
Hi There,

We are currently using iproute2 for load balancing. However we need more
upload speed as we load balance over 3 dsl lines.

I've been looking for a way to combine the upload speed to make it
faster. Found a site called www.upstreaminter.net where these guys
bond the adsl channels to improve uploads. Since downloading is a
problem as it needs to know the ip address of the downloader, they use
VPN to their existing infrastructure to improve download speeds to a
single IP. I'm not interested in doing that though. Our company uses
a lot of mail to our smarthost and the upload is only 256k on the 4Mbit
Line

These guys are talking about using USB modems, some researching says your
ISP must support MLPPP,

Anyone with any experience bonding adsl modems with a standard
kernel and distro?

Most nix's come with RP-PPPOE, will this work?

Thanks

Sew


Re: [LARTC] Unnumbered GRE tunnel

2007-09-25 Thread the sew
Hi, I'm using a few ways to achieve an ip tunnel

option 1
ppp over ssh

option 2
ipip:
modprobe ipip
# point-to-point IPIP tunnel device towards the far end's public address
iptunnel add tundev mode ipip remote ${REMOTEIP}
# give the near end its inside address (this also brings the device up)
ifconfig tundev $IP

or you can use gre like your email above,

hope it helps

Sew





On 9/23/07, Pullus Cuetlachtli <[EMAIL PROTECTED]> wrote:
> Hi!
> Can I create the unnumbered GRE tunnel with iproute2 utility?
> Can someone provide me a link/howto/example_config how to do it?
> The topology is one tunnel between two linux boxes:
> -- eth1-|__|-eth0 <-> eth0-|__|-eth1 --
>
> I'm trying now with:
> ip tu add tun1 mode gre local loc.IP remote rem.IP ttl 255 dev eth0
> ip addr add tun1 0.0.0.0
> ip link set tun1 up
>
> but it doesn't succeed..
>  Thanks in advance for any help!
> --
> WBR Sagi Sh
>


Re: [LARTC] Fwd: How to block Yahoo , MSN messanger and Kazza with IPTABLES

2006-11-09 Thread the sew

iptables has some powerful rules you can use to block msn and yahoo and
p2p software

I would use a transparent proxy with squid and ipp2p (
http://www.ipp2p.org ) which is an extension module for iptables which
can block p2p which is very difficult to track

for example

iptables -A FORWARD -m ipp2p --ipp2p -j DROP

hope it helps

Sew


On 11/9/06, Indunil Jayasooriya <[EMAIL PROTECTED]> wrote:

Hi,

I want to block Yahoo Messenger, MSN Messenger and Kazza with IPTABLES as
my local network users always go there.

How Can I do it?

I am not running iptables as a script nor have I put anything in my rc.local.
But instead, I input the commands and save them by using the below command

/etc/init.d/iptables save

and I restart it

/etc/init.d/iptables restart


My box runs on Cent OS 4.4.

Help needed.

--
Thank you
Indunil Jayasooriya







Re: [LARTC] Two uplinks, two networks and policy routing help requested

2006-11-09 Thread the sew

I'm not much of an expert, but I would try some of the following

I would try src routing

ip rule add fwmark 1 table network1
ip route add default via 128.61.111.242 table network1
  (or via 128.61.111.241, depending on which one is the gateway)
iptables -t mangle -A PREROUTING -s 128.61.110.0/24 -j MARK --set-mark 1


ip rule add fwmark 2 table network2
ip route add default via 199.77.254.106 table network2
  (or via 199.77.254.105, depending on which one is the gateway)
iptables -t mangle -A PREROUTING -s 143.215.204.0/27 -j MARK --set-mark 2

these are just some samples, you can go a lot more in depth with src routing,
but I would try this first

you can also do dynamic routing with ospf and set your link costs if you
want to set priorities on links etc, otherwise go big with BGP routing

Like I said, I'm no expert, hope it helps

Sew




On 11/6/06, John Douglass <[EMAIL PROTECTED]> wrote:

I am hoping that someone with more experience and knowledge than I can
assist me in finding a solution ;)

We have a RedHat AS4 box with 5 interfaces. Two interfaces serve two
different networks and two interfaces connect to two different uplinks.
The fifth interface is our management interface.

Since a picture is worth a thousand words I attempted to come up with a
diagram:

 http://studpup74.googlepages.com/networkproblem

(I did not want to post this image to the list :)

If anyone with this experience has a few moments to assist us, I would
be very grateful. Let me know if you need additional information.

- John Douglass, Georgia Tech



[LARTC] src routing and fwmark

2006-11-01 Thread the sew
Hi,

I've got 2 lines from two different ISP's, one is a leased line and another a DSL line. I route certain ips over the DSL line for faster access and would like email to go over the leased line as it has a static ip and is our sending mailserver ip.

I would like to send mail to the same ips that is routed over DSL via the leased line, otherwise my server gets blacklisted with the DSL ip.

my routing table

164.148.0.0/14 dev ppp0  scope link
196.0.0.0/8 dev ppp0  scope link
default via 196.34.17.1 dev eth0  proto zebra equalize

If I send mail to a ip on 196.0.0.0/8 on port 25 it must go via 196.34.17.1

my other routing tables:

200 dmz
201 ppp

ip rule add fwmark 25 table dmz
ip route add default via 196.34.17.1 table dmz
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 25

I can see the packets get matched but still goes via ppp0, is there anyway to overcome this?

Thanks
Sew
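The fwmark tables from this post and from the two-uplink reply earlier on the page, written as one added example that is not from either post: DRY_RUN=1 prints the commands so the plan can be checked before anything is applied. The gateway addresses, networks, table name "dmz" and mark 25 come from the posts; the table numbers and interface names for the two-uplink case, the rule preferences and the sample destination in the checks are assumptions.

```shell
#!/bin/sh
# Added example, not from either post: fwmark-based policy routing done the
# way the two threads above sketch it, as a script that can be inspected
# before it is run. DRY_RUN=1 (default) prints each command instead of
# executing it. Values not taken from the posts are marked as assumptions.
DRY_RUN="${DRY_RUN:-1}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# "ip rule ... table dmz" needs a "200 dmz" line in rt_tables; numeric
# table ids work without it, names do not.
ensure_table() {
    num="$1" name="$2"
    if [ -r "$RT_TABLES" ] && grep -q "^$num[[:space:]][[:space:]]*$name\$" "$RT_TABLES"; then
        return 0
    fi
    if [ "$DRY_RUN" = "1" ]; then
        printf '# add "%s %s" to %s\n' "$num" "$name" "$RT_TABLES"
    else
        printf '%s\t%s\n' "$num" "$name" >> "$RT_TABLES"
    fi
}

# One table reached through a fwmark rule. The explicit preference keeps the
# rule ahead of the main-table lookup (pref 32766) and makes the order
# visible in "ip rule show" instead of depending on insertion order.
mark_table() {
    mark="$1" num="$2" name="$3" pref="$4" gw="$5" dev="$6"
    ensure_table "$num" "$name"
    run ip rule add pref "$pref" fwmark "$mark" table "$name"
    if [ -n "$dev" ]; then
        run ip route add default via "$gw" dev "$dev" table "$name"
    else
        run ip route add default via "$gw" table "$name"
    fi
}

# Marking happens in mangle: PREROUTING for traffic forwarded from a source
# network, OUTPUT for connections this host originates (such as its own SMTP).
mark_forwarded_from() { run iptables -t mangle -A PREROUTING -s "$1" -j MARK --set-mark "$2"; }
mark_local_dport()    { run iptables -t mangle -A OUTPUT -p tcp --dport "$1" -j MARK --set-mark "$2"; }

# Flows already in the routing cache (kernels of that era) keep their old
# path after rule or route changes, so flush it as the last step.
finish() { run ip route flush cache; }

# Case 1 (two-uplink reply): two source networks, two uplinks. That reply
# gives two candidate gateways per uplink; .242 and .106 are used here and
# must be confirmed. Table numbers 201/202 and prefs 100/101 are assumptions.
plan_two_networks() {
    mark_table 1 201 network1 100 128.61.111.242
    mark_forwarded_from 128.61.110.0/24 1
    mark_table 2 202 network2 101 199.77.254.106
    mark_forwarded_from 143.215.204.0/27 2
    finish
}

# Case 2 (this post): the host's own mail must leave via the leased line
# (196.34.17.1 on eth0) even for destinations the main table sends to ppp0.
plan_mail_via_leased_line() {
    mark_table 25 200 dmz 100 196.34.17.1 eth0
    mark_local_dport 25 25
    finish
}

# Checks once applied: rule order, counters on the MARK rule, and the path a
# marked packet to a sample 196/8 address would take ("mark" on "ip route get"
# needs a reasonably recent iproute2).
show_checks() {
    run ip rule show
    run iptables -t mangle -L OUTPUT -v -n
    run ip route get 196.0.0.1 mark 25
}
```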


[LARTC] sangoma cards in linux

2006-06-04 Thread the sew

Hi There,

we only have a /29 internet routable network from our ISP and a Cisco
1601 router with serial interface doing all the routing.

I was thinking of replacing that cisco with a linux box with a sangoma
card, also using quagga with ospf on for my internal networks

does anyone have experience with this?

thanks

Sew


[LARTC] Re: icmp latency question

2006-05-02 Thread the sew

Glad I could have been some entertainment, Thanks for clearing that
up. Sorry about the stupid question, at least I know now

Sew

On 4/30/06, Sebastian Bork <[EMAIL PROTECTED]> wrote:

the sew wrote:
> Our company's main line is quite busy the whole day and my shaping is
> working perfect, however even if I give icmp priority the pings still
> jump around quite a bit.
>
> We do have a backup line which hardly get used only if the main line
> drops. I've set ip rule to route all icmp through that and now the
> pings are perfect.
>
> Will this make a difference for the game players etc, with this low
> ping? or does the lag on the game get affected by the throughput?

Sorry, I don't want to offend you, but your mail has been the cause for
the first good laugh of the day.

To get good results for online gaming, the roundtrip time of the packets
to and from the game servers needs to be good, and it should be fairly
constant, without sudden increases in the "lag time". To test this RTT,
most people use ping, as ICMP echo requests/replies are the perfect tool
for measuring this.

What you did was not to improve the RTT of the packets in the data
stream to and from game servers, but to falsify the results of RTT tests
done with ICMP. Now your measurements look perfect, without any change
to the real lag your gamers will experience.

You should not take "you need a good ping for gaming" literally. Really,
games do *not* use ICMP to connect to the servers. ;o)

I begin to doubt the wisdom of including rules for ICMP prioritisation in
the many tc examples out there. Really, it does not make sense to send
out the packets used to test the average and best/worst case RTT of a
network as fast as the link allows at the cost of letting other traffic
wait, because then the result of a ping will have nothing to do with
what the sender of that ping wanted to know.

Just my € 0.02,
Sebi

--
Sebastian Bork <[EMAIL PROTECTED]> ("`-''-/").___..--''"`-._
`6_ 6  )   `-.  ( ).`-.__.`)
Untere Karlsstr. 16, 34117 Kassel   (_Y_.)'  ._   )  `._ `. ``-..-`
 Cellular phone: +49 163 6780023  _..`--'_..-_/  /--'_.' ,'
_(il),-''  (li),'  ((!.-'   **meow**





[LARTC] icmp latency question

2006-04-21 Thread the sew
Hi,

Our company's main line is quite busy the whole day and my shaping is
working perfectly, however even if I give icmp priority the pings still
jump around quite a bit.

We do have a backup line which hardly gets used, only if the main line
drops. I've set ip rule to route all icmp through that and now the
pings are perfect.

Will this make a difference for the game players etc, with this low
ping? or does the lag on the game get affected by the throughput?

Thanks

Sew


[LARTC] Re: pppoe question

2006-04-20 Thread the sew
ah thanks so much!!

Sew

On 4/20/06, Alessandro Ren <[EMAIL PROTECTED]> wrote:
>
> Yes, edit the script adsl-connect, probably in /sbin, and remove
> the route del command, or better, just comment it out.
> I had the same problem and that solved it.
>
> []s.
>
> the sew wrote:
> > Hi There,
> >
> > sorry if this is a stupid question or does not belong to this forum.
> >
> >  I've set my DEFROUTE=no in my ifcfg-ppp0 and when I bring the ppp0
> > up, it deletes my old default load balance routes which I do not want,
> > as I just want the interface to be up, but not touching my default
> > routes
> >
> > any advice
> >
> > Thanks
> >
> > SEW
>
> --
> __
> *Alessandro Ren*
>   /*OpServices*/
> /*Luciana de Abreu, 471 - Sala 403*/
> /*Porto Alegre, RS - CEP 90570-060*/
>
> *(*   phone 55(51)3061-3588
> *4*fax 55(51)3061-3588
>   *Q*   mobile 55(51)8151-8212
> *:*   email [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>
>
> __
>
>


[LARTC] pppoe question

2006-04-20 Thread the sew
Hi There,

sorry if this is a stupid question or does not belong to this forum.

 I've set my DEFROUTE=no in my ifcfg-ppp0 and when I bring the ppp0
up, it deletes my old default load balance routes which I do not want,
as I just want the interface to be up, but not touching my default
routes

any advice

Thanks

SEW


Re: [LARTC] Class C network 223.255.255.x

2006-04-13 Thread the sew
Nothing wrong with the official, my backbone is expanding quite a lot
and we are adding quite a lot of businesses with cables in building, and we
use pppoe and radius to assign ip addresses, just looking for a block of
addresses that most companies will never use.

Sew

On 4/12/06, Erik Slagter <[EMAIL PROTECTED]> wrote:
> On Wed, 2006-04-12 at 14:52 +0200, the sew wrote:
> > Most networks are using either 10.x.x.x or 172.x.x.x or 192.168.x.x ,
> > but was curious If I can use the range 223.255.255.x for my backbone
> > routing, this looks like a nice block to use as most ppl don't use
> > this, specially if you build quite a big intranet
> >
> > what about the whole 223.x.x.x block, will this be used on the
> > internet?
>
> These are valid routable ip addresses, so you'd better not use them for
> your own purposes.
>
> What is wrong with the official private ranges?


[LARTC] Class C network 223.255.255.x

2006-04-12 Thread the sew
Hi,

Most networks are using either 10.x.x.x or 172.x.x.x or 192.168.x.x, but I was curious if I can use the
range 223.255.255.x for my backbone routing, this looks like a nice
block to use as most ppl don't use this, specially if you build quite a
big intranet

what about the whole 223.x.x.x block, will this be used on the internet?

sorry if it's a stupid question

Thanks

Sew





Re: [LARTC] Routing packges by destination port

2006-02-09 Thread the sew
hi,

I have a similar setup, but I load balance my proxy,

2 ways I would try with iproute2 off the top of my head

1)
ip rule add from x.x.x.x table out1
ip route add default dev eth1 table out1

where x.x.x.x is the ip of your transparent proxy
2) I would do what you did with port 80 just the other way around:
have a default route of eth1 and have a "iptables -t mangle -A
PREROUTING -p tcp ! --dport 80 -j MARK etc" rule where you mark everything
except port 80 through eth0 ( check the NOT in the iptables command)

hope this helps

Sew




On 2/8/06, Nataniel Klug <[EMAIL PROTECTED]> wrote:

Hello all,

After many time reading a lot of stuff I am quite confident using LARTC to route my traffic. I am still working on QoS (by package type and so on) but it will stay in my studying class for a long time... ;)

So lets go to my question... I mounted a router that makes my connections through 2 external interfaces. Its working fine and my default gateway for the entire network behind it (NATed) is the link at interface eth0.

All traffic going to port 80 is marked as 0x1 and I route it to a table that makes its default route through link2 (eth3). My problem begins when I try to use transparent proxy (squid) with this rule:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

If I make this rule my routing tables begin to scramble all my traffic and make it go ALL through only 1 link (eth0). Is there any way to use transparent squid with multiple routing tables and marking packages?

PS.: What is this error "Icmp checksum is wrong"

Att,
Nataniel Klug


Re: [LARTC] failover routing

2006-02-07 Thread the sew
sounds good, do you run ripv2 with zebra or quagga? your idea sounds exactly what I have in mind. Mind explaining a bit more technical and sharing some useful bits in your config?

Thanks

Sew
On 2/7/06, comp.techs <[EMAIL PROTECTED]> wrote:


Hi, our network has a handful of 2k servers that use silent rip. We use 2 Linux gateways with separate ISPs.

Each gateway does a 'default-originate' to advertise its default route in ripv2 (with one having a different metric).

The main gateway has a ping script written in shell that will ping the gateway, determine if it's up or down; with either result it checks its history of the last 3 intervals, and will only stop rip or start rip if there were 3 consecutive ups or downs.

I have been running this for 2 years with no problems.

I hope this helps


[LARTC] classifying packets and ports

2006-02-05 Thread the sew
Hi,

I've been working for a big corporate company as junior system engineer and getting nicely to understand HTB/iproute2/iptables etc. The ordinary users (about 500 users) can pop / smtp / skype out on the network, but I can't ssh out, cause they blocked the ports. Thought of being clever, I let my home linux listen on port 443 or 110 for ssh connections, but it won't connect. I even tested it using telnet and it shows up ssh, but it won't connect with my ssh client, but normal pop and https work. How do they block my ssh connection on port 443, but normal https works?

Do they use TOS with iptables? Bit of a brain teaser for me

Thanks

Sew