Re: [LARTC] Router dropping packets? - SOLVED
John Philips wrote:
> Guys, I called my DSL provider and it turns out they limit the number of
> simultaneous "flows" you can have. I guess that means active TCP connections.

But you saw problems with ICMP, and as Corey said you may have QoS problems as well.

> Their limit is 1500 concurrent flows, and when the tech looked at it we had
> 1450 active.

Ewww that's horrible - I can eat 2k conntracks all by myself.

Andy.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Router dropping packets? - SOLVED
Guys, I called my DSL provider and it turns out they limit the number of simultaneous "flows" you can have. I guess that means active TCP connections. Their limit is 1500 concurrent flows, and when the tech looked at it we had 1450 active.

I presume all these flows are from P2P users, so I'm going to try using the connlimit iptables extension to prevent individual users from having more than 50 or so connections.

--- John Philips <[EMAIL PROTECTED]> wrote:

> Hey guys,
>
> I have several Linux routers in place at high-usage locations (student
> apartment complexes). I'm having trouble with some of the routers which
> use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and
> perform NAT.
>
> During peak usage periods, the routers are dropping a lot of packets.
> I'm led to believe this is because there are too many active connections.
>
> For example, when I ping the WAN IP address of one of the routers from a
> remote location, I may start getting replies immediately. But during peak
> periods, the first several pings usually time out and then they just start
> responding. Sometimes they start responding on the 4th ping, sometimes the
> 12th, etc., it's pretty random.
>
> I searched the web and tried increasing my gc_cache settings, but it
> didn't make a difference.
>
>   echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
>   echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
>   echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> The other notable difference is that the conntrack tables are much larger
> than normal.
>
> `wc -l /proc/net/ip_conntrack` returns >19000 on the routers experiencing
> packet loss while virtually all of the other routers (not having this
> issue) have less than 5000 entries in ip_conntrack. I tried increasing
> ip_conntrack_max in /proc, setting it to 65536 - didn't make a difference.
>
> Are there any other /proc settings I should change to improve performance?
> Any tips on analyzing the ip_conntrack data to find oddities?
>
> FYI I'm using kernel 2.4.25. I'd rather not upgrade to 2.6 since doing so
> in the past has introduced more problems!
>
> Thanks.
Re: [LARTC] Router dropping packets?
John Philips wrote:
> Hey guys,
>
> I have several Linux routers in place at high-usage locations (student
> apartment complexes). I'm having trouble with some of the routers which
> use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and
> perform NAT.
>
> During peak usage periods, the routers are dropping a lot of packets.
> I'm led to believe this is because there are too many active connections.

Besides what you wrote in the rest of your mail, do you have any other reason to believe this? Based on the information you've given, I would suspect you're just seeing the normal (albeit ugly) effects of saturating a DSL line.

Are your Linux routers doing any traffic shaping? When you're having these problems, what is the bandwidth going over the DSL? Don't forget to look at both upstream and downstream rates.

-Corey
Re: [LARTC] Router dropping packets?
Hi,

Do you block P2P traffic in your routers? You might use the ipp2p module. How much RAM do you have in your Linux routers? Make sure the MTU is configured lower than 1500 on your network cards, in many cases 1492.

On 3/5/07, John Philips <[EMAIL PROTECTED]> wrote:
> Hey guys,
>
> I have several Linux routers in place at high-usage locations (student
> apartment complexes). I'm having trouble with some of the routers which
> use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and
> perform NAT.
>
> During peak usage periods, the routers are dropping a lot of packets.
> I'm led to believe this is because there are too many active connections.
>
> For example, when I ping the WAN IP address of one of the routers from a
> remote location, I may start getting replies immediately. But during peak
> periods, the first several pings usually time out and then they just start
> responding. Sometimes they start responding on the 4th ping, sometimes the
> 12th, etc., it's pretty random.
>
> I searched the web and tried increasing my gc_cache settings, but it
> didn't make a difference.
>
>   echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
>   echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
>   echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> The other notable difference is that the conntrack tables are much larger
> than normal.
>
> `wc -l /proc/net/ip_conntrack` returns >19000 on the routers experiencing
> packet loss while virtually all of the other routers (not having this
> issue) have less than 5000 entries in ip_conntrack. I tried increasing
> ip_conntrack_max in /proc, setting it to 65536 - didn't make a difference.
>
> Are there any other /proc settings I should change to improve performance?
> Any tips on analyzing the ip_conntrack data to find oddities?
>
> FYI I'm using kernel 2.4.25. I'd rather not upgrade to 2.6 since doing so
> in the past has introduced more problems!
>
> Thanks.

--
"The network is the computer"
[LARTC] Router dropping packets?
Hey guys,

I have several Linux routers in place at high-usage locations (student apartment complexes). I'm having trouble with some of the routers which use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and perform NAT.

During peak usage periods, the routers are dropping a lot of packets. I'm led to believe this is because there are too many active connections.

For example, when I ping the WAN IP address of one of the routers from a remote location, I may start getting replies immediately. But during peak periods, the first several pings usually time out and then they just start responding. Sometimes they start responding on the 4th ping, sometimes the 12th, etc., it's pretty random.

I searched the web and tried increasing my gc_cache settings, but it didn't make a difference.

  echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
  echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
  echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

The other notable difference is that the conntrack tables are much larger than normal.

`wc -l /proc/net/ip_conntrack` returns >19000 on the routers experiencing packet loss while virtually all of the other routers (not having this issue) have less than 5000 entries in ip_conntrack. I tried increasing ip_conntrack_max in /proc, setting it to 65536 - didn't make a difference.

Are there any other /proc settings I should change to improve performance? Any tips on analyzing the ip_conntrack data to find oddities?

FYI I'm using kernel 2.4.25. I'd rather not upgrade to 2.6 since doing so in the past has introduced more problems!

Thanks.
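An added example, not part of the thread, for the question about analysing the ip_conntrack data: a POSIX shell/awk helper that counts flows per original-direction source (on an outbound-NAT router that is the LAN client, so the hosts a per-user connlimit would hit stand out), tallies TCP states, and compares the total against an upstream flow cap. The sample lines and addresses are constructed, not real router data.

```shell
#!/bin/sh
# Added example (not from the LARTC thread). In a 2.4-style ip_conntrack line
# the first "src=" is the original direction of the flow, i.e. the internal
# client behind the NAT, so counting by it shows who owns the table.
# Real use: conntrack_top 50 < /proc/net/ip_conntrack

# Constructed sample in the 2.4 ip_conntrack format (not real data).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=203.0.113.10 sport=40001 dport=80 src=203.0.113.10 dst=198.51.100.2 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=203.0.113.11 sport=40002 dport=443 src=203.0.113.11 dst=198.51.100.2 sport=443 dport=40002 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=10.1.1.5 dst=203.0.113.12 sport=40003 dport=6881 src=203.0.113.12 dst=198.51.100.2 sport=6881 dport=40003 [ASSURED] use=1
tcp      6 110 SYN_SENT src=10.1.1.5 dst=203.0.113.13 sport=40004 dport=6881 src=203.0.113.13 dst=198.51.100.2 sport=6881 dport=40004 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.7 dst=203.0.113.20 sport=50001 dport=80 src=203.0.113.20 dst=198.51.100.2 sport=80 dport=50001 [ASSURED] use=1
udp      17 29 src=10.1.1.7 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=5353 use=1
udp      17 29 src=10.1.1.9 dst=203.0.113.53 sport=5354 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=5354 use=1'

# conntrack_top MIN: print "count host" for every original-direction source
# holding at least MIN flows, busiest first. Reads the table on stdin.
conntrack_top() {
    awk -v min="$1" '
        {
            # only the first src= on the line is the original direction
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); flows[$i]++; break }
        }
        END { for (h in flows) if (flows[h] >= min) printf "%d %s\n", flows[h], h }
    ' | sort -rn
}

# conntrack_states: flows per TCP state (non-TCP counted by protocol name),
# busiest first. Many SYN_SENT or TIME_WAIT entries relative to ESTABLISHED
# means the table is filled by short-lived churn rather than real sessions.
conntrack_states() {
    awk '{ key = ($1 == "tcp") ? $4 : $1; count[key]++ }
         END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# conntrack_usage LIMIT: total flows against an upstream cap, such as the
# provider's concurrent-flow limit mentioned in the thread.
conntrack_usage() {
    awk -v limit="$1" 'END { printf "%d flows, %d%% of %d\n", NR, NR * 100 / limit, limit }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_top 3
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_states
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_usage 1500
```

On a live 2.4 router, pipe `/proc/net/ip_conntrack` into each function instead of the sample; a single LAN host near the top of `conntrack_top` is the one a connlimit rule would cap first.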
[LARTC] Router stops forwarding packets when MAC Address changes
Here's one that makes me scratch my head. I have a layout like this:

    172.16.0.0/16                                   1.2.3.48/28
    internal hosts                      (fictional public IP range)
          |                                             |
    Internal Host ---- eth1 [ Firewall ] eth0 ---- Outside Router ---> to the Internet
    172.16.16.99      172.16.16.3      1.2.3.50       1.2.3.49

I want to use my own MAC addresses on all the firewall NICs. This way, I should be able to swap firewall systems without disturbing the ARP caches on the outside router or internal hosts. I do it like this:

  ifdown eth1
  ifconfig eth1 hw ether 17:20:16:01:60:03
  ifup eth1

Similarly for eth0.

From my internal host, ping 1.2.3.49. This works before switching MAC addresses and fails after doing it. The internal host can ping the firewall at 172.16.16.3. The firewall can ping 1.2.3.49. But that firewall will not forward anything after giving its NICs my made-up MAC addresses. When I put the MAC addresses back to their "real" values, the firewall forwards again.

From the internal host, arp -a shows what it is supposed to show.

The firewall is running 2.4.27 from kernel.org. I am using 3Com 3C905B NICs. /proc/sys/net/ipv4/ip_forward is 1.

What am I missing? Why does changing MAC addresses mess up forwarding?

Thanks

- Greg Scott
[LARTC] router problem
Hi all,

I have a big problem. I am a newbie and my English is bad, but I know you can help solve my problem.

I have a box with Gentoo. I live in Latvia and I have 2 ISPs: one ISP gives me the IP range 62.85.71.1-62.85.71.15 (62.85.71.1 is the gateway) but there is only Latvian traffic - no other countries (the link is 2 Mbit asynchronous DSL), and the other ISP gives me one IP from DHCP and there are no traffic limitations (the link is 512 kbit asynchronous DSL). I have a local net connected to this Linux box which has the IP range 10.10.10.11-10.10.10.19; the gateway is 10.10.10.1 on my Linux box. On this Linux box are running mail, DNS, web and a Counter-Strike server. On the local net there are more P2P programs, downloaders, etc. When people from "outside" play on my server they have extreme lag caused by link overloading and large packet loss. But my priority is CS traffic. I need to prioritize this traffic (I know CS has many little packets), but I need to prioritize my CS server. And I need your help. I tried wondershaper but without results.

With this script I start my box now (is this correct?):
INET_IFACE=eth0
INET_NET=62.85.71.0/28
INET_GW=62.85.71.1
INET_IP=62.85.71.10
INET_BCAST_ADRESS=62.85.71.15
INET_MASK=255.255.255.240
DSL_IFACE=eth2
DSL_NET=81.198.4.0/28
DSL_GW=81.198.4.1
DSL_IP=81.198.7.159
DSL_BCAST_ADRESS=81.198.7.255
DSL_MASK=255.255.252.0
LAN_IFACE=eth1
LAN_IP=10.10.10.0
LAN_NET=10.10.10.0/24
LAN_MASK=255.255.255.0
LAN_BCAST=10.10.10.255
INET_IP1=62.85.71.2
INET_IP2=62.85.71.3
INET_IP3=62.85.71.4
INET_IP4=62.85.71.5
INET_IP5=62.85.71.6
INET_IP6=62.85.71.7
INET_IP7=62.85.71.8
INET_IP8=62.85.71.9
INET_IP9=62.85.71.11
LAN_IP1=10.10.10.11/32
LAN_IP2=10.10.10.12/32
LAN_IP3=10.10.10.13/32
LAN_IP4=10.10.10.14/32
LAN_IP5=10.10.10.15/32
LAN_IP6=10.10.10.16/32
LAN_IP7=10.10.10.17/32
LAN_IP8=10.10.10.18/32
LAN_IP9=10.10.10.19/32
IP=ip
IPT=iptables
IR=route
IFC=ifconfig

echo "1" > /proc/sys/net/ipv4/ip_forward

# one alias per public address on the Latvian-only link
$IFC eth0:1 $INET_IP1 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:2 $INET_IP2 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:3 $INET_IP3 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:4 $INET_IP4 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:5 $INET_IP5 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:6 $INET_IP6 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:7 $INET_IP7 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:8 $INET_IP8 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:9 $INET_IP9 broadcast $INET_BCAST_ADRESS netmask $INET_MASK

ip route flush table main
ip route flush table 1
ip route flush table 2

# main table: default via the unrestricted DSL link
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1
ip route add 81.198.4.0/28 dev eth2 src 81.198.7.159
ip route add 127.0.0.0/8 dev lo
ip route add default via 81.198.4.1

# table 1: default via the Latvian-only link
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10 table 1
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1 table 1
ip route add 81.198.4.0/23 dev eth2 src 81.198.7.159 table 1
ip route add 127.0.0.0/8 dev lo table 1
ip route add default via 62.85.71.1 table 1

# table 2: default via the DSL link
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10 table 2
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1 table 2
ip route add 81.198.4.0/28 dev eth2 src 81.198.7.159 table 2
ip route add 127.0.0.0/8 dev lo table 2
ip route add default via 81.198.4.1 table 2

# source-based policy routing: each public address leaves by its own link
ip rule add from 62.85.71.2 table 1
ip rule add from 62.85.71.3 table 1
ip rule add from 62.85.71.4 table 1
ip rule add from 62.85.71.5 table 1
ip rule add from 62.85.71.6 table 1
ip rule add from 62.85.71.7 table 1
ip rule add from 62.85.71.8 table 1
ip rule add from 62.85.71.9 table 1
ip rule add from 62.85.71.10 table 1
ip rule add from 62.85.71.11 table 1
ip rule add from 81.198.7.159 table 2

$IPT -t mangle -F
$IPT -A OUTPUT -t mangle -p udp --sport 27015 -j TOS --set-tos Maximize-Throughput
$IPT -A OUTPUT -t mangle -p udp --dport 27015 -j TOS --set-tos Maximize-Throughput

$IPT -t nat -F
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP1 -j SNAT --to $INET_IP1
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP2 -j SNAT --to $INET_IP2
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP3 -j SNAT --to $INET_IP3
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP4 -j SNAT --to $INET_IP4
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP5 -j SNAT --to $INET_IP5
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP6 -j SNAT --to $INET_IP6
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP7 -j SNAT --to $INET_IP7
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP8 -j SNAT --to $INET_IP8
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP9 -j SNAT --to $INET_IP9
$IPT -t nat -A POSTROUTING -o $DSL_IFACE -j SNAT --to $DSL_IP

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

$IPT -A FORWARD -i eth1 -s ! $LAN_NET -j DROP

for LIST in `cat /etc/init.d/Scripts/data/lv_iplist`; do
    ip route add to $LIST via 62.85.71.1
done

/etc/init.d/Scripts/data/lv_iplist contains the subnets of my country (example 81.19
Re: [LARTC] Router serving several inet ips
Hi Carlos,

> The iptables after '#' is what i tried.. but it did not work, it gave me this message:
>
> debian:/etc/init.d# sh nat.sh
> Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
> Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
> iptables v1.2.7a: multiple -j flags not allowed
>
> #iptables -t nat -A POSTROUTING -o eth1:0
> #iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
> #iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE

You need to fix those 3 lines just like the error messages say. Iptables uses the real interface (eth1), not the aliased one, and you can't combine two -j flags, ACCEPT and MASQUERADE. I assume the -j MASQUERADE option is a mistake and should belong elsewhere.

--
Damion de Soto - Software Engineer
email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company    ph: +61 7 3435 2809
Custom Embedded Solutions          fax: +61 7 3891 3630
and Security Appliances            web: http://www.snapgear.com
--- Free Embedded Linux Distro at http://www.snapgear.org ---

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
[LARTC] Router serving several inet ips
Hi all,

I have a router with Debian 3.0, kernel 2.4.20, working with HTB quite well, limiting bandwidth and doing port and IP prioritizations. Now I want to serve more than 1 Internet IP; later I will do prioritizations on each IP.. but.. I can't manage the first thing yet.

The idea is that it works as a "DHCP server", assigning the IPs.. but the traffic must go through the Linux box (so I can prioritize and limit bandwidth).

I have set up the second Internet IP with ipalias on eth1:0, and it is active, I get ping from the Internet.. no problem.. but it does not work fine when I try to assign it to a private IP. The idea is assigning 192.168.0.3 to eth1:0 (no NATting, .. just the entire IP).

The iptables after '#' is what I tried.. but it did not work, it gave me this message:

debian:/etc/init.d# sh nat.sh
Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
iptables v1.2.7a: multiple -j flags not allowed

Thanks in advance,
Carlos

The script, below..

#!/bin/sh
echo "AthoS LaN Generando iptables..." > /dev/tty12
# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F
# eth1 will be the Internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# eth0 the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT
#iptables -t nat -F PREROUTING
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -F POSTROUTING
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -t nat -A POSTROUTING -o eth1:0
#iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
#iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# packet routing rules...
# 1. redirect port 21 requests to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.2:21
Re: [LARTC] Router for giving more than 1 ip
: Hi i have a debian box working as a router.. it works quite well, now i
: want to give more than 1 ip.. is it possible to do it?

You want to host more than one IP on your box? Easily done.

  # ip addr add $SECONDARY_OUTSIDE_IP/32 dev eth1

: some of them must be an open ip.. i mean.. all ports opened is it
: possible? how should i do it?

Sure, it's possible*. Note, though, that in this command, you have not specified a destination address on these DNAT commands, so you'll need to change them.

: iptables -t nat -A PREROUTING \
:   -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:25

This should be something more like this:

  iptables -t nat -A PREROUTING -j DNAT --to 192.168.0.16:25 \
    -i eth1 -p tcp --dport 110 -s 0/0 -d $PRIMARY_OUTSIDE_IP

: iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

If you wish to have more control over the source address of these packets, you can use "-j SNAT --to $PRIMARY_OUTSIDE_IP".

[ many DNAT commands snipped ]

* in order to open all ports to a given internal IP, try the following:

  iptables -t nat -A PREROUTING -j DNAT --to $GAPING_SECURITY_HOLE \
    -i eth1 -s 0/0 -d $SECONDARY_OUTSIDE_IP

That should do it! Be forewarned that application layer protocols which embed network layer information in their messages will be confused; consider the usual NAT problems with FTP.

Best of luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
[LARTC] Router for giving more than 1 ip
Hi,

I have a Debian box working as a router.. it works quite well, now I want to give more than 1 IP.. is it possible to do it? Some of them must be an open IP.. I mean.. all ports opened, is it possible? How should I do it?

Here is my nat.sh script just in case someone wants it.. (comments are in Spanish.. and not right)

Thanks in advance,

#!/bin/sh
echo "AthoS LaN Generando iptables..." > /dev/tty12
# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F
# eth1 will be the Internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# eth0 the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# packet routing rules...
# 1. redirect port 21 requests to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.16:21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 993 -j DNAT --to 192.168.0.16:993
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 995 -j DNAT --to 192.168.0.16:995
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1 -j DNAT --to 192.168.0.16:1
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.16:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport -j DNAT --to 192.168.0.13:
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5556 -j DNAT --to 192.168.0.13:5556
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.0.16:25
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3306 -j DNAT --to 192.168.0.16:3306
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 143 -j DNAT --to 192.168.0.16:143
# 2. redirect the DCCs to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4502:4510 -j DNAT --to 192.168.0.13:4502-4510
# 3. ports for MSN (for sending)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6891:6899 -j DNAT --to 192.168.0.13:6891-6899
# 4. ports for eMule
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5800 -j DNAT --to 192.168.0.165:5800
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1433 -j DNAT --to 192.168.0.165:1433
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4500 -j DNAT --to 192.168.0.13:4500
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5900 -j DNAT --to 192.168.0.165:5900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6900 -j DNAT --to 192.168.0.166:6900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2593 -j DNAT --to 192.168.0.165:2593
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4501 -j DNAT --to 192.168.0.166:4501
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4000 -j DNAT --to 192.168.0.166:4000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7000 -j DNAT --to 192.168.0.166:7000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6901 -j DNAT --to 192.168.0.113:6901
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4661 -j DNAT --to 192.168.0.13:4661
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4662 -j DNAT --to 192.168.0.13:4662
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6699 -j DNAT --to 192.168.0.13:6699
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7751 -j DNAT --to 192.168.0.13:7751
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 6257 -j DNAT --to 192.168.0.13:6257
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4668 -j DNAT --to 192.168.0.62:4668
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7373 -j DNAT --to 192.168.0.8:7373
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7372 -j DNAT --to 192.168.0.8:7372
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -j DNAT --to 192.168.0.8:20
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7373 -j DNAT --to 192.168.0.8:7373
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4666 -j DNAT --to 192.168.0.8:4666
i
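An added example, not from the thread and not part of Carlos's nat.sh: a shell/awk lint that reads an iptables rule script and reports the three mistakes raised in these replies, an aliased interface name in -i/-o, more than one -j target on one rule, and a PREROUTING DNAT rule with no -d match, which on a box holding several public addresses captures traffic sent to all of them. The sample rules and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): lint an iptables rule script
# for the mistakes seen in this thread. Real use: lint_iptables_rules < nat.sh

# Constructed sample rules (hypothetical addresses); lines 1-3 are faulty,
# line 4 is the corrected DNAT form, line 5 is commented out and ignored.
SAMPLE_RULES='iptables -t nat -A POSTROUTING -o eth1:0 -j MASQUERADE
iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.16:21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -d 198.51.100.10 -j DNAT --to 192.168.0.16:21
# iptables -A FORWARD -i eth1:0 -j ACCEPT'

# lint_iptables_rules: read a script on stdin, print "LINE: problem" for each
# finding. Only lines that start with "iptables" are examined, so commented
# out rules are skipped the same way the shell skips them.
lint_iptables_rules() {
    awk '
        /^[[:space:]]*iptables/ {
            targets = 0; has_dst = 0; alias_if = 0; is_dnat = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") { targets++; if ($(i + 1) == "DNAT") is_dnat = 1 }
                if ($i == "-d" || $i == "--destination") has_dst = 1
                if (($i == "-i" || $i == "-o" || $i == "--in-interface" || $i == "--out-interface") \
                    && $(i + 1) ~ /:/) alias_if = 1
            }
            if (alias_if) print NR ": alias interface name; netfilter only sees the real device, use the base name"
            if (targets > 1) print NR ": more than one -j; a rule carries exactly one target"
            if (is_dnat && !has_dst) print NR ": DNAT without -d; with several public addresses this matches traffic to all of them"
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | lint_iptables_rules
```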
[LARTC] Router for the two different networks
Hi folks,

I have the Linux (Slackware 8.1) router and I use it to replace a hardware router (for example Cisco). This router is for only external IP addresses: I got 6 IPs from my ISP and of course to use them I made a router on a Linux box. My scheme is:

    Internet connection from radio modem
                    |
                   eth0
              | Linux box |
                   eth1
                    |
                | switch |
                |       |
             | FW1 | | FW2 |
                |       |
              Local network

All network connections use external IPs except the local network. Everything works just fine.

So my question is: can I put two extra network cards in my Linux box and use the same PC as the router for the second Internet connection? Or do I have to use a second Linux box for it? eth0 and eth1 routing between the first ISP's IPs and eth2 and eth3 routing between the second ISP's IPs?

Thank you in advance

Remus
Re: [LARTC] Router
On Friday 22 November 2002 10:33 am, Stef Coene wrote:
> On Friday 22 November 2002 16:08, Rimas wrote:
> > Hi guys,
> >
> > I'm asking the same question again (it's very urgent for me).
> >
> > How to build a router on a Linux box?
> >
> > I have a Linux box (Redhat 7.3) with two network cards.
> > eth0 is the connection to my wireless ISP and eth1 to my FWs.
> > I want to route eth0<-->eth1. Both NICs have real Internet IPs as well,
> > like the FWs.
> > I need no NAT (no need to hide my real IP, because it has to be seen from
> > the Internet).
> > Do I have to use ip route or iptables or a combination of them?
>
> If the box is up and running with 2 NICs configured, try this:
>
>   echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Stef

Just to enable routing (without any firewall stuff) the above command would be sufficient. To make it permanent, add the following to /etc/sysctl.conf:

  # Enables packet forwarding
  net.ipv4.ip_forward = 1

You could also add the following to enable route verification:

  # Enables source route verification
  net.ipv4.conf.default.rp_filter = 1

Thanks,
Ashok
Re: [LARTC] Router
On Friday 22 November 2002 16:08, Rimas wrote:
> Hi guys,
>
> I'm asking the same question again (it's very urgent for me).
>
> How to build a router on a Linux box?
>
> I have a Linux box (Redhat 7.3) with two network cards.
> eth0 is the connection to my wireless ISP and eth1 to my FWs.
> I want to route eth0<-->eth1. Both NICs have real Internet IPs as well,
> like the FWs.
> I need no NAT (no need to hide my real IP, because it has to be seen from
> the Internet).
> Do I have to use ip route or iptables or a combination of them?

If the box is up and running with 2 NICs configured, try this:

  echo 1 > /proc/sys/net/ipv4/ip_forward

Stef

--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] Router
> How to build a router on Linux box?

This is a bit like asking 'How do I build a nuclear reactor, I need to have it done by Monday' :)

You will need to sit down and do quite a bit of reading. There are howto documents, there are books on the subject, there are mailing lists like this. You'll need to spend time with all three types of information source.

The book "Linux Firewalls", despite the title, is a good source of information on routing with Linux. The book "Linux Routing" is also good.
[LARTC] Router
Hi guys,

I'm asking the same question again (it's very urgent for me).

How to build a router on a Linux box?

I have a Linux box (Redhat 7.3) with two network cards. eth0 is the connection to my wireless ISP and eth1 to my FWs. I want to route eth0<-->eth1. Both NICs have real Internet IPs as well, like the FWs. I need no NAT (no need to hide my real IP, because it has to be seen from the Internet). Do I have to use ip route or iptables or a combination of them?

Thank you

Rimas
[LARTC] router redundancy with vrrpd
Hi all,

maybe someone of you guys can help me with my problem.

I have 2 Zebra 0.93a routers with SuSE Linux 8.0. Each router has working BGP sessions to some uplink providers. Each one has an interface dedicated to my internal network. The idea is that the other router starts up all 50 gateway IP addresses needed on its internal interface. I'm dealing with a lot of /24 networks, each one has x.x.x.1 as gateway. To make this easier I changed the netmask from /32 to /24 in the vrrpd source code and recompiled. No problem until now.

But, when the gateway addresses are up, I cannot reach my servers. I did a simple ping, and got no response at all. I tried arping, and I got an immediate response. After that ping also worked. But only for some minutes, and the servers got lost again.

After that I shut down vrrpd and added my gateway addresses manually to the interface:

  ip addr add x.x.x.1 brd + dev $INT

And I got the same problem there. Then I tried using aliases, but again the same problem. If I do a simple

  ifconfig $INT x.x.x.1 netmask 255.255.255.0 broadcast x.x.x.255

then I won't have the problem at all.

I don't think the problem is directly related to vrrpd, but I cannot figure out what's going wrong here.

Some additional info:
I'm using arpd instead of kernel space ARP.
I have approx. 1000 servers connected via multiple switches behind my internal NIC.
I need to bring up approx. 50 secondary IP addresses.

Perhaps there are too many servers connected via one NIC, but why does it work with ifconfig and not with ip addr add?

Thanks in advance

Sascha