Re: [LARTC] Router dropping packets? - SOLVED

2007-03-30 Thread Andy Furniss

John Philips wrote:

> Guys,
>
> I called my DSL provider and it turns out they limit
> the number of simultaneous "flows" you can have.  I
> guess that means active TCP connections.


But you saw problems with ICMP, and as Corey said you may have QoS
problems as well.


> Their limit
> is 1500 concurrent flows, and when the tech looked at
> it we had 1450 active.


Ewww that's horrible - I can eat 2k conntracks all by myself.

Andy.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] Router dropping packets? - SOLVED

2007-03-07 Thread John Philips
Guys,

I called my DSL provider and it turns out they limit
the number of simultaneous "flows" you can have.  I
guess that means active TCP connections.  Their limit
is 1500 concurrent flows, and when the tech looked at
it we had 1450 active.

I presume all these flows are from P2P users, so I'm
going to try using the connlimit iptables extension to
prevent individual users from having more than 50 or
so connections.

--- John Philips <[EMAIL PROTECTED]> wrote:

> Hey guys,
> 
> I have several Linux routers in place at high-usage
> locations (student apartment complexes).  I'm having
> trouble with some of the routers which use 6Mbit DSL
> lines as their Internet feed.  The routers use PPPoE
> and perform NAT.
> 
> During peak usage periods, the routers are dropping
> a lot of packets.  I'm led to believe this is because
> there are too many active connections.
> 
> For example, when I ping the WAN IP address of one of
> the routers from a remote location, I may start
> getting replies immediately.  But during peak periods,
> the first several pings usually time out and then they
> just start responding.  Sometimes they start
> responding on the 4th ping, sometimes the 12th, etc.,
> it's pretty random.
> 
> I searched the web and tried increasing my gc_cache
> settings, but it didn't make a difference.
> 
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
> 
> The other notable difference is that the conntrack
> tables are much larger than normal.
> 
> `wc -l /proc/net/ip_conntrack` returns >19000 on the
> routers experiencing packet loss while virtually all
> of the other routers (not having this issue) have less
> than 5000 entries in ip_conntrack.  I tried increasing
> ip_conntrack_max in /proc, setting it to 65536 -
> didn't make a difference.
> 
> Are there any other /proc settings I should change to
> improve performance?  Any tips on analyzing the
> ip_conntrack data to find oddities?
> 
> FYI I'm using kernel 2.4.25.  I'd rather not upgrade
> to 2.6 since doing so in the past has introduced more
> problems!
> 
> Thanks.




 

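
John asks above for tips on analysing the ip_conntrack data, and then settles on a 50-connection-per-user connlimit against a provider cap of 1500 flows. The script below is an added example, not code from this list: it tokenises a 2.4-style /proc/net/ip_conntrack dump, counts flows per LAN host (the src= of the original tuple, i.e. the address before NAT), and flags hosts over the per-host limit together with the number of [UNREPLIED] entries each has, since piles of unanswered flows are the usual P2P or scanning signature. The LAN prefix 10.1.1.0/24, the sample lines and the addresses in them are constructed for the example.

```python
"""Summarise a /proc/net/ip_conntrack dump per LAN host.

Added example for this thread, not code from the list.  It assumes the
2.4-era ip_conntrack text layout (proto, number, timeout, optional TCP
state, then the original tuple src=/dst=/sport=/dport=, an optional
[UNREPLIED], then the reply tuple) and that the original tuple's src=
is the LAN host behind the NAT.  Lines from /proc/net/nf_conntrack on
2.6+ kernels carry two extra leading fields (l3proto name and number),
which the tokenizer strips.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample (not a real capture): one P2P-heavy host, one
# ordinary web client, one host talking to the local resolver.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.1.1.20 dst=198.51.100.7 sport=33001 dport=6881 src=198.51.100.7 dst=203.0.113.10 sport=6881 dport=33001 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.1.1.20 dst=198.51.100.8 sport=33002 dport=6881 [UNREPLIED] src=198.51.100.8 dst=203.0.113.10 sport=6881 dport=33002 use=1
udp      17 29 src=10.1.1.20 dst=198.51.100.9 sport=6881 dport=6881 [UNREPLIED] src=198.51.100.9 dst=203.0.113.10 sport=6881 dport=6881 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.21 dst=198.51.100.30 sport=40001 dport=80 src=198.51.100.30 dst=203.0.113.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.1.1.21 dst=198.51.100.31 sport=40002 dport=443 src=198.51.100.31 dst=203.0.113.10 sport=443 dport=40002 [ASSURED] use=1
udp      17 170 src=10.1.1.22 dst=10.1.1.1 sport=5353 dport=53 src=10.1.1.1 dst=10.1.1.22 sport=53 dport=5353 [ASSURED] use=1
"""

# Limits from the thread: the DSL provider's 1500 concurrent flows and the
# 50-per-user ceiling John intends to enforce with connlimit.
ISP_FLOW_LIMIT = 1500
PER_HOST_LIMIT = 50


def parse_entry(line):
    """Return the original-direction tuple of one conntrack line, or None."""
    tok = line.split()
    if tok[:1] in (["ipv4"], ["ipv6"]):   # nf_conntrack layout: drop l3proto fields
        tok = tok[2:]
    if len(tok) < 4:
        return None
    state = tok[3] if "=" not in tok[3] and not tok[3].startswith("[") else ""
    fields = {}
    for t in tok:
        if "=" in t:
            k, v = t.split("=", 1)
            fields.setdefault(k, v)          # keep the first (original) tuple only
    if "src" not in fields or "dst" not in fields:
        return None
    return {
        "proto": tok[0],
        "state": state,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields.get("dport", 0)),
        "unreplied": "[UNREPLIED]" in tok,
    }


def summarise(text, lan=ip_network("10.1.1.0/24"),
              per_host_limit=PER_HOST_LIMIT, isp_limit=ISP_FLOW_LIMIT):
    """Count flows per LAN host and flag the ones over the per-host limit."""
    per_host, unreplied, total = Counter(), Counter(), 0
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        total += 1
        if ip_address(entry["src"]) in lan:
            per_host[entry["src"]] += 1
            if entry["unreplied"]:          # unanswered flows: P2P and scans look like this
                unreplied[entry["src"]] += 1
    return {
        "total": total,
        "headroom": isp_limit - total,       # distance from the provider's flow cap
        "per_host": dict(per_host),
        "unreplied": dict(unreplied),
        "over_limit": {h: n for h, n in per_host.items() if n > per_host_limit},
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = summarise(text)
    print(f"{report['total']} flows, {report['headroom']} below the ISP cap")
    for host, n in sorted(report["per_host"].items(), key=lambda kv: -kv[1]):
        flag = " OVER LIMIT" if host in report["over_limit"] else ""
        print(f"{host:15} {n:5} flows, {report['unreplied'].get(host, 0)} unreplied{flag}")
```

Run it as `python3 conntrack_top.py /proc/net/ip_conntrack` on the router; without an argument it summarises the built-in sample. Sorting by flow count gives the list of hosts a connlimit rule would start hitting first.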


Re: [LARTC] Router dropping packets?

2007-03-05 Thread Corey Hickey
John Philips wrote:
> Hey guys,
> 
> I have several Linux routers in place at high-usage
> locations (student apartment complexes).  I'm having
> trouble with some of the routers which use 6Mbit DSL
> lines as their Internet feed.  The routers use PPPoE
> and perform NAT.
> 
> During peak usage periods, the routers are dropping
> a lot of packets.  I'm led to believe this is because
> there are too many active connections.

Besides what you wrote in the rest of your mail, do you have any other
reason to believe this? Based on the information you've given, I would
suspect you're just seeing the normal (albeit ugly) effects of
saturating a DSL line.

Are your Linux routers doing any traffic shaping? When you're having
these problems, what is the bandwidth going over the DSL? Don't forget
to look at both upstream and downstream rates.

-Corey


Re: [LARTC] Router dropping packets?

2007-03-05 Thread Jorge Evangelista

Hi

Do you block P2P traffic in your routers? You might use the ipp2p module.
How much RAM do you have in your Linux routers? Make sure the MTU on your
network cards is configured lower than 1500, in many cases 1492.

On 3/5/07, John Philips <[EMAIL PROTECTED]> wrote:

> Hey guys,
>
> I have several Linux routers in place at high-usage
> locations (student apartment complexes).  I'm having
> trouble with some of the routers which use 6Mbit DSL
> lines as their Internet feed.  The routers use PPPoE
> and perform NAT.
>
> During peak usage periods, the routers are dropping
> a lot of packets.  I'm led to believe this is because
> there are too many active connections.
>
> For example, when I ping the WAN IP address of one of
> the routers from a remote location, I may start
> getting replies immediately.  But during peak periods,
> the first several pings usually time out and then they
> just start responding.  Sometimes they start
> responding on the 4th ping, sometimes the 12th, etc.,
> it's pretty random.
>
> I searched the web and tried increasing my gc_cache
> settings, but it didn't make a difference.
>
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> The other notable difference is that the conntrack
> tables are much larger than normal.
>
> `wc -l /proc/net/ip_conntrack` returns >19000 on the
> routers experiencing packet loss while virtually all
> of the other routers (not having this issue) have less
> than 5000 entries in ip_conntrack.  I tried increasing
> ip_conntrack_max in /proc, setting it to 65536 -
> didn't make a difference.
>
> Are there any other /proc settings I should change to
> improve performance?  Any tips on analyzing the
> ip_conntrack data to find oddities?
>
> FYI I'm using kernel 2.4.25.  I'd rather not upgrade
> to 2.6 since doing so in the past has introduced more
> problems!
>
> Thanks.










--
"The network is the computer"


[LARTC] Router dropping packets?

2007-03-05 Thread John Philips
Hey guys,

I have several Linux routers in place at high-usage
locations (student apartment complexes).  I'm having
trouble with some of the routers which use 6Mbit DSL
lines as their Internet feed.  The routers use PPPoE
and perform NAT.

During peak usage periods, the routers are dropping
a lot of packets.  I'm led to believe this is because
there are too many active connections.

For example, when I ping the WAN IP address of one of
the routers from a remote location, I may start
getting replies immediately.  But during peak periods,
the first several pings usually time out and then they
just start responding.  Sometimes they start
responding on the 4th ping, sometimes the 12th, etc.,
it's pretty random.

I searched the web and tried increasing my gc_cache
settings, but it didn't make a difference.

echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

The other notable difference is that the conntrack
tables are much larger than normal.

`wc -l /proc/net/ip_conntrack` returns >19000 on the
routers experiencing packet loss while virtually all
of the other routers (not having this issue) have less
than 5000 entries in ip_conntrack.  I tried increasing
ip_conntrack_max in /proc, setting it to 65536 -
didn't make a difference.

Are there any other /proc settings I should change to
improve performance?  Any tips on analyzing the
ip_conntrack data to find oddities?

FYI I'm using kernel 2.4.25.  I'd rather not upgrade
to 2.6 since doing so in the past has introduced more
problems!

Thanks.




 



[LARTC] Router stops forwarding packets when MAC Address changes

2006-03-13 Thread Greg Scott
Here's one that makes me scratch my head.  

I have a layout like this:

   172.16.0.0/16                            1.2.3.48/28
   172.16.n.n                      (fictional public IP range)
   internal hosts
        |
   <----+-----------+---------------+-------------+-----> to the Internet
        |           |               |             |
    Internal     Firewall        Firewall      Outside
      Host         eth1            eth0         Router
   172.16.16.99  172.16.16.3     1.2.3.50      1.2.3.49

I want to use my own MAC addresses on all the firewall NICs.  This way,
I should be able to swap firewall systems without disturbing the ARP
caches on the outside router or internal hosts.  I do it like this:

ifdown eth1
ifconfig eth1 hw ether 17:20:16:01:60:03
ifup eth1

Similarly for eth0.

From my internal host, ping 1.2.3.49.  This works before switching MAC
addresses and fails after doing it.  
The internal host can ping the firewall at 172.16.16.3.
The firewall can ping 1.2.3.49.  
But that firewall will not forward anything after giving its NICs my
made-up MAC Addresses.  

When I put the MAC addresses back to their "real" values, the firewall
forwards again.  

From the internal host, arp -a shows what it is supposed to show.  

The firewall is running 2.4.27 from kernel.org.  I am using 3Com 3C905B
NICs.  /proc/sys/net/ipv4/ip_forward is 1.  

What am I missing?  Why does changing MAC Addresses mess up forwarding?

Thanks

- Greg Scott


[LARTC] router problem

2004-12-19 Thread sergis
Hi all, I have a big problem. I am a newbie and my English is bad, but I know you can
help solve my problem.

I have a box with Gentoo. I live in Latvia and I have 2 ISPs:
One ISP gives me the IP range 62.85.71.1-62.85.71.15 (62.85.71.1 is the gateway),
but there is only Latvian traffic, no other countries (the link is 2 Mbit
asynchronous DSL), and the other ISP gives me one IP from DHCP and there are no
traffic limitations (the link is 512 kbit asynchronous DSL). I have a local net connected
to this Linux box which has the IP range 10.10.10.11-10.10.10.19; the gw is 10.10.10.1
on my Linux box. On this Linux box are running (mail, DNS, web, Counter-Strike
server). On the local net there are more P2P programs, downloaders, etc. When people from
"outside" play on my server they have extreme lags caused by link overloading
and large packet loss. But my priority is CS traffic. I need to prioritize this
traffic (I know CS has many little packets), but I need to prioritize my CS
server. And I need your help. I tried wondershaper but without results.

With this script i start my box now:(is this correct?)

INET_IFACE=eth0
INET_NET=62.85.71.0/28
INET_GW=62.85.71.1
INET_IP=62.85.71.10
INET_BCAST_ADRESS=62.85.71.15
INET_MASK=255.255.255.240
DSL_IFACE=eth2
DSL_NET=81.198.4.0/28
DSL_GW=81.198.4.1
DSL_IP=81.198.7.159
DSL_BCAST_ADRESS=81.198.7.255
DSL_MASK=255.255.252.0
LAN_IFACE=eth1
LAN_IP=10.10.10.0
LAN_NET=10.10.10.0/24
LAN_MASK=255.255.255.0
LAN_BCAST=10.10.10.255
INET_IP1=62.85.71.2
INET_IP2=62.85.71.3
INET_IP3=62.85.71.4
INET_IP4=62.85.71.5
INET_IP5=62.85.71.6
INET_IP6=62.85.71.7
INET_IP7=62.85.71.8
INET_IP8=62.85.71.9
INET_IP9=62.85.71.11
LAN_IP1=10.10.10.11/32
LAN_IP2=10.10.10.12/32
LAN_IP3=10.10.10.13/32
LAN_IP4=10.10.10.14/32
LAN_IP5=10.10.10.15/32
LAN_IP6=10.10.10.16/32
LAN_IP7=10.10.10.17/32
LAN_IP8=10.10.10.18/32
LAN_IP9=10.10.10.19/32
IP=ip 
IPT=iptables
IR=route
IFC=ifconfig
echo "1" > /proc/sys/net/ipv4/ip_forward 
$IFC eth0:1 $INET_IP1 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:2 $INET_IP2 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:3 $INET_IP3 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:4 $INET_IP4 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:5 $INET_IP5 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:6 $INET_IP6 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:7 $INET_IP7 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:8 $INET_IP8 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
$IFC eth0:9 $INET_IP9 broadcast $INET_BCAST_ADRESS netmask $INET_MASK
ip route flush table main
ip route flush table 1 
ip route flush table 2 
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10 
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1 
ip route add 81.198.4.0/28 dev eth2 src 81.198.7.159
ip route add 127.0.0.0/8 dev lo 
ip route add default via 81.198.4.1
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10 table 1 
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1 table 1 
ip route add 81.198.4.0/23 dev eth2 src 81.198.7.159 table 1
ip route add 127.0.0.0/8 dev lo table 1   # "table 1" was missing; without it this re-adds the main-table route
ip route add default via 62.85.71.1 table 1
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10 table 2
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1 table 2
ip route add 81.198.4.0/28 dev eth2 src 81.198.7.159 table 2
ip route add 127.0.0.0/8 dev lo table 2 
ip route add default via 81.198.4.1 table 2 
ip rule add from 62.85.71.2 table 1
ip rule add from 62.85.71.3 table 1
ip rule add from 62.85.71.4 table 1
ip rule add from 62.85.71.5 table 1
ip rule add from 62.85.71.6 table 1   # was 62.88.71.6, a typo outside the 62.85.71.0/28 range
ip rule add from 62.85.71.7 table 1
ip rule add from 62.85.71.8 table 1
ip rule add from 62.85.71.9 table 1
ip rule add from 62.85.71.10 table 1
ip rule add from 62.85.71.11 table 1 
ip rule add from 81.198.7.159 table 2 
$IPT -t mangle -F
$IPT -A OUTPUT -t mangle -p udp --sport 27015 -j TOS --set-tos Maximize-Throughput
$IPT -A OUTPUT -t mangle -p udp --dport 27015 -j TOS --set-tos Maximize-Throughput
$IPT -t nat -F
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP1 -j SNAT --to $INET_IP1
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP2 -j SNAT --to $INET_IP2
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP3 -j SNAT --to $INET_IP3
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP4 -j SNAT --to $INET_IP4
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP5 -j SNAT --to $INET_IP5
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP6 -j SNAT --to $INET_IP6
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP7 -j SNAT --to $INET_IP7
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP8 -j SNAT --to $INET_IP8
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP9 -j SNAT --to $INET_IP9
$IPT -t nat -A POSTROUTING -o $DSL_IFACE -j SNAT --to $DSL_IP
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 > $f
done
$IPT -A FORWARD -i eth1 -s ! $LAN_NET -j DROP
for LIST in `cat /etc/init.d/Scripts/data/lv_iplist`; do
ip route add to $LIST via 62.85.71.1
done
/etc/init.d/Scripts/data/lv_iplist contains the subnets of my country
(example 81.19
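
The question above asks whether the startup script is correct. What follows is an added example, not code from the post: a small lint for the address, `ip route add` and `ip rule add` section of a script of this shape. It takes the networks from variables ending in `_NET`, then reports a route whose `src` lies outside the prefix being added (legal, but usually a wrong netmask), a prefix added twice to the same table (on a live box the second `ip route add` fails with "File exists", typically because `table N` was forgotten), a policy-rule source that belongs to none of the configured networks (a mistyped octet), and a gateway that is not on a directly connected prefix of its table. The excerpt embedded below is constructed for the example and deliberately contains three such defects; lines still holding unexpanded `$VARS` are skipped.

```python
"""Sanity-check the address/route/rule section of a multi-ISP startup script.

Added example, not code from the post.  It understands only the shapes used
in that kind of script: NAME=value lines (networks are taken from variables
ending in _NET), "ip route add PREFIX [dev X] [src Y] [via Z] [table N]" and
"ip rule add from ADDR table N".  Findings are (kind, offending line) pairs.
"""
import re
from ipaddress import ip_address, ip_network

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S+)$")

# Constructed excerpt with three defects: a route whose src is outside the
# prefix, a prefix added twice to the main table (a forgotten "table 1"),
# and a policy-rule source with a mistyped octet.
SAMPLE = """\
INET_NET=62.85.71.0/28
DSL_NET=81.198.4.0/28
LAN_NET=10.10.10.0/24
ip route flush table main
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10
ip route add 10.10.10.0/24 dev eth1 src 10.10.10.1
ip route add 81.198.4.0/28 dev eth2 src 81.198.7.159
ip route add 127.0.0.0/8 dev lo
ip route add default via 81.198.4.1
ip route add 62.85.71.0/28 dev eth0 src 62.85.71.10 table 1
ip route add 127.0.0.0/8 dev lo
ip route add default via 62.85.71.1 table 1
ip rule add from 62.85.71.2 table 1
ip rule add from 62.88.71.6 table 1
ip rule add from 81.198.7.159 table 2
"""


def lint(text):
    nets, routes, findings = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "$" in line:          # skip blanks and unexpanded variables
            continue
        m = ASSIGN_RE.match(line)
        if m:
            if m.group(1).endswith("_NET"):
                nets.append(ip_network(m.group(2), strict=False))
            continue
        tok = line.split()
        if tok[:3] == ["ip", "route", "add"] and len(tok) > 3:
            if tok[3] == "to":               # "ip route add to PREFIX ..." is equivalent
                del tok[3]
            prefix, opts = tok[3], dict(zip(tok[4::2], tok[5::2]))
            table = opts.get("table", "main")
            if (prefix, table) in routes:
                findings.append(("duplicate-route", line))
            routes.setdefault((prefix, table), []).append(opts)
            if prefix != "default" and "src" in opts and \
                    ip_address(opts["src"]) not in ip_network(prefix, strict=False):
                findings.append(("src-outside-prefix", line))
        elif tok[:3] == ["ip", "rule", "add"] and "from" in tok:
            src = ip_address(tok[tok.index("from") + 1])
            if not any(src in n for n in nets):
                findings.append(("rule-source-unknown", line))
    # A gateway must sit on a prefix that is directly connected in the same table.
    for (prefix, table), entries in routes.items():
        connected = [ip_network(p, strict=False) for (p, t), es in routes.items()
                     if t == table and p != "default" and any("via" not in e for e in es)]
        for opts in entries:
            if "via" in opts and not any(ip_address(opts["via"]) in n for n in connected):
                findings.append(("gateway-unreachable",
                                 f"{prefix} via {opts['via']} table {table}"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, where in lint(text):
        print(f"{kind:20} {where}")
```

Feed it the real script with `python3 route_lint.py /etc/init.d/Scripts/start.sh` (path assumed). On the sample it flags the 81.198.4.0/28 route whose src 81.198.7.159 falls outside that /28 (a 255.255.252.0 mask would make it a /22, which does contain it), the second 127.0.0.0/8 route in the main table, and the two rule sources that match no configured network.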

Re: [LARTC] Router serving several inet ips

2004-01-11 Thread Damion de Soto
Hi Carlos,
> The iptables lines after '#' are what I tried.. but it did not work, it gave me
> this message:
> debian:/etc/init.d# sh nat.sh
> Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
> Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
> iptables v1.2.7a: multiple -j flags not allowed
> #iptables -t nat -A POSTROUTING -o eth1:0
> #iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
> #iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED  -j MASQUERADE

You need to fix those 3 lines just like the error messages say.
iptables uses the real interface (eth1), not the aliased one,
and you can't combine two -j flags, ACCEPT and MASQUERADE.  I assume the -j MASQUERADE 
option is a mistake and should belong elsewhere.



--
~~~
Damion de Soto - Software Engineer  email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company ---ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliancesweb: http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


[LARTC] Router serving several inet ips

2004-01-10 Thread Carlos L
Hi all,

I have a router with Debian 3.0, kernel 2.4.20, working with HTB quite well,
limiting bandwidth and doing port and IP prioritizations.

Now I want to serve more than 1 Internet IP; later I will do prioritizations
on each IP.. but.. I can't manage the first thing yet.
The idea is that it works as a "DHCP server", assigning the IPs.. but the
traffic must go through the Linux box (so I can prioritize and limit
bandwidth).
I have set up the second Internet IP with ipalias on eth1:0, and it is
active, I get ping from the Internet.. no problem.. but it does not work fine
when I try to assign it to a private IP.

The idea is assigning 192.168.0.3 to eth1:0 (no NATting, .. just the entire
IP)

The iptables lines after '#' are what I tried.. but it did not work, it gave me
this message:
debian:/etc/init.d# sh nat.sh
Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
iptables v1.2.7a: multiple -j flags not allowed

Thanks in advance,
Carlos

The script, below..

#!/bin/sh

echo "AthoS LaN Generando iptables..." > /dev/tty12

# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F

# eth1 will be the Internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

# eth0 is the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT

#iptables -t nat -F PREROUTING
#iptables -t nat -P PREROUTING  ACCEPT
#iptables -t nat -F POSTROUTING
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -t nat -A POSTROUTING -o eth1:0
#iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
#iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED  -j MASQUERADE

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# packet routing rules...

# 1. redirect requests on port 21 to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.2:21



Re: [LARTC] Router for giving more than 1 ip

2003-08-31 Thread Martin A. Brown
 : Hi i have a debian box working as a router.. it works quite well, now i
 : want to give more than 1 ip.. is it possible to do it?

You want to host more than one IP on your box?  Easily done.

# ip addr add $SECONDARY_OUTSIDE_IP/32 dev eth1

 : some of them must be an open ip.. i mean.. all ports opened is it
 : possible? how should i do it?

Sure, it's possible*.  Note, though, that in this command, you have not
specified a destination address on these DNAT commands, so you'll need to
change them.

 : iptables -t nat -A PREROUTING \
 : -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:25

This should be something more like this:

  iptables -t nat -A PREROUTING -j DNAT --to 192.168.0.16:25 \
-i eth1 -p tcp --dport 110 -s 0/0 -d $PRIMARY_OUTSIDE_IP

 : iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

If you wish to have more control over the source address of these packets,
you can use "-j SNAT --to $PRIMARY_OUTSIDE_IP".

[ many DNAT commands snipped ]

* in order to open all ports to a given internal IP, try the following:

  iptables -t nat -A PREROUTING -j DNAT --to $GAPING_SECURITY_HOLE \
-i eth1 -s 0/0 -d $SECONDARY_OUTSIDE_IP

That should do it!  Be forewarned that application layer protocols which
embed network layer information in their messages will be
confused... consider the usual NAT problems with FTP.

Best of luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]

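
The three replies in this thread make the same points from different angles: Damion notes that netfilter matches on the real interface, never an ifconfig alias, and that a rule may carry only one -j; Martin notes that once a box hosts more than one public address a PREROUTING DNAT needs a -d, otherwise it redirects traffic for every address. The posted nat.sh also redirects the same port twice (110 and 143 appear both early and late), and only the first rule for a port ever matches. The lint below is an added example, not code from the list or from either poster; it parses the option spellings used in the posted scripts and reports those four conditions. The public addresses and the sample rules are constructed for the example.

```python
"""Lint iptables rules for the mistakes raised in this thread.

Added example, not code from the list.  It recognises the option spellings
used in the posted scripts (-t/--table, -A/--append, -i/--in-interface,
-o/--out-interface, -p, -d, -s, -j, --dport, --to, -m state --state) and
reports, per line:
  alias-interface   -i/-o names an ifconfig alias such as eth1:0; netfilter
                    matches on the real interface (eth1) only
  multiple-targets  more than one -j on a line
  dnat-without-dst  a PREROUTING DNAT with no -d while the router hosts more
                    than one public address, so every address is redirected
  duplicate-dnat    the same (proto, dport, destination) redirected twice;
                    only the first rule ever matches
"""
LONG = {"--table": "-t", "--append": "-A", "--in-interface": "-i",
        "--out-interface": "-o", "--protocol": "-p", "--destination": "-d",
        "--source": "-s", "--jump": "-j"}

# Constructed sample mirroring the shapes in the posted scripts.
SAMPLE = """\
iptables -t nat -A POSTROUTING -o eth1:0
iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.0.16:25
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -d 203.0.113.11 -p tcp --dport 25 -j DNAT --to 192.168.0.3:25
"""


def parse_rule(line):
    """Return {option: value, "_jumps": n} for one iptables line, else None."""
    tok = line.split()
    if not tok or tok[0] != "iptables":      # comments and non-iptables lines
        return None
    opts, jumps, i = {}, 0, 1
    while i < len(tok):
        key = LONG.get(tok[i], tok[i])       # normalise long spellings to short ones
        if key == "-j":
            jumps += 1
        if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
            opts[key] = tok[i + 1]
            i += 1
        else:
            opts[key] = True                 # flag with no argument, e.g. -F
        i += 1
    opts["_jumps"] = jumps
    return opts


def lint(text, public_ips):
    findings, seen = [], set()
    multi_homed = len(public_ips) > 1
    for raw in text.splitlines():
        line = raw.strip()
        rule = parse_rule(line)
        if rule is None:
            continue
        for opt in ("-i", "-o"):
            if isinstance(rule.get(opt), str) and ":" in rule[opt]:
                findings.append(("alias-interface", line))
        if rule["_jumps"] > 1:
            findings.append(("multiple-targets", line))
        if rule.get("-t") == "nat" and rule.get("-A") == "PREROUTING" and rule.get("-j") == "DNAT":
            if multi_homed and "-d" not in rule:
                findings.append(("dnat-without-dst", line))
            key = (rule.get("-p"), rule.get("--dport"), rule.get("-d", "*"))
            if key in seen:
                findings.append(("duplicate-dnat", line))
            seen.add(key)
    return findings


if __name__ == "__main__":
    for kind, line in lint(SAMPLE, ["203.0.113.10", "203.0.113.11"]):
        print(f"{kind:18} {line}")
```

Point it at the real script with `lint(open("nat.sh").read(), [primary_ip, secondary_ip])`. The last sample rule shows the corrected shape Martin describes: with `-d 203.0.113.11` in front of the port match, the second address can forward port 25 to a different internal host without colliding with the first address's rule.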


[LARTC] Router for giving more than 1 ip

2003-08-30 Thread carlos lorente

Hi, I have a Debian box working as a router.. it works quite well; now 
I want to give more than 1 IP.. is it possible to do it? Some of them 
must be an open IP.. I mean.. all ports opened, is it possible? How 
should I do it?

Here is my nat.sh script just in case someone wants it.. (comments are 
in Spanish.. and not right)

Thanks in advance,

#!/bin/sh

echo "AthoS LaN Generando iptables..." > /dev/tty12


# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F

# eth1 will be the Internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

# eth0 is the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# packet routing rules...

# 1. redirect requests on port 21 to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.16:21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 993 -j DNAT --to 192.168.0.16:993
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 995 -j DNAT --to 192.168.0.16:995
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1 -j DNAT --to 192.168.0.16:1
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.16:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport  -j DNAT --to 192.168.0.13:
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5556 -j DNAT --to 192.168.0.13:5556

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.0.16:25
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3306 -j DNAT --to 192.168.0.16:3306
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 143 -j DNAT --to 192.168.0.16:143
# 2. redirect DCCs to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4502:4510 -j DNAT --to 192.168.0.13:4502-4510
# 3. ports for MSN (for sending)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6891:6899 -j DNAT --to 192.168.0.13:6891-6899
# 4. ports for eMule

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5800 -j DNAT --to 192.168.0.165:5800
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1433 -j DNAT --to 192.168.0.165:1433
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4500 -j DNAT --to 192.168.0.13:4500
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5900 -j DNAT --to 192.168.0.165:5900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6900 -j DNAT --to 192.168.0.166:6900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2593 -j DNAT --to 192.168.0.165:2593
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4501 -j DNAT --to 192.168.0.166:4501
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4000 -j DNAT --to 192.168.0.166:4000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7000 -j DNAT --to 192.168.0.166:7000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6901 -j DNAT --to 192.168.0.113:6901

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4661 -j DNAT --to 192.168.0.13:4661
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4662 -j DNAT --to 192.168.0.13:4662
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6699 -j DNAT --to 192.168.0.13:6699
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7751 -j DNAT --to 192.168.0.13:7751
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 6257 -j DNAT --to 192.168.0.13:6257

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4668 -j DNAT --to 192.168.0.62:4668
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7373 -j DNAT --to 192.168.0.8:7373
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7372 -j DNAT --to 192.168.0.8:7372
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -j DNAT --to 192.168.0.8:20
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7373 -j DNAT --to 192.168.0.8:7373

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4666 -j DNAT --to 192.168.0.8:4666
i

[LARTC] Router for giving more than 1 ip

2003-08-29 Thread carlos lorente

Hi, I have a Debian box working as a router.. it works quite well; now 
I want to give more than 1 IP.. is it possible to do it? Some of them 
must be an open IP.. I mean.. all ports opened, is it possible? How 
should I do it?

Here is my nat.sh script just in case someone wants it.. (comments are 
in Spanish.. and not right)

Thanks in advance,

#!/bin/sh

echo "AthoS LaN Generando iptables..." > /dev/tty12


# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F

# eth1 will be the Internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

# eth0 is the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# packet routing rules...

# 1. redirect requests on port 21 to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.16:21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 993 -j DNAT --to 192.168.0.16:993
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 995 -j DNAT --to 192.168.0.16:995
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1 -j DNAT --to 192.168.0.16:1
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.16:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8000 -j DNAT --to 192.168.0.16:8000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 8001 -j DNAT --to 192.168.0.16:8001
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport  -j DNAT --to 192.168.0.13:
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5556 -j DNAT --to 192.168.0.13:5556

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to 192.168.0.16:53
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 23 -j DNAT --to 192.168.0.16:23
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.0.16:25
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.16:110
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3306 -j DNAT --to 192.168.0.16:3306
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 143 -j DNAT --to 192.168.0.16:143
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 143 -j DNAT --to 192.168.0.16:143
# 2. redirect DCCs to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4502:4510 -j DNAT --to 192.168.0.13:4502-4510
# 3. ports for MSN (for sending)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6891:6899 -j DNAT --to 192.168.0.13:6891-6899
# 4. ports for eMule

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5800 -j DNAT --to 192.168.0.165:5800
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1433 -j DNAT --to 192.168.0.165:1433
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4500 -j DNAT --to 192.168.0.13:4500
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5900 -j DNAT --to 192.168.0.165:5900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6900 -j DNAT --to 192.168.0.166:6900
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2593 -j DNAT --to 192.168.0.165:2593
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4501 -j DNAT --to 192.168.0.166:4501
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4000 -j DNAT --to 192.168.0.166:4000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7000 -j DNAT --to 192.168.0.166:7000
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6901 -j DNAT --to 192.168.0.113:6901

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4661 -j DNAT --to 192.168.0.13:4661
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4662 -j DNAT --to 192.168.0.13:4662
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6699 -j DNAT --to 192.168.0.13:6699
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7751 -j DNAT --to 192.168.0.13:7751
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 6257 -j DNAT --to 192.168.0.13:6257

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4668 -j DNAT --to 192.168.0.62:4668
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7373 -j DNAT --to 192.168.0.8:7373
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7372 -j DNAT --to 192.168.0.8:7372
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -j DNAT --to 192.168.0.8:20
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7373 -j DNAT --to 192.168.0.8:7373

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4666 -j DNAT --to 192.168.0.8:4666
i

[LARTC] Router for the two different networks

2003-02-19 Thread Remus
Hi folks,

I have a Linux (Slackware 8.1) router and I use it to replace a hardware
router (for example Cisco).
This router is only for external IP addresses: I got 6 IPs from my ISP and
of course to use them I made a router on a Linux box.

My scheme is:

      Internet connection from radio modem
                      |
                      | eth0
              +---------------+
              |   Linux box   |
              +---------------+
                      | eth1
              +---------------+
              |    switch     |
              +---------------+
                  |       |
             +-------+ +-------+
             |  FW1  | |  FW2  |
             +-------+ +-------+
                  |       |
              Local network

All network connections use external IPs except the local network.
Everything works just fine.

So my question is: can I put two extra network cards in my Linux box and use
the same PC as the router for the second
Internet connection?

Or do I have to use a second Linux box for it?
eth0 and eth1 routing between the first ISP's IPs, and eth2 and eth3 routing
between the second ISP's IPs?


Thank you in advance

Remus




Re: [LARTC] Router

2002-11-22 Thread Ashok N N
On Friday 22 November 2002 10:33 am, Stef Coene wrote:
> On Friday 22 November 2002 16:08, Rimas wrote:
> > Hi guys,
> >
> > I'm asking the same question again (it's very urgent for me).
> >
> > How to build a router on Linux box?
> >
> > I have a Linux box (Redhat 7.3) with two network cards.
> > eth0 is connection to my wireless ISP and eth1 to my FWs.
> > I want to route eth0<-->eth1. Both NIC have real Internet IP as well like
> > FWs.
> > I need no NAT (no needs to hide my real IP, because it have to be seen from
> > Internet).
> > Do I have to use ip route or iptables or combination of it.
> If the box is up and running with 2 nic's configured, try this :
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> Stef
> 

Just to enable routing (without any firewall stuff) the above command would be 
sufficient. To make it permanent, add the following to /etc/sysctl.conf:
# Enables packet forwarding
net.ipv4.ip_forward=1

You could also add the following to enable route verification:
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1

Thanks,
Ashok
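Ashok's two sysctl keys are the usual starting point, but there is a caveat worth checking on a box that already has its NICs up: `net.ipv4.conf.default.rp_filter` only seeds interfaces created after it is set, and the value the kernel actually enforces on an interface is the higher of `conf/all/rp_filter` and `conf/<if>/rp_filter`. So on a router whose eth0 and eth1 already exist, `default=1` alone leaves spoofed-source packets unfiltered. The audit below is an added example, not code from Ashok or the LARTC project; the function name `audit_router` is made up here, and it takes the `/proc/sys` root as an argument so it can be pointed at a constructed tree instead of a live kernel.

```shell
#!/bin/sh
# Added example (not from the list post): audit a Linux router's
# forwarding and reverse-path-filter state from its /proc/sys tree.
#
# Effective rp_filter per interface = max(conf/all, conf/<if>), as
# documented in the kernel's ip-sysctl text; conf/default only applies
# to interfaces created later. Values: 0 = off, 1 = strict, 2 = loose.

# audit_router [SYSROOT]
# Prints one line per interface; returns 0 only if forwarding is on and
# every real interface (not lo/all/default) has rp_filter in effect.
audit_router() {
    root="${1:-/proc/sys}"          # hypothetical: defaults to the live tree
    ok=0

    fwd=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null || echo 0)
    if [ "$fwd" = "1" ]; then
        echo "ip_forward=1"
    else
        echo "ip_forward=$fwd  (box is not routing)"
        ok=1
    fi

    all=$(cat "$root/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    for d in "$root"/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        ifname=$(basename "$d")
        case "$ifname" in all|default|lo) continue ;; esac
        v=$(cat "$d/rp_filter" 2>/dev/null || echo 0)
        eff=$v
        # the kernel uses the larger of the "all" and per-interface values
        [ "$all" -gt "$eff" ] && eff=$all
        case "$eff" in
            1) echo "$ifname: rp_filter effective=1 (strict)" ;;
            2) echo "$ifname: rp_filter effective=2 (loose)" ;;
            *) echo "$ifname: rp_filter effective=$eff (spoofed sources not filtered)"
               ok=1 ;;
        esac
    done
    return $ok
}
```

Run it as root with no argument on the router itself. Note that strict mode (1) drops legitimate traffic on a multihomed box with asymmetric routing, which is exactly the setup Remus asks about further up this thread; loose mode (2) is the usual compromise there.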



Re: [LARTC] Router

2002-11-22 Thread Stef Coene
On Friday 22 November 2002 16:08, Rimas wrote:
> Hi guys,
>
> I'm asking the same question again (it's very urgent for me).
>
> How to build a router on Linux box?
>
> I have a Linux box (Redhat 7.3) with two network cards.
> eth0 is connection to my wireless ISP and eth1 to my FWs.
> I want to route eth0<-->eth1. Both NICs have real Internet IPs as well, like
> the FWs.
> I need no NAT (no need to hide my real IP, because it has to be seen from
> the Internet).
> Do I have to use ip route or iptables or a combination of them?
If the box is up and running with 2 NICs configured, try this:

echo 1 > /proc/sys/net/ipv4/ip_forward

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] Router

2002-11-22 Thread David Boreham
 
> How to build a router on Linux box?

This is a bit like asking 'How do I build a nuclear reactor? I need to
have it done by Monday' :)

You will need to sit down and do quite a bit of reading.
There are howto documents, there are books on the subject,
there are mailing lists like this. You'll need to spend time with
all three types of information source.

The book "Linux Firewalls", despite the title, is a good
source of information on routing with Linux.

The book "Linux Routing" is also good.




[LARTC] Router

2002-11-22 Thread Rimas
Hi guys,

I'm asking the same question again (it's very urgent for me).

How to build a router on Linux box?

I have a Linux box (Redhat 7.3) with two network cards.
eth0 is the connection to my wireless ISP and eth1 to my FWs.
I want to route eth0<-->eth1. Both NICs have real Internet IPs as well, like
the FWs.
I need no NAT (no need to hide my real IP, because it has to be seen from
the Internet).
Do I have to use ip route or iptables or a combination of them?

Thank you

Rimas



[LARTC] router redundancy with vrrpd

2002-11-08 Thread PlusServer - Sascha Wintz
Hi all,

maybe someone of you guys can help me on my problem.

I have 2 Zebra 0.93a routers with SuSE Linux 8.0.

Each router has working BGP sessions to some uplink providers.

Each one has an interface dedicated for my internal network.

The idea is that the other router starts up all 50 gateway ip addresses
needed on its internal interface.

I'm dealing with a lot of /24 networks, each one has x.x.x.1 as gateway.
To make this easier I changed the netmask from /32 to /24 in the vrrpd
source code and recompiled.

No problem until now. But, when the gateway addresses are up, I cannot
reach my servers. I did a simple ping, and got no response at all. I
tried arping, and I got an immediate response. After that ping also
worked. But only for some minutes, and then the servers got lost again.

After that I shut down vrrpd and added my gateway addresses manually to
the interface:
ip addr add x.x.x.1 brd + dev $INT 
And I got the same problem there. 

Then I tried using aliases, but again the same problem. 

If I do a simple
ifconfig $INT x.x.x.1 netmask 255.255.255.0 broadcast x.x.x.255

then I won't have the problem at all.

I don't think the problem is directly related to vrrpd, but I cannot
figure out what's going wrong here.

Some additional info:
I'm using arpd instead of kernel space arp.
I have approx. 1000 servers connected via multiple switches behind my
internal NIC.
I need to bring up approx. 50 secondary IP addresses.

Perhaps there are too many servers connected via one NIC, but why does it
work with ifconfig and not with ip addr add?


Thanx in advance
Sascha