Debian Configuration :: Routing Traffic To A Website Via A Specific Interface
Jul 30, 2011
I am running Debian Squeeze on an old pc (AMD K62-500) which serves as my multiwan router and torrent box. Internet uplink is provided via a dsl line and 2 wireless canopy modules.
Setup has been generally fine except when connecting/downloading as free user from sites like rapidshare, hotfile, filesonic, etc. The problem arises when I am connected to these sites using the wireless uplinks because of the shared public ip. I don't really download that much using direct download methods so I don't really see myself being a premium user from these sites.
If these sites are on a specific ip or ip range, an entry on the static routing table would have been fine but when I tried using ping, a different ip would appear to reply each time.
I wonder if there can be a solution like using iptables where in traffic to and from these sites will only use the NIC connected to the dsl line.
I'm hoping some of the Linux network experts can help me with this problem.
Situation: I have a technology which is a WebLogic JEE application that communicates to an Oracle database. Everything is installed in a single Linux virtual machine running in VirtualBox. Traffic from the JEE application goes via JDBC over TCP to the locally running database. What I want to do is test a new database firewall server that wants all traffic destined for the database to flow via another virtual machine running the DB Firewall software. So therefore what I need to do is have DB traffic forced out over one interface only to return on another interface on the same VM listening on a different address.
JEE application running in WebLogic bound to 192.168.111.12 (eth1, a VirtualBox hostonly interface). Makes a request for 10.0.111.12 (eth2, a VirtualBox internal interface) which the database is listening on. Because both IPs are on local interfaces, Linux is going to handle the traffic and not route the 10.x traffic via the 192.x interface. I also have running the database firewall server which has a bridge (br0) between the HostOnly network and the Internal network. Both systems are running Oracle Enterprise Linux R5U4, which is basically the same as RedHat. What I want to do is have the request for 10.0.111.12 forced out via 192.168.111.12, bridged over the br0 connection and back into 10.0.111.12 and to the database. My networking knowledge is pretty good, but I'm stuck right now on the right way to do this. I'm pretty sure it is possible, I just need clear advice.
Reason for setup: Ideally I would build the system with the database on a separate machine so that I can easily route the traffic. Unfortunately we have many VirtualBox based demonstration systems with both the application and database installed on the same VM and therefore the amount of work to migrate these two dual VMs is going to be significant, also many of these VMs are demonstrated from laptops which have limited resources and creating a new database VM reduces overall performance. If I can create a way to force the traffic in this manner off and back onto the same VM via the other VM bridge, it would be fantastic.
I have a linux router with 2 physical ISPs and a VPN tunnel that all my traffic passes through. I would like to setup a rule to redirect all traffic from one internal IP address (10.0.0.x) through the physical link only. My current script is as follows.
I have a question regarding Traffic Shaping in Linux, Suppose I have a server on the internet (web, email or ftp) and I want to shape outgoing traffic per IP, say 256k for each destination IP. I've seen examples on the internet on how to shape traffic per IP by adding a queue for each IP, and some examples by using u32 hash if I have e.g. a /24 network, but if I have a server and I want to shape the traffic by destination IP, and of course... since it is a server on the internet I can't manually define any IPs of subnets. An example using the tc command?
I'm running OpenVPN service on both debian server and client. When start connection between client and server, I expect all the computer traffic (except ARP and DHCP requests) go through created tunnel. However, when I capture packets on wlan0 on client (the only connection going outside host) using Wireshark, I can see DNS requests visible and sometimes incoming TCP traffic as well, but most of the traffic is going through tunnel as expected. I provide both configurations of client and server and client routing table for inspection. I changed server address to avoid server exploitation in the case of some big configuration mistake.
Commands to run OpenVPN services are:
For client:
sudo openvpn --config /etc/openvpn/client.conf &
For server:
sudo openvpn --config /etc/openvpn/server.conf &
**Client routing table when VPN is OFF**
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    1024   0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
[code]...
I searched through many forums and documentation and I found that for all the traffic to go via VPN the command *push "redirect-gateway def1"* is necessary; however, I have leaks despite this command being in place. I already spent over 2 days with this and tried to configure it in many ways, now I have no clue what I'm missing.
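To see why `redirect-gateway def1` can leave DNS queries on wlan0, it helps to replay the kernel's route lookup against the two routing tables. The following is an added example, not code from the post or from OpenVPN: it models the "VPN off" table quoted above and a constructed "VPN on" table with the two /1 routes that `def1` installs (the VPN server 203.0.113.10 and tunnel gateway 10.8.0.5 are placeholders), then lists the destinations that would still leave on the physical interface.

```python
import ipaddress

# Constructed routing tables, modelled on the "route -n" output quoted above.
# Each entry is (prefix, gateway or None for a connected route, interface).
ROUTES_VPN_OFF = [
    ("0.0.0.0/0",      "192.168.1.1", "wlan0"),
    ("192.168.1.0/24", None,          "wlan0"),
]

# With push "redirect-gateway def1" OpenVPN keeps the original default route
# and adds two /1 routes via the tunnel (more specific than 0.0.0.0/0) plus a
# host route to the VPN server via the old gateway so the tunnel itself does
# not loop. 203.0.113.10 (VPN server) and 10.8.0.5 (tunnel gateway) are
# constructed placeholders, not addresses from the post.
ROUTES_VPN_ON = [
    ("0.0.0.0/0",       "192.168.1.1", "wlan0"),
    ("0.0.0.0/1",       "10.8.0.5",    "tun0"),
    ("128.0.0.0/1",     "10.8.0.5",    "tun0"),
    ("203.0.113.10/32", "192.168.1.1", "wlan0"),
    ("192.168.1.0/24",  None,          "wlan0"),
    ("10.8.0.0/24",     None,          "tun0"),
]


def lookup(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst out of."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def leaking_destinations(routes, dsts, tunnel="tun0", allowed=()):
    """Destinations that would leave on something other than the tunnel.

    `allowed` lists the hosts that must bypass the tunnel by design
    (the VPN server itself); anything else outside the tunnel is a leak.
    """
    return [d for d in dsts if d not in allowed and lookup(routes, d) != tunnel]


if __name__ == "__main__":
    probes = ["8.8.8.8", "198.51.100.20", "192.168.1.1", "203.0.113.10"]
    for name, table in (("VPN off", ROUTES_VPN_OFF), ("VPN on", ROUTES_VPN_ON)):
        print(name)
        for d in probes:
            print(f"  {d:15} -> {lookup(table, d)}")
    print("leaks with VPN on:",
          leaking_destinations(ROUTES_VPN_ON, probes, allowed={"203.0.113.10"}))
```

The model shows the mechanism: the LAN router 192.168.1.1 stays reachable through the connected 192.168.1.0/24 route, which is more specific than either /1, so any resolver configured at that address is queried in the clear on wlan0 no matter what `def1` does. Checking which resolver the client actually uses while the tunnel is up (and pushing one that is reached through the tunnel) is the first thing to verify; blocking non-tunnel traffic with a firewall rule on the physical interface is the usual belt-and-braces.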
I need to be able to do the following: Physical Router located at 192.168.40.1. On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1. Do the same (virtual address) for eth2 -- e.g. 192.168.60.1. In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
I installed the PPTP Client [URL] and can successfully connect to my VPN (creates interface ppp0). The problem is, I'm trying to tunnel all of my traffic on my system through the connection. I've seen conflicting howtos and scripts including pptpclient's documentation (the ip-up and ip-down scripts don't work). How does one simply (even if I type it manually) tunnel the traffic?
System Info:
OS: Debian Squeeze, Kernel 2.6.32-5-686
GUI: Gnome (standard one from netinst unstable install)
Main interface: eth1
PPTP interface: ppp0
I have a laptop connected to internet via wlan0. I also have eth0 interface and with it I share internet. I want to modify/filter all the traffic passing by the first laptop, something like this:
I know that in FreeBSD it is possible to use ipfw for that purpose, because it is built into the kernel. We set for example a rule:
ipfw add divert 2000 ip from any to 1.0.1.1
and we can use our own application to process those packets, reinject them forward etc. It will also work fast, because as I said, it is built into the kernel.
Is there any standard Linux-based solution to do the same? I found some info about netmap-ipfw. Is this a correct solution? Or do I have to use for example IP aliases and iptables to do that?
I need to process all the IP-packets, not only TCP/UDP/etc-protocol. Solution also must be very fast.
I would like to redirect traffic coming from a machine A through a SOCKS proxy (set up on machine B). Machine B runs "ssh -D 4242", which creates a SOCKS proxy on machine B. Machine A would like to connect to the internet, but the only way is to use machine B's SOCKS proxy. The problem is machine A doesn't know how to use a SOCKS proxy. (Actually, I can just set IP, netmask and gateway on machine A.) So, I would like to set up something on machine B that will redirect all traffic coming from machine A through the SOCKS proxy.
I am running on debian squeeze 6.0.2. I have been using it for the last, I'd say, 3 weeks and really am enjoying it.
I generally use transmission-gtk to share files over the internet. Normally I seed torrents at 110-160kb/s for hours at a time. However after messing around with firestarter my upload speed for seeding torrents rarely peaks over 70kb/s. I have purged firestarter with no success of my regular upload speed, and am very confused as to what happened. I also notice sometimes when it will get to about 70kb/s it will immediately drop down to the 20-30kb/s range.
For incoming bittorrent connections I use port 37294. I have set port 37294 to be allowed in my firewall, and forwarded in my router (since purging firestarter did not help I just reinstalled it).
I have also read allowing ports 6881-6889 is important, but I have never done that in my history of using torrents, and I have never experienced a decrease in UL speed like this.
Have I done something incorrect? I have never had this issue on other machines?
I have a strange iptables issue. I have just built a new Debian install and started adding some real basic rules (see below). The problem seems to be that the localhost itself can't get any returning traffic. That is, it seems to be allowed outgoing traffic but not the connected, returning traffic. Ordinarily allowing Established Connections would resolve this, see the rule below, but it hasn't. Why doesn't this work? Removing the last DROP in the INPUT chain obviously makes the traffic work!
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 80
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 8080
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP
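A quick way to reason about a chain like this is to replay the commands in order and walk the resulting chain with first-match semantics, the way netfilter does. The block below is an added example, not code from the post or from the iptables project: it rebuilds the INPUT chain from the commands above (the `x.x.x.x` placeholders are replaced by a constructed trusted host, 198.51.100.7) and returns the verdict and matching rule number for a given packet and conntrack state.

```python
import shlex

# The INPUT chain quoted above, one command per string, in the order typed.
# x.x.x.x from the post is replaced by a constructed trusted host.
RULES_AS_TYPED = [
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -j ACCEPT -p tcp --dport 22",
    "iptables -A INPUT -j ACCEPT -s 198.51.100.7",
    "iptables -A INPUT -j ACCEPT -s 198.51.100.7 -p tcp --dport 80",
    "iptables -A INPUT -j ACCEPT -s 198.51.100.7 -p tcp --dport 8080",
    "iptables -I INPUT 1 -i lo -j ACCEPT",
    "iptables -A INPUT -j DROP",
]


def build_chain(commands):
    """Replay -A (append) and -I (insert) commands to get the final rule order."""
    chain = []
    for cmd in commands:
        argv = shlex.split(cmd)[1:]          # drop the "iptables" word
        rule = {"target": None, "proto": None, "dport": None,
                "src": None, "iface": None, "states": None}
        mode, pos = "append", None
        i = 0
        while i < len(argv):
            a = argv[i]
            if a == "-A":
                mode, i = "append", i + 2
            elif a == "-I":
                mode = "insert"
                if i + 2 < len(argv) and argv[i + 2].isdigit():
                    pos, i = int(argv[i + 2]), i + 3   # -I INPUT <n>
                else:
                    pos, i = 1, i + 2                  # -I INPUT means rule 1
            elif a == "-j":
                rule["target"], i = argv[i + 1], i + 2
            elif a == "-p":
                rule["proto"], i = argv[i + 1], i + 2
            elif a == "--dport":
                rule["dport"], i = int(argv[i + 1]), i + 2
            elif a == "-s":
                rule["src"], i = argv[i + 1], i + 2
            elif a == "-i":
                rule["iface"], i = argv[i + 1], i + 2
            elif a == "--state":
                rule["states"], i = set(argv[i + 1].split(",")), i + 2
            elif a == "-m":
                i += 2                                 # match module name
            else:
                i += 1
        if mode == "insert":
            chain.insert(pos - 1, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, pkt):
    """Every match option present on the rule must agree with the packet."""
    return all([
        rule["proto"] is None or rule["proto"] == pkt["proto"],
        rule["dport"] is None or rule["dport"] == pkt["dport"],
        rule["src"] is None or rule["src"] == pkt["src"],
        rule["iface"] is None or rule["iface"] == pkt["iface"],
        rule["states"] is None or pkt["state"] in rule["states"],
    ])


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; the chain policy applies if none match."""
    for n, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None


def packet(src, iface, state, proto="tcp", dport=None):
    """A constructed packet as seen by the INPUT chain (state = conntrack state)."""
    return {"src": src, "iface": iface, "state": state, "proto": proto, "dport": dport}


if __name__ == "__main__":
    chain = build_chain(RULES_AS_TYPED)
    for n, r in enumerate(chain, 1):
        print(n, r)
    print(verdict(chain, packet("93.184.216.34", "eth0", "ESTABLISHED", dport=45000)))
    print(verdict(chain, packet("93.184.216.34", "eth0", "INVALID", dport=45000)))
```

Walking the chain confirms that a return packet in state ESTABLISHED is accepted at rule 2, so the rules as written do what the post expects; the model's one path to DROP for return traffic is a packet that conntrack classifies as INVALID (or not tracked at all), which is why the first thing to check on the real box is the per-rule counters from `iptables -L INPUT -v -n --line-numbers` and whether the conntrack state of the dropped packets is what you assume.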
I am in a serious situation involving the PPTP protocol VPN in Debian 8 Jessie stable. I recently became a paid VPN subscriber. Using PPTP, is there a way to automatically route all traffic through ppp0? I'm getting the VPN service killed (IP address goes back to its normal unmasked state) whenever there is a power outage (modem reset), and there are a lot of those where I live. I'm going to get a stabilizer, and I need a software solution for the situation as well. There's gotta be a way to route all traffic through the VPN route ppp0. I tried adding persist and maxfail 0 to the pptp config file but it did not do what I wanted.
On a second note, it's clear to add that I basically need a way to also auto load the lines
pppd call blabla.net
route add default dev ppp0
on system startup by default so the computer does not use the "Wired" connection at all when not through ppp0. Any other way of not losing VPN anonymity ever due to hardware malfunction?
Is there a way to do this? I've looked on the net and everything seems like it's either from the nineties or can fry my PC. I'm no Debian expert, less than a year at Linux.
I need it to use wired only if ppp0 is being used, so if there's no VPN, no connection at all, period.
I am trying something a bit tricky. Suppose there is a website URL... Now suppose when I open a file /var/www/test.php which connects to the above website to gather some info and then allows me further in the process, I want it to instead direct to a file, say /var/www/test_done.php. How do I edit my hosts file for such a scenario? Is there any other better option than using a hosts file?
I'm renting a server which comes with 5 IP addresses, but only one network device. From what I can understand I'm able to create aliases by adding entries to /etc/networks/interfaces, I haven't tried I'm in the planning stages. Hypothetically, 192.168.22.30 is my primary IP and I want to set eth0:1 to have 192.168.22.31, and then after that I want to create a virtual machine (using kvm/qemu) that is able to communicate bidirectionally to the internet over eth0:1, and leave eth0 strictly for administrating (not for VM traffic).
The qemu guides I'm finding seem to assume that I want to use TAP or VDE, what I want to use is a sub-ip/alias. One guide I saw had me eliminate everything from eth0 and put it under br0. That would leave me unable to ssh into my server (and unable to administrate). Is there a way I can do something along the lines of: qemu [options] -net [option] -netdev=eth0:1 ?
Is it possible, via iptables or something similar, to bind a service running on a specific port to a specific interface? My case: I use a VPN service for privacy. I would like to have all traffic except ftp and ssh run over tun0. Ports 21 and 22 will need to be accessible to the outside world (eth0) while the VPN is running.
How to remove a specific folder from your backup?
$ rdiff-backup --remove-older-than now /backup/backup_laptop/home/derick/Downloads
Fatal Error: Increments for directory /backup/backup_laptop/home/derick/Downloads cannot be removed separately.
Instead run on entire directory /backup/backup_laptop.
I'm developing with puppet, and I need to do an aptitude update from a specific file, here is my configuration: The file sources.list in /etc/apt/ is deleted. I've created 3 files in /etc/apt/sources.list.d each one with their repos:
00-debian_sources.list
deb http://ftp.fr.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.fr.debian.org/debian/ lenny main contrib non-free
[code]....
All the repos are updated/refreshed, and I only want to refresh/update the specific repos inside of the file 01-debian_security_updates.list. On the other hand, if I put some repos in the sources.list and delete the 3 files and I create an external file, for example /tmp/temprepo, and I do the command aptitude update -o dir::etc::sourcelist=/tmp/temprepo, it works fine. Give some workaround to update and then upgrade packages from the files specified in my config.
I'm running gnome desktop on squeeze system. When I boot my system seems to be using my internet modem as its dhcp server. The rest of the machines on my lan are correctly using my router for that purpose. As a result, what happens then is that my debian machine frequently gets a duplicate ip address assigned to it. I would like to specify to my debian computer that I want it to use the specific fixed ip address of my router for dhcp purposes.
After updating and subsequently restarting today, I can no longer bring up my wireless interface:
ifup wlan0
SIOCSIFFLAGS: Unknown error 132
Could not set interface 'wlan0' UP
SIOCSIFFLAGS: Unknown error 132
SIOCSIFFLAGS: Unknown error 132
Failed to bring up wlan0
iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.
wlan0     IEEE 802.11abg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=off
          Retry long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
Suppose I have both a hardwired and a wireless network connection active on the same system at the same time. Can I tell my browser which one to use? Can I tell other programs which one to use? Or do they choose for themselves? Or does some automatic system protocol select which one to use for them?
I've got 4 or 5 of these TRENDnet USB network adapters ( TU-ET100c ) that I use frequently when I'm configuring firewalls or IPS devices for customers. I use them in combination with VirtualBox to test. They've always worked great until my new laptop I just got, and I put 10.04 on it. Previously I was on 9.x. Sometimes they will give a link light, other times not. And when they do the interface shows that it's up, but I can't get any traffic across the interface.
How do you count the traffic on the interface, friends ?
I have a router for a medium-size LAN. HTTP traffic goes through the transparent proxy, logs are parsed with Sarg, so that's the way I look at how many megabytes my users 'do' daily.
Now I want to get rid of the proxy, just to do SNAT. But I still want to know the daily traffic of my users (even in general, not for each user).
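Once the proxy is gone, the simplest source of "how much went through today" on a Linux router is the kernel's own interface counters in /proc/net/dev: snapshot them at midnight, keep the previous snapshot, and subtract. The block below is an added example, not code from the post: it parses two constructed /proc/net/dev snapshots (same layout as the real file, made-up numbers) and produces per-interface RX/TX totals in MiB, tolerating a counter wrap; the `counter_bits` argument is an assumption about the host's kernel that should be checked.

```python
# Two constructed /proc/net/dev snapshots (the real file has this exact layout:
# two header lines, then one line per interface with 16 counters).
SNAP_MIDNIGHT = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104862     992    0    0    0     0          0         0   104862     992    0    0    0     0       0          0
  eth0: 3456789012 2345678    0    0    0     0          0         0 1234567890 1876543    0    0    0     0       0          0
  eth1:  987654321  876543    0    0    0     0          0         0  456789012  654321    0    0    0     0       0          0
"""

SNAP_NEXT_MIDNIGHT = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  204862    1992    0    0    0     0          0         0   204862    1992    0    0    0     0       0          0
  eth0: 3556789012 2445678    0    0    0     0          0         0 1254567890 1896543    0    0    0     0       0          0
  eth1: 1037654321  926543    0    0    0     0          0         0  466789012  664321    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: {"rx_bytes": n, "tx_bytes": n}} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:        # skip the two header lines
        if ":" not in line:
            continue
        iface, data = line.split(":", 1)
        f = data.split()
        counters[iface.strip()] = {"rx_bytes": int(f[0]), "tx_bytes": int(f[8])}
    return counters


def delta(before, after, iface, counter_bits=64):
    """(rx, tx) bytes moved on iface between two snapshots, tolerating a wrap.

    Current kernels expose 64-bit counters; pass counter_bits=32 for a driver
    or kernel that wraps at 2**32 (assumption about the host, verify it).
    """
    out = []
    for key in ("rx_bytes", "tx_bytes"):
        b, a = before[iface][key], after[iface][key]
        if a < b:                             # counter wrapped or interface reset
            a += 1 << counter_bits
        out.append(a - b)
    return tuple(out)


def mib(nbytes):
    return round(nbytes / (1 << 20), 1)


def daily_report(before_text, after_text, wan="eth0"):
    """Per-interface RX/TX MiB for the period, plus the WAN total the users 'did'."""
    before, after = parse_proc_net_dev(before_text), parse_proc_net_dev(after_text)
    report = {}
    for iface in after:
        if iface == "lo" or iface not in before:
            continue
        rx, tx = delta(before, after, iface)
        report[iface] = {"rx_mib": mib(rx), "tx_mib": mib(tx)}
    report["wan_total_mib"] = report[wan]["rx_mib"] + report[wan]["tx_mib"]
    return report


if __name__ == "__main__":
    for k, v in daily_report(SNAP_MIDNIGHT, SNAP_NEXT_MIDNIGHT).items():
        print(k, v)
```

A cron job that copies /proc/net/dev to a dated file each midnight is enough input for this; the interface counters only give totals per NIC, so if per-user figures are wanted later, the usual approach is per-source accounting rules in iptables (their byte counters are visible with `iptables -L -v -n -x`), or a packaged collector such as vnstat for the totals.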
I'm having trouble making my cifs shares user mountable from bash:
mount.cifs: permission denied: no match for /home/jcress/gatton/webspace found in /etc/fstab
I have some beginner questions about DHCP, Avahi, and configuring a small home LAN. Suppose I have a dynamic IP address assigned by my ISP, which requires DHCP be enabled in my dsl modem/router/"firewall" [sic]. Suppose for simplicity I have just one PC behind the dsl modem. I think "enabling DHCP" in the modem/router means that a DHCP client runs on the router, which communicates with a DHCP server run by my ISP when I boot up a PC on my LAN. Is that guess correct? Can I get DHCP to assign a particular local IP, say 192.168.1.10 (which is not the one taken by the router--- for this discussion, let's say that is 192.168.1.0) to my PC each time I boot it up?
Now suppose I want to build a stand-alone firewall, so that my LAN will have the firewall and the first PC behind the modem, with the first PC virtually behind the firewall. By default, I think these will both have DHCP clients running which I need to configure properly. The firewall should also have a DHCP server which should control how local IP addresses are assigned, correct? I should try to arrange that the LAN has only one DHCP server, only one NTP timeserver, only one DNS nameserver, correct? My first PC seems to have installed an autorun client called Avahi, which performs DNS multicast services and incorporates something called zeroconf which seems to have something to do with remote desktops, which I don't need and which is a potential security hazard. But it seems that Avahi is an intrinsic part of the KDE desktop and cannot be removed. Just want to be sure that Avahi can coexist comfortably with dhcp3-client, which is also installed on that PC. They perform different tasks, correct? If I can get the stand-alone firewall to work, I know I need to turn off the commercial firewall in the dsl modem/router/firewall device. Should I purchase a bridge and try to turn off the routing function also?
I need to install any version of Debian with the Debian Kernel version 2.6.22-3-686. I don't mind what version of Debian it is, I just need it to have this specific kernel! Debian Etch comes with 2.6.18-4-686 and Lenny comes with 2.6.26-2-686 so the kernel I need is obviously somewhere in between.
I have tried using the following commands to see if kernel 2.6.22-3-686 is available for download via the apt-get method in both Debian Etch and Lenny but it is not...
So does anyone know where/how I can download specific kernels and install them for use? I have a computer sitting next to me that has multiple kernels as an option on boot, and they all boot into the same system; however, I do not know the person who set up the computer so cannot ask them how they did it.
I got to establish an OpenVPN connection between two servers and I have dhcpd on the client server which feeds a few SIP phones. All these phones are supposed to register to the server through the tunnel. Here is the network structure:
Client CentOS:
eth0: 192.168.0.0/24
eth1: 192.168.100.0/24
tun0: 172.15.0.0/24
DHCPD: feeding the above eth1 and all the phones with 192.168.100.0/24
If I ping 172.15.0.1 from the Client CentOS it works all fine. Everything pings and I can even do SSH. However, the phones which obtain their IP through eth1 on the same server cannot reach 172.15.0.1. I think it's a route issue here. Can you please guide me in the right direction as to how to forward certain traffic through tun0 and leave the rest of the traffic to go through eth0?
I don't want to turn on IPTABLES as this is time consuming for me now and there is VPN setup. It has to do with setting up the routing but I am not sure.