I'm currently reading through the Linux Advanced Routing and Traffic Control HOWTO from lartc.org, and I'm wondering whether anyone knows of a file where I could keep qos rules persistent across a reboot, similar to /etc/sysconfig/iptables for netfilter. Should I just write my own script, or does something already exist?
By the way, iproute-2.6.29-4.fc12.i686.
I am sharing my DSL internet connection using a modem+wireless router (single device) to 5 systems. I want all my internet traffic to go through one of the linux boxes in my network.
The problem here is that wireless devices connect directly to the modem+wireless router.
Is such routing of traffic possible??
PS: I am not sure if i could convey my situation clearly...
I need to be able to do the following: Physical Router located at 192.168.40.1
On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1 Do the same (virtual address) for eth2 -- e.g. 192.168.60.1 In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
I have an Untangle Box - which for those that don't know is a modified Debian Lenny used as a router, proxy, filter and much more - It has three physical interfaces on it eht0 (incoming traffic), eth1 (Outgoing to LAN after traffic filtered), and eth2 (Called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface setup by Untangle for VPN (Not using the Openvpn in Untangle because I need bridged a bridged VPN and this is not an option in Untangles offering), a br0.eth setup by untangle to bridge eth0 and eth1 for traffic flow through as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have setup by bridge script bridging eth2 and tap0 to run OpenVPN as a bridged VPN.
The routes on the machine are as follow:
Code:
untangle:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 br.eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.0.2.0 * 255.255.255.0 U 0 0 0 dummy0
192.0.2.0 * 255.255.255.0 U 0 0 0 utun
untangle:~#
I don't see a default route listed here, however, I do have Internet connectivity on the Untangle box itself. I also know that by script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me, I do have the gateway set through the web based admin interface Untangle offers.
The iptables rules are as follow:
Code:
untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall .....
There was an addition output rule in the alpaca-nat-firewall rule that said DROP outgoing interface eth2, I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything either in that subnet or not. If I run iftop I can see the incoming traffic form my ping but the Server sends out no reply. I think this is a firewall issue. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface which is in my main LAN. I am also attaching a crude diagram of the previous setup and the new setup (Previous setup used a different server for my bridged VPN).
Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work, but I may have been bungling these rules as I do not fully understand the syntax and function and body of an iptables rule. The exact original iptables information before I modified anything can be viewed at [URL].
I have problem with port based routing for local traffic. I can't use trick with iptables -t mangle, ip route table 1, ip rule fwmark table 1 because it works only with forwarded packets. I can't even use patch-o-matic because it's obsolete. And xtables-addons doesn't contain support for "-j ROUTE" yet.
View 2 Replies View RelatedI have set up a Virtual machine on a dedicated server from 1and1. I hoped to use a bridge to give the vm direct access to the internet but 1and1 do mac filtering and so the only option is to use NAT.
I used Virtual Machine Manager on my Ubuntu 10.04 machine at home to install Debain Lenny on the vm on the server using KVM and all went well. I put it on a virtual network 192.168.100.0 and i can access it from the host and i can access the internet from the guest using NAT that libvirt set-up.
I bought another ip address from 1and1 with the hope of forwarding packets to the new ip address 11.22.33.02 to the guest vm.
I have tried all sorts of routing rules using iptables without any success.
my virtual network is on virbr1 the guest ip is 192.168.100.50 my external network device is ip say 11.22.33.01 on eth0 with the secondary ip say 11.22.33.02 on eth0:1
Here are the latest rules i tried:
Quote:
iptables -t nat -A PREROUTING -d 11.22.33.02 -i eth0 -j DNAT --to-destination 192.168.100.50
iptables -t nat -A POSTROUTING -s 192.168.100.50 -o eth0 -j SNAT --to-source 11.22.33.02
iptables -A FORWARD -p tcp -i eth0 -o virbr1 -d 192.168.100.50 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[Code].....
I just got vpnc setup to work with my VPN at work and now I am trying to figure out how to limit the traffic that is routed through the VPN while I'm connected to it. I only want traffic going to the local domain to be routed through the VPN.This is what my vpnc config file looks like:
Code:
IPSec gateway publicdomain.example.com
IPSec ID XXXX
[code]....
How are packets treated that do not match any of the filters?
View 4 Replies View RelatedI have a desktop, a laptop, & a wireless router. The router, unfortunately, doesn't support dd-wrt, tomato, etc firmware, but I would still like to prioritize voip/web browsing over bulk Internet traffic. I hope I can offload the router's missing QoS to my desktop.
Is it possible to have the laptop's connection go from the wall to the router to the desktop, where the desktop could perform the QoS of tomato, then continue on to the laptop? I'm a bit of a noob to networking (subnets?) but do well enough following good instructions.
As for the program that would do the QoS... Don't some Linux machines basically work as super-powered routers for businesses? So there must be some package but couldn't find one. The closest I got was wondershaper but it only shapes traffic for the computer on which it's installed; it might form part of the solution but falls short on its own. other devices should be able to access the Internet normally if the desktop is turned off, & work with other devices like a (jailbroken) iPod Touch.
I need to be able to do the following: Physical Router located at 192.168.40.1 On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1 Do the same (virtual address) for eth2 -- e.g. 192.168.60.1 In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
I have a firewall, this consists of three NIC's:
Code: eth0[192.168.0.2] eth1[192.168.1.2] and eth2[10.10.165.2]
I am trying to ping eth0 from eth2, but I am not able to succesfully get a response from pinging the device, I am using:
Code: ping 192.168.0.2 -I eth2
I have tried to insert routing data into the routing table, but it still doesn't work
tcng for linux traffic control. I have done all the steps necessary including compiling a QoS ready kernel and still receiving the same error while trying to ./configure
[Code]...
I definitely have bison installed, and I've also tried other packages involving YACC root@mikeypc:/usr/src/tcng# which yacc /usr/bin/yacc which then leads to bison
The network in my company use Squid Proxy serveto browse internet.Browser is IE or Firefox, and OS is Windows XP.The company need to use a new software for work, but the software don't have function that can configure Proxy server to connect to Server outside.I don't want to NAT port on router because I cannot control the traffic.Is there any software same as Proxy Client ... installed on Windows XP?My idea is that the software same as ISA server - ISA client
View 1 Replies View RelatedI need to set up my centOS computer as a firewall in my home network. Ive got 2 interfaces, eth0 and eth1. I want to allow and forward all traffic on eth0 and block all traffic on eth1 except ssh, ping(icmp) and DNS. How do I do this? Ive tried some editing in /etc/sysconfig/iptables but no luck.
View 1 Replies View RelatedI want to use tab networking in my kvm with routing.Can any one guide me how i can do it. i have been reading different guides over the net but not understand any one clearly.I have read this[URL].. One problem is this all my server are remote and no gui is running.I am able to install kvm with ssh console with -nographic and -x "console=ttyS0" option now i want to change from bridging to tap networking with routing.And i have live ip on kvm guest/Virtual machine.
View 1 Replies View RelatedIN LAN default GW box I have a routing rule of 172.17.1.0 192.168.180.100 255.255.255.0 UG 0 0 0 eth3 that sends packets matching 172.17.1.0/24 to eth3 etc. When I ping 172.17.1.50 - it goes correctly when ping is issued in the same box (LAN GW) - falls through to default rule when the ping is done in LAN's boxes i.e. it goes to the LAN GW box and then to Internet incorrectly instead of going to eth3 and 192.168.180.100.
Is there any way of seeing why the packet matches or not the routing rules?
I have a Pc that has 2 Ethernet and I have also 2 switch. I want the PC to become the router and be connected to 2 switch.How can I setup this one on FEDORA and I want to assigned for eth0 192.168.26.51 and eth1 192.168.22.51 for the IP.
View 1 Replies View RelatedTwo days ago we started to receive the following message:
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
And about at the same time (a day before that) we have set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out). I have ran the chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items. Could there be a connection between setting up the new qdisc's and the chkrootkit "INFECTED" messages?
I have just installed Fedora 10 on an old laptop and was quite impressed with how smoothly it all went ... until it came to setting up networking!
I have battled for three days now and I'm almost there;
- installed updated firmware to the built in Broadcom 4306 wireless network adapter
- got NetworkManager to work with a static ip address by manually editing the ifcfg-wlan0 file
- managed to get the WPA security to work
The only problem I am left with is that there is no default route; if I set one up using: ip r a default via 10.1.1.1 dev wlan0
Then everything starts working.
If I try to add routes using the NetworkManager gui interface they dont get saved (no suprises there then! ).
I have tried creating a route-wlan0 file in /etc/sysconfig/network-scripts/ but this seems to be ignored by NetworkManager.
Since the NetworkManager GUI is almost useless, does anyone know if there are any other configuration files I can manually modify to get a default route set?
On a Fedora 11 machine, I configured ppp0 on eth0 and ppp1 on eth1, each one is connected to a modem, I also defined ppp0 as the default gateway.. Should I do anything else to load balance the 2 connections or will ppp1 take some of the load by default? Should I add any other routing rules? If yes then please tell me what should I add, keeping in mind that for each pppoe connection both the pppoe address and the remote address are not static so I actually needed some scripting to change the default gateway each time the remote pppoe address changes.
View 4 Replies View RelatedI want to implement routing using fedora 14. The following is how I arrange my computers -
[PC1]<=======>[ROUTER]<=======>[PC2]
And the following are the configuration -
PC1 : (Tiny Core Linux)
eth0 192.168.2.2/24 (netmask 255.255.255.0)
ROUTER (FC14)
eth0 192.168.2.1/24 (netmask 255.255.255.0)
eth1 192.168.4.1/24 (netmask 255.255.255.0)
PC2 (Tiny Core Linux)
eth0 192.168.4.2/24 (netmask 255.255.255.0)
On the ROUTER I have set the ip_forward=1 and eth0.proxy_arp=1 and eth1.proxy_arp=1
then I run the following command :
route add -net 192.168.2.0/24 gw 192.168.2.1 dev eth0
route add -net 192.168.4.0/24 gw 192.168.4.1 dev eth1
On PC1 I executed the following :
route add -net 192.168.4.0/24 gw 192.168.2.1 dev eth0
and for PC2 I run the following
route add -net 192.168.2.0/24 gw 192.168.4.1 dev eth0
After doing those things, I can't ping between PC1 and PC2... but both can ping the router...
I wanted to tell my server to block all traffic but US only traffic. So i followed this guide:[URL].. Now I know, it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called. I just have to stop them). My server only deals with US clients anyways so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done compiled everything moved to the proper directory. I then started to setup my iptables. Like so
Code: iptables -F INPUT
iptables -F OUTPUT
iptables -I INPUT 1 -s *.*.*.* -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -s *.*.*.* -p tcp -j ACCEPT
[Code]...
After seeing that i went digging in the code and figured it was something todo with memory allocation.
I have a problem with the activation of routing under fedora. The problem lies exactly in the file ip_forward who I didn't not change the value to 1. When I use the command echo 1> / proc/sys/net/ipv4/ip_forward. They appears not granted permission. Knowing that I use the root account.
View 1 Replies View Relatedi have a Server, which has 2 nics installed. Each of those is connected to a router, which is connected to internet. On the server, i have apache, maillserver and im-server running. On the other hand, also squid, dansguardian and clam are running. so now: via eth0 i would like to have just the traffic, which is requested from outside (the big bad internet..) to my server (apache, mail, etc). via eth1 i would like to have all OUTGOING (also to the big bad internet) from the server, which is requested by a internal client. And of course all requests to my own server
both nics shall route their traffic to their own router. For better comprehension please consult the enclosed graph. Until now, i did not find a good solution, the default route is set to the traffic from eth0, if not, no external request will find back to a client do you have a idea how to handle this the easiest way?
I don't know what I'm trying to achieve falls into 'routing' or 'Bridging'???I have two network ports (with static IP ) and I would like to forward RX packets of one to the other.
I have done this in Windows by enabling a service called 'routing'.Is there something similar in Fedora 11? I am pretty sure there are a few thread explaining these but I am just not educated enough to find one that makes sense to me, so Please excuse me for starting a redundant thread and point me to it?
I am having trouble for routing port 80 from a Billion adsl modem to a guest server in VirtualBox. There are quite few different changes from my last setup so I kind of confuse which one is wrong.
I used to use have the setup belowusing modem Linksys WAG354G use static ip 192.168.1.100 for my machine use static ip 192.168.1.102 for my guest VirtualBox server guest OS is serving http listening on port 80 i use bridge from my host OS for VirtualBox set my modem to direct all traffic on port 80 to 192.168.1.102 host OS was Fedora 11
now I useusing modem Billion 7404VNPX use same static address and configuration host OS is Fedora 13
main issue is I cannot reach the guest OS if I navigate to my modem ip address. (e.g. http://192.168.1.1) if I change the modem to direct all traffic to my host OS ip address (192.168.1.100) it works nicely.
I have tried to disable and enable the firewall without any luck.
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code:
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT
iptables -I FORWARD -d 172.16.10.101 -j ACCEPT
The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
I have an internet connection which requires pppoe setup to login with the specified username and password ip address is dynamic.Above are the screenshots for your reference for which I establish the internet connection.the pppoe settings can be done through "sudo pppoeconf" but for the screenshot No. 2.what is the procedure? I need to specify the service name for my internet connection.how to configure my internet connection.
View 8 Replies View RelatedI've recently upgraded to Fedora 15 after a failed Fedora 11-12 upgrade (luckily all my data is on a seperate drive!) and have been re-installing all the applications i had before. One strange problem i've come across is with XMMS. When it gets to the end of a song it wont move onto the next one. I've tried checking and unchecking the 'No Playlist Advance' option and it has made no difference. I tried changing the output from ALSA to OSS but that didn't even play the tracks so i switched back.
View 3 Replies View RelatedI am a new fedora user. I want to download videos from web which wee can see. In windows xp we can download it by using IDM and its advance browser integration. I have setup WINE in my PC. But I am not able to work with it. How to work with it.
View 2 Replies View Related