Fedora Networking :: IP Masquerading For All Outgoing Traffic In Eth0
Nov 13, 2010
I have a couple of interfaces in a Fedora 14 box:
eth0: internet provided by an adsl router
eth1: LAN
I set up system-config-firewall to masquerade all outgoing traffic in eth0, as I did in other Fedora 13 boxes, but it seems it doesn't work. It sets to 1 /proc/sys/net/ipv4/ip_forward and also set the appropriate rules in iptables. But all traffic is blocked from the LAN to the Internet. "ping www.google.com" works in the Fedora box, but doesn't work in the LAN computers using the F14 IP as gateway. I have another F13 computer elsewhere configured this way and it works fine. But this one has Fedora 14.
eth0 192.168.2.100 (internal Web, Mail) eth1 192.168.3.100 (Default Gateway nic for clients) eth2 192.168.3.110 (should be default Gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)
They are all on the same machine
i cannot set eth1 or eth2 as default gateway, as outside requests to eth0 would be handled in a false manner (somehow)
is there an easy iptables-rule to say, that outgoing traffic, not belonging to my networks can be redirected to a specific NIC (eth2)?
I need to set up my centOS computer as a firewall in my home network. Ive got 2 interfaces, eth0 and eth1. I want to allow and forward all traffic on eth0 and block all traffic on eth1 except ssh, ping(icmp) and DNS. How do I do this? Ive tried some editing in /etc/sysconfig/iptables but no luck.
I have a Linux IPTables firewall on Centos 5.3.It has one physical interface to the internet and 2 internal interfaces to a DMZ and TRUSTED zone respectively.There are 10 virtual interfaces linked to the physical public interface.Emails are being sent from my server in the DMZ out to the internet, but it is being shown as coming from the firewall IP address.It must show as coming from one of the virtual interfaces.
I've noticed recently that a lot of outgoing internet traffic is generated by my laptop (running Ubuntu 10.04 - 64 bit). This wasn't the case previously. I only found out because my wireless broadband traffic allowance suddenly was used up very quickly. I've installed ntop to try to find out where all this traffic is going to.
I did find that there were a very high number (at one stage over 11.000) of active TCP/UDP sessions (see attached screenshot). Although the traffic generated by each is only small (about 100 bits/bytes - not sure what) multiplied by thousands, makes a fair bit of traffic. I wonder if I've got some kind of a virus/bug or do I have a configuration problem with my laptop?
I have a need to make a rather odd filter in tcpdump- I would like to capture only all those packages on interface eth0, that are outgoing(in other words from IP 192.168.1.1, which is IP for eth0 in this computer) and doesn't have src MAC address 11:22:33:44:55:66. However, fallowing command says, that syntax is wrong:
Code: tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66 Is this possible? If yes, then what is the correct command?
OS : CentOS 5.3 64bit How to trace incoming and outgoing network traffic for a give user? User 'A' logs in to the system and does various network connectivity As root user need to find what are the outgoing and incoming connection that are related with user 'A'. basically need to check the connection flow. netstat will show ESTABLISHED, LISTEN etc.. need something like tcpdump
Eg:- --user option for tcpdump tcpdump -vv -nn -i eth0 host 10.200.2.1 and tcp dst port 8080 --user A Can someone tell me any tool which can do such thing? Even if it can show the process ID of the client application which is trying to establish network connectivity will do.
My Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
I'm running Linux Mint 10 . I have a wireless PCMCIA card (Linksys WPC 11 ver.3) that I've put into master mode, and I'm trying to set up my laptop as a wireless hotspot. I am very confident that I want to do this and have no interest in using a wireless router....I say that because that topic inevitably comes up with posts like this. The problem I'm having is I don't understand how to get wlan0 and eth0 to "talk" to each other...That is, I don't know how to set it up so that traffic from wlan0 goes through eth0, so that devices that connect to my hotspot can access the internet.I've seen a few guides about this, but they were either much broader in scope (i.e. much more complex), or for other distributions, etc, and it's too much for me to follow as a linux .
I'm having a problem and despite I have googled a lot cant find the root cause. I have a server with two embedded NICs and centos 5.5 loaded. I need to have one NIC with a fix internal IP address to communicate with the intranet and a second NIC with a fix address from my telephone provider. I know I cant have two different gateways on the net so I configured only the gateway for the second NIC leaving the field empty for the first.
I found that the first NIC is handling all the traffic for both interfaces (eth0 and eth1) and the second NIC is in standby (or doing nothing). This is causing the traffic intended for the second NIC never reach their destination. After a couple days working with the BIOS and other configuration files I tried another way of solve the issue. I put a fix address for the first NIC and another fix address for the second NIC (both in the same subnet) and from a computer pinged successfully both addresses. However if I disconnect the cable for the first NIC both interfaces goes down (eth0 and eth1) and both pings fails. If I disconnect the cable for the second NIC (with the first one connected) both pings still running without any disturbance.
I worked also in a second server with different hardware (different kind of motherboard, different NIC manufacturer, etc.) but the problem is also present in this second server. I was reading about NIC bonding or teaming, but this configuration is not present in the modprobe.conf or in the ifcfg-eth0 files, so I believe the problem is not related with this feature. Do you know what is happening with the NICs and how can I get two really, fully independent NICs?
There is a big problem with opensuse 11.4 and virtual interfaces.Until 11.2 outgoing traffic by default was sent by the eth0 address nevertheless which virtual interfaces did exist if any was used.Now there seems to be sent by the last interface listed with ifconfig.The outgoing address in this case will be 10.0.0.3.This is very problematic with smtp control etc.
I have recently installed Fedora 12 and want to share my internet connection with other pc's at my home including windows pc. My linux machine is connected to internet via DSL connection.
I'm looking to use Linux (Ubuntu 9.10) as a network bridge between two subnets. I can configure iptables to permit all traffic on eth0 (subnet 1) to pass to eth1 (subnet 2) but before transmitting that traffic I want to perform further analysis. Is it possible within iptables or via a third-party product such a pyroman, to write a "hook" that then directs that traffic to another application installed on the same host?
As too my question, at this time I dont control the router/firewall an I would like to block a port thats used for guild wars on my workstation for a while. The reason for blocking is children have abused it an lost it.In this case I am trying to block outgoing traffic on port 6112. I have tried setting up a proxy server on the workstation, but the game seems to ignore it an jump on. Due to the environment, I enabled the workstation SuSEFirewall2 firewall an tried setting up "lo" as a internal an configure the firewall as a router, then disable 0/0 an configured for 0/0,tcp,443 an re route port 80 traffic to proxy.
When I had my own internet, I had a transparent proxy enforcing rules for access times. So setting up a proxy on each machine would not be a bad thing, even if it took some creative thinking. I am trying, but seem to be missing something.Ideally, I would like to setup a transparent proxy, as my kids have learned alot about system administration an know to check the proxy module. If all they have to do is un check "Use Proxy" an by pass a local proxy server, then I am kinda defeated. An applications such as firefox have a proxy setting they could set to none instead of system
I pay for wifi usage. The access points are using mac address filtering. I know this because I can spoof the mac of another computer of mine and get it online. I'd like to get both the computer's online. I've been trying to do ip masquerading. It hasn't been working so far. I am not sure if the computer connected to mine through a cross over cable is revealing its mac address to the access points when communicating. If so, how does one get around this? ping shows connectivity between the two computers.
In my Fedora13 machine, while in mobile broadband, i can ping and skype outside, but cannot browse/yum etc. Few output that may be of relevence are here:
$ netstat -s IP: 149468 total packets received 6 with invalid headers 16174 with invalid addresses 0 forwarded 0 incoming packets discarded 118821 incoming packets delivered 101331 requests sent out 124 outgoing packets dropped 866 dropped because of missing route .....
I am fairly new to Ubuntu/Linux and I have somehow managed to get a server up and running. For the past few months I have been trying to get masquerading working.
I have 2 network cards eth0=Internal Lan IP address 192.168.0.254 eth1=router External IP address 10.0.0.1
I want all my internal lan traffic to go through my linux box & only have port 80 & 3128 go through squid. So for all pop3/smtp action I want the linux machine to act like a router & for port 80 & 3128 I want it to go through squid.
I wanted to tell my server to block all traffic but US only traffic. So i followed this guide:[URL].. Now I know, it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called. I just have to stop them). My server only deals with US clients anyways so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done compiled everything moved to the proper directory. I then started to setup my iptables. Like so
I am setting up a computing cluster in my lab, as below. all the "eth0" IP addresses are static (for cluster communication) and the "eth1" of the front node is the only one connected to the internet through lab's DHCP server (which is connected to a centralized computer center in the university). The thing I wish to do is to do some sort of IP masquerading to enable all the nodes to have internet access. I actually google around and read some books. The similar things I came across is setting rules in iptables but I did not manage to get any of them working. I am using Ubuntu Lucid 64-bit on all machine.
5.10 Breezy configured as machine controller. Works great eth0 is a fixed IP to communicate with controller comms board. Not easy at all to alter - the comms board is hard coded to listen on eth0 for commands.
I can use eth1 as the default gateway and ping google.com, etc. But when I now attempt to communicate with the controller with netcat, e.g.
Code: echo !HH | nc 192.168.1.6 80
I obviously never get an answer since the request is passed via eth1. Using the -g option with netcat doesn't work either. I had a look at iptables but it doesn't seem to be able to do what I want. How I can still use eth0 as my communication port to the controller whilst eth1 is the default gateway?
I have two servers on a vlan at my datacentre/colocation and previously both servers had public IPs on their eth0 interfaces. The servers are HP ProLiant DL360s - one is a G4 and one is a G5 The newer G5 is now the LAMP server and the G4 has been retired and I want to repurpose it as an iSCSI target using openfiler freenas or similar.
My G5 has public/static IPs lashed to the eth0 physical interface and the eth1 is not configured to do anything yet. The G4 will have both interfaces available - perhaps one for ssh access from one of my static public IPs and the other to be a private IP on the local vlan. Here is what I am trying to get my head around...
The G5 eth0 - Public IP - full LAMP services on two or three virtual interfaces eth1 - Private IP 192.168.0.1 The G4 eth0 - Public IP for ssh eth1 - Private IP 192.168.0.2
Because my traffic between eth1 on these boxes is via private IPs on the local private vlan it doesn't add to my quota for bandwidth. How do I go about configuring the routing and gateways and other aspects of this so that I can run a private IP space network between the eth1s and still serve the outside world from the eth0s...
I am afraid that if I assign the private IPs to the eth1 interfaces the routing may either not work or interfere with the access to the production internet facing interfaces (eth0s).
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code: iptables -I INPUT -p gre -j ACCEPT iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT iptables -I FORWARD -d 172.16.10.101 -j ACCEPT The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
I'm running a dual boot Ubuntu 10.04/Backtrack 4 (Ubuntu 8.10) system. I can get internet in the BT4 side but not in the Lucid side. In Lucid I can ping my router, and the network manager says I'm good to go, but I can't get to any web sites. It all started when I tried to put my laptop on another network by mimicking the settings of a computer I had just unplugged from the network. MAC address and all.
ifconfig eth0:
Code:
eth0 Link encap:Ethernet HWaddr 00:1f:16:ba:4c:8c inet addr:10.136.9.147 Bcast:10.136.9.159 Mask:255.255.255.240 inet6 addr: fe80::21f:16ff:feba:4c8c/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
I've tried both the firewall interface that comes with Fedora and Firestarter, neither can configure as I want. So I think I'm going to have to do it by hand. In this laptop I have one 10/100 Nic and one wifi connection, at times either of them can be connected to the network. How can I configure IPtables so that any traffic is allowed out, nothing is allowed in (other than std stateful firewall replies), no icmp and that the fw logs any attempts to connect to the laptop?
I am running Fedora 9 and KDE 4.2.1. I want to set up some traffic shaping on my machine to prevent my torrent client from hogging my entire bandwidth. I.e., I want KTorrent to download and upload to the best of its ability, but still be able to browse the net freely in spite of the torrents. I have done some reading about traffic shaping in Linux. There is lots of material about it, but most of it (such as the lartc.org "howto") is very complex and comprehensive and looks extremely intimidating. Furthermore, most of it addresses situations where you want to distribute traffic between multiple computers in a network. I just want to manage processes on a single machine. I am hoping for a piece of software that lets me assign each a "priority" to each application, or something like that. Like cFosSpeed for Windows.
I have a 2 machine LAN with both machines having an ethernet card and a wireless card. There is a Netgear router, both eth and WiFi, allowing both machines to access the internet.
On my Linux machine I am looking for some software that allows me to keep track of my broadband usage on that machine, excluding traffic between the two machines.
There are numerous such programmes for this in XP, which use Winpcap and a GUI frontend. The "other" machine on my LAN is XP and uses just such a program.
I'm currently reading through the Linux Advanced Routing and Traffic Control HOWTO from lartc.org, and I'm wondering whether anyone knows of a file where I could keep qos rules persistent across a reboot, similar to /etc/sysconfig/iptables for netfilter. Should I just write my own script, or does something already exist? By the way, iproute-2.6.29-4.fc12.i686.
Most discussion of lightweight desktops seems to focus on cpu and/or gpu load. I want to ask a different question (though it may have the same solution): how to set up a secure remote desktop server for students to minimise network load. My current setup (gnome plus vncserver, tunneled over ssh) is certainly a bad choice, but I'm having trouble finding the right information about what to choose. My current best guesses:LXDE (not too unfamilar to students used to gnome)NX (generally said to give better compression) Is this a reasonable compromise? Is there a better solution? host server settings to reduce network load client settings the students could use to minimise network load security implications of distributing the nx ssh session key widely
