I have problem with port based routing for local traffic. I can't use trick with iptables -t mangle, ip route table 1, ip rule fwmark table 1 because it works only with forwarded packets. I can't even use patch-o-matic because it's obsolete. And xtables-addons doesn't contain support for "-j ROUTE" yet.
View 2 Replies
I have 3 gateways in my office. I want to redirect all web traffic (port 80 and 443) through one gateway and ssh connections through other one. All machines have single network interface. For this what I did is created an ip alias et0:1 and assigned ip to it. Then wrote an ip route rule to route packets from eth0:1's ip to other gateway. All other traffic will go through default gateway. But here I am not sure how I can make web browser to use eth0:1's ip. It's using eth0 's ip. I wrote a ip table rule to change source ip of http packets to et0:1's ip. But rule is on POSTROUTING chain. So I think it's happening after routing.
View 4 Replies View RelatedI am sharing my DSL internet connection using a modem+wireless router (single device) to 5 systems. I want all my internet traffic to go through one of the linux boxes in my network.
The problem here is that wireless devices connect directly to the modem+wireless router.
Is such routing of traffic possible??
PS: I am not sure if i could convey my situation clearly...
I need to be able to do the following: Physical Router located at 192.168.40.1
On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1 Do the same (virtual address) for eth2 -- e.g. 192.168.60.1 In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
I'm currently reading through the Linux Advanced Routing and Traffic Control HOWTO from lartc.org, and I'm wondering whether anyone knows of a file where I could keep qos rules persistent across a reboot, similar to /etc/sysconfig/iptables for netfilter. Should I just write my own script, or does something already exist?
By the way, iproute-2.6.29-4.fc12.i686.
I have an Untangle Box - which for those that don't know is a modified Debian Lenny used as a router, proxy, filter and much more - It has three physical interfaces on it eht0 (incoming traffic), eth1 (Outgoing to LAN after traffic filtered), and eth2 (Called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface setup by Untangle for VPN (Not using the Openvpn in Untangle because I need bridged a bridged VPN and this is not an option in Untangles offering), a br0.eth setup by untangle to bridge eth0 and eth1 for traffic flow through as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have setup by bridge script bridging eth2 and tap0 to run OpenVPN as a bridged VPN.
The routes on the machine are as follow:
Code:
untangle:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 br.eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.0.2.0 * 255.255.255.0 U 0 0 0 dummy0
192.0.2.0 * 255.255.255.0 U 0 0 0 utun
untangle:~#
I don't see a default route listed here, however, I do have Internet connectivity on the Untangle box itself. I also know that by script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me, I do have the gateway set through the web based admin interface Untangle offers.
The iptables rules are as follow:
Code:
untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall .....
There was an addition output rule in the alpaca-nat-firewall rule that said DROP outgoing interface eth2, I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything either in that subnet or not. If I run iftop I can see the incoming traffic form my ping but the Server sends out no reply. I think this is a firewall issue. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface which is in my main LAN. I am also attaching a crude diagram of the previous setup and the new setup (Previous setup used a different server for my bridged VPN).
Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work, but I may have been bungling these rules as I do not fully understand the syntax and function and body of an iptables rule. The exact original iptables information before I modified anything can be viewed at [URL].
I have set up a Virtual machine on a dedicated server from 1and1. I hoped to use a bridge to give the vm direct access to the internet but 1and1 do mac filtering and so the only option is to use NAT.
I used Virtual Machine Manager on my Ubuntu 10.04 machine at home to install Debain Lenny on the vm on the server using KVM and all went well. I put it on a virtual network 192.168.100.0 and i can access it from the host and i can access the internet from the guest using NAT that libvirt set-up.
I bought another ip address from 1and1 with the hope of forwarding packets to the new ip address 11.22.33.02 to the guest vm.
I have tried all sorts of routing rules using iptables without any success.
my virtual network is on virbr1 the guest ip is 192.168.100.50 my external network device is ip say 11.22.33.01 on eth0 with the secondary ip say 11.22.33.02 on eth0:1
Here are the latest rules i tried:
Quote:
iptables -t nat -A PREROUTING -d 11.22.33.02 -i eth0 -j DNAT --to-destination 192.168.100.50
iptables -t nat -A POSTROUTING -s 192.168.100.50 -o eth0 -j SNAT --to-source 11.22.33.02
iptables -A FORWARD -p tcp -i eth0 -o virbr1 -d 192.168.100.50 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[Code].....
I just got vpnc setup to work with my VPN at work and now I am trying to figure out how to limit the traffic that is routed through the VPN while I'm connected to it. I only want traffic going to the local domain to be routed through the VPN.This is what my vpnc config file looks like:
Code:
IPSec gateway publicdomain.example.com
IPSec ID XXXX
[code]....
Seems like this should be a simple question, but I've looked around and have not found an obvious location to keep custom policy based routing rules in Ubuntu./etc/network/if-up.d comes to mind, but I was wondering is that was a "standard" spot. Also it doesn't seem like these rules really need to run each time an interface is up'ed or down'ed.
View 4 Replies View RelatedI've setup an XP VM using Red Hat's KVM. The physical Red Hat box has two NICs, a fiber one in use and active and a CAT-5 one that is disabled and with no wire connected. The physical box has br0 active and bridging on the subnet of 192.168.10.0/24. ip route show also displays for virbr0 192.168.0.0/16 My physical box (192.168.10.228)can ping the virbr0 IP of 192.168.122.1, but not the XP VM of 192.168.122.228
I have played around with Window's route command to try and setup some method for the Windows VM to ping the 192.168.10.0 network, but have not had any luck. I've also messed around with the Red Hat netmask and such to work it from the Linux side. But then, as would be expected, I can't talk to other Linux boxes on the physical network.
Does anyone have any ideas how to get the Windows box to communicate with the Red Hat box and the other Linux systems beyond while keeping the two distinct networks of 192.168.10.0 and 192.168.122.0 leaving them both as Class C (255.255.255.0)? I mentioned the unused CAT-5 NIC thinking perhaps it could operate as an internal router even with no cable attached. That was just a random thought and I have not even explored that.
I have a multihomed server, connected on two different ISPs. All default trafic goes to ISP1 via wan1. There is special local processes in my system, what must go through ISP2 via wan2. This processes are make connections to TCP:80.
What did I do:
[root@localhost ~]# ifconfig wan1 10.44.8.252 netmask 255.255.255.0 broadcast 110.44.8.255 up
[root@localhost ~]# ip r r default via 10.44.8.1
[code]....
I see that frames goes out with SRC of wan1... I tried this:
[root@localhost ~]# iptables -t nat -I POSTROUTING -o wan2 -p tcp --dport 80 -j SNAT --to-source 192.168.86.2
and saw:
[root@localhost ~]# telnet 194.87.0.50 80
[root@localhost ~]# tcpdump -i wan2 -nnt port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
[code]....
The connection did not established... Conntrack does not see it!
I want to explicitly commit bandwidth to only 3 VOIP connections, where a connection is defined as a source IP address, destination IP address, and a traffic class. I would like the traffic controller to put the first 3 VOIP connections into 3 different queues that would have equal priorities that are higher than Best Effort. If a 4th VOIP connection were to start, its packets would be put into the Best Effort queue. When one of the VOIP connections ends, I would like the incoming packets of a VOIP connection that is in the Best Effort queue (assuming there is one) to now start going into the free VOIP queue. Is it possible to do this? Can traffic control keep track of connections being created and deleted like that? If so, how is it done? I would like to avoid having to be constantly updating my filters whenever a connection starts/ends. In actuality, I would want to do this for several different classes.
View 2 Replies View Relatedmy local clients connected to the IPv6 internet.
I've already designated a machine to act as the router to the hurricane electric tunnel. I created a he-ipv6 device on it and can ping ipv6.google.com. No problem.
The problem happens when I want clients to use that router. That is, I can't ping ipv6.google.com from other machines on my LAN.
I setup /etc/radvd.conf, which seemed to successfully give out addresses to my clients:
interface eth0
{
AdvSendAdvert on;
prefix MY:HEREFIX::/64
[Code]....
I start the daemon and check that my clients have new ip6 addresses. So far so good. On my router, I do a sysctl -p and see that /proc/sys/net/ipv6/conf/all/forwarding = 1. I haven't touched ip6tables/iptables yet. Both are in a flushed state.
My ipv6 router is actually inside the LAN which gets internet from another machine which has let ipv6 packets through using protocol 41. I figure I don't have to worry about anything else because if my router can ping6 ipv6.google.com, the failure point would be there.
So my clients get ip6 addresses, but can't ping6 the router nor the ipv6.google.com. They do resolve ipv6.google.com however and I checked the traffic on the router over he-ipv6 from ifconfig and RX and TX bytes were changing during the ping.
My router has only one physical device for forwarding, eth0 and the tunnel device he-ipv6. Do I need to add some kind of ip6tables to see a simple ping from my clients?
I am using Network Manager to connect to a VPN server so that I can access some of the computers on the local network there. When I'm connected, I have two problems: All my internet traffic goes through the VPN. My computer is no longer visible on my local network. I waste a lot of time connecting and disconnecting the VPN. Is there any way I can set up a VPN so that I am still on my local network and only requests to 172.x.x.x go through the VPN. I suspect it can be done with iptables, but all the info about iptables goes WAY over my head.
View 8 Replies View RelatedWe have a need to shape outgoing traffic EXCEPT to certain IP/subnets (sounds opposite to the title, but not really :P), using iptables if possible. We've had decent luck doing it with various things, but one of the big problems is the decrease in download speed (which DOES NOT need to be shaped at all) due to upload shaping. ie, we want the shaping not to apply to TCP/UDP overhead. Semi related but probably not important is the ability to shape virtualised systems as well (ie the guests), but as the guest traffic goes through the host any traffic shaping done on/to the host should affect the guests as well.
View 1 Replies View RelatedMy linux machine is connected to the outside internet, and I have a minecraft server running on an internal machine (192.168.1.201). Right now, I am forwarding port 80 on the linux machine to 192.168.1.30, which is working.
iptables -t nat -I PREROUTING -i eth0 -d 192.168.1.30 -j DNAT --to-destination 192.168.1.201
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.201
______________________________
I want to filter out the GET/POST requests and forward them to port 8080. I can't seem to get that working.
I've tried this:
iptables -A INPUT -d 192.168.1.30 -p tcp --dport 80 -m string --algo bm --string 'GET' -j REDIRECT --to-ports 8080
I've got a Slackware 12.2 system that I'm trying to get to accept traffic on a given port, let's say 34521. When I use canyouseeme.org, to see if that port is responding, it is not.
I've put in an iptables entry to accept traffic on that port, is there anything else I need to do?
I have "Server A" with real internet ip 1.2.3.4 (eth0) and lan ip 192.168.1.1 (eth1) There's also "Server B" with lan ip 192.168.1.2 (eth0), I'm running an Apache Web server on "Server B", so I want to redirect all traffic from IP 1.2.3.4 port 80 (Server A) to 192.168.1.2 port 80 (Server B), using the following rule:
[Code]....
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80 This actually works pretty good, from internet I can browse ttp://1.2.3.4 But the problem is that if I check the Apache logs, all incoming connections seems to come from 192.168.1.1 instead of showing the real source ip addresses (internet ip's) so this is screwing up all my web stats, I've been looking for hours and hours on how to make a transparent redirect, but can't find any info, I know there must be a way because my old WRT54G router which uses iptables could do it.
I have a fairly clean install of Debian 5.04 on a G5 tower and am having some local network sharing problems. The machine linuxG5 has an address of 192.168.1.4 and when I am logged into that machine I get the following output
silver@linuxG5:~$ nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2010-04-24 10:19 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1706 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
[Code]...
I'm new to iptable configuration. I've set up a VPN using DD-WRT on my router and it works fine. However the VPN company does not allow port 25 traffic (in case of spammers) so now I can't get my emails sent out.
I'm guessing I can add some rules to my iptable so that all traffic except port 25 traffic can go out through the VPN tunnel. And hopefully, all port 25 traffic will go out through the normal Internet connection.code...
made software which we can get network traffic Report of of Switches for Daily,monthly and yearly base , in MRTG we can configure as a switch so we can get particular switch Traffic but how can we get each port of traffic of a switch in MRTG
View 1 Replies View RelatedI'm hoping some of the Linux network experts can help me with this problem.
Situation: I have a technology which is a WebLogic JEE application that communicates to an Oracle database. Everything is installed in a single Linux virtual machine running in VirtualBox. Traffic from the JEE application goes via JDBC over TCP to the local running database. What I want to do is test a new database firewall server that wants all traffic destined for the database to flow via another virtual machine running the DB Firewall software.So therefore want I need to do is have DB traffic forced out over one interface only to return on another interface on the same VM listening on a different address.
JEE application running in WebLogic bound to 192.168.111.12 (eth1 a VirtualBox hostonly interface). Makes a request for 10.0.111.12 (eth2 a VirtualBox internal interface) which the database is listening on. Because both IPs are on local interfaces, Linux is going to handle the traffic and not route the 10.x traffic via the 192.x interface.I also have running the database firewall server which has a bridge (br0) between the HostOnly network and the Internal network.Both systems are running Oracle Enterprise Linux R5U4, which is basically the same as RedHat.What I want to do is have the request for 10.0.111.12 forced out via 192.168.111.12, bridged over the br0 connection and back into 10.0.111.12 and to the database. My networking knowledge is pretty good, but i'm stuck right now on the right way to do this. I'm pretty sure it is possible, I just need clear advice.
Reason for setup: Ideally I would build the system with the database on a separate machine so that I can easily route the traffic. Unfortunately we have many VirtualBox based demonstration systems with both the application and database installed on the same VM and therefore the amount of work to migrate these two dual VMs is going to be significant, also many of these VMs are demonstrated from laptops which have limited resources and creating a new database VM reduces overall performance. If I can create a way to force the traffic in this manner off and back onto the same VM via the other VM bridge, it would be fantastic.
I need to be able to do the following: Physical Router located at 192.168.40.1 On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1 Do the same (virtual address) for eth2 -- e.g. 192.168.60.1 In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
Is there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?
One obvious example that probably clarifies my question:
When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for say openvpn traffic.
Thus: when someone wants to surf to a website with https, it should be ok but if someone wants to connect to his home openvpn server over that same port, it should be blocked.
I was asked to setup 802.1x Port Based Authentication for users connecting to a Managed Cisco Switch. From what I was told, it should work like this:
- User plugs workstation into switch.
- Workstation asks user for radius credentials.
- Workstation is then able to authenticate to the Radius server.
- After workstation is authenticated, the switchport then becomes unrestricted and allows the workstation to communicate on the network.
build a cluster within local network based on opensuse and fedora?
View 2 Replies View RelatedI have two networks. One of them is wired, the other is wireless. The wired has an internet connection and a few other computers connected to it. The wireless network has a few hosts connected to it too, but it has no internet connection. What I've been trying, fruitlessly, to do, is make all connections that are bound to the internet, or my wired network, be routed that way, and all the connections to the hosts of the wireless network go that way.
Here's the setup..
Wired:
192.168.1.0/24 Gateway = 192.168.1.1
Route internet through here
Wireless
192.168.2.0/24 Gateway = 192.168.2.1
If my computer sends a packet to the internet, it should be routed through 192.168.1.1 If I send a packet to one of the local hosts of the wireless network, it should be routed through 192.168.2.1. Here's the routing table I've set up(This is one of many configurations I've tried)
Code:
$ ip route show
192.168.2.1 dev wlan0 scope link
192.168.2.0/24 via 192.168.2.1 dev wlan0 src 192.168.2.4
[code]....
With this, and everything else, I get destination host unreachable when pinging. The strange thing is that, if I unplug my eth cable, reboot and connect to the wireless network, everything is fine and I can access the router and the others. I'm trying to improve my networking skills, as I've had this of setting up a small linux box as a router for quite some time, for the fun of it, but I need to get routing under control before I go ruin my network.
I have a firewall, this consists of three NIC's:
Code: eth0[192.168.0.2] eth1[192.168.1.2] and eth2[10.10.165.2]
I am trying to ping eth0 from eth2, but I am not able to succesfully get a response from pinging the device, I am using:
Code: ping 192.168.0.2 -I eth2
I have tried to insert routing data into the routing table, but it still doesn't work
I have a reverse ssh connection established from a remote machine to my local machine - it is established with autossh from the remote machine - I know it is connecting because I can see the two ssh processes on the local machine - and, when I kill the two ssh processes, two new ssh processes are immediately established. But I cannot login to the port on the local machine. I have tried everything - it simply refuses to connect. This remote machine is miles away and not readily accessible.
Code:
ssh -p 7766 -vvv user[at_sign]192.168.1.108
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
[Code]...
I'm wondering if there is some way I could utilize netcat or socat to "tap into" this connection from my local machine??? (My ultimate goal would be to get to a shell on the remote machine.)
Here's my (admittedly complex) situation:
I set up a dynamic DNS address for my home network. Let's call it [URL]. Then I set up one of my machines with a bind9 DNS server and pointed my router's DNS setting to it. I did this so that I could resolve awesome.server.com from machines inside my network and have them correctly find my server. Then I set up a second machine to serve web pages using [URL]. I did this by forwarding port 9200 on my router to port 80 on that machine. This works, but of course, it only works from outside my network.
What is the best way to get [URL] to work from inside my network?
I've tried setting up the iptables on my server to forward that port, but it just times out. I used these rules that I found by searching the internet:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 9200 -j DNAT --to 192.168.0.300:80
iptables -A INPUT -p tcp -m state --state NEW --dport 9200 -i eth1 -j ACCEPT
However, those rules might be failing because they are intended to forward ports requested from outside the network. I must admit, this iptables stuff is way, way over my head. Is there a different method that I must use to make it work inside my network? Or is there a better way besides iptables?
