Server :: Send Traffic Down WAN Link Depending On Client IP Address Range?
Apr 15, 2011
I am running Debian Squeeze with the following basic services running:
- DNS
- DHCP
- Samba
- Squid
The server is set up with three NICs: eth0 (WAN1), eth1 (WAN2), and eth2 (LAN). The server addresses clients with an IP range of 10.0.30.1 - 10.0.30.254. Some clients will be set with reservations so they fall into the 10.0.40.1 - 254 range.
What I want to do is have any outgoing external traffic coming from the first range (10.0.30.0) to use WAN link 1, and any outgoing external traffic coming from the second range (10.0.40.0) to use WAN link 2.
I have sort of got something working. I have created a bare minimum transparent squid3 setup on port 3128, and set the iptables as follows:
I can get internet access, however obviously it only goes through one WAN link. It also seems slower than it should be. I experimented with tcp_outgoing_address, but it seemed not to be my friend.
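The standard way to send one client range down one WAN link and another range down the other is policy routing: one extra routing table per WAN, each holding only a default route via that link's gateway, plus an `ip rule` that sends packets from each client subnet to the matching table, and a MASQUERADE rule per outgoing interface. The block below is an added example and is not code from the original post; the interface layout mirrors the post, while the upstream gateway addresses (documentation addresses) and the table ids 101/102 are assumptions.

```python
"""Policy routing for the two-WAN setup: one routing table per WAN link and
one `ip rule` per client subnet. Added example; the gateway addresses and
table ids are assumptions for illustration."""
import subprocess

# Assumed layout, mirroring the post: eth0 = WAN1, eth1 = WAN2, eth2 = LAN.
# The upstream gateway addresses are made-up documentation addresses.
WAN_LINKS = [
    # (client subnet, outgoing interface, upstream gateway, routing table id)
    ("10.0.30.0/24", "eth0", "198.51.100.1", 101),
    ("10.0.40.0/24", "eth1", "203.0.113.1", 102),
]


def policy_routing_commands(links=WAN_LINKS):
    """Build the ordered command list that pins each subnet to its WAN link."""
    cmds = ["sysctl -w net.ipv4.ip_forward=1"]
    for subnet, dev, gateway, table in links:
        # Per-WAN table holding only a default route via that link's gateway.
        cmds.append(f"ip route replace default via {gateway} dev {dev} table {table}")
        # Source-based rule: packets from this subnet consult that table first.
        cmds.append(f"ip rule add from {subnet} lookup {table}")
        # NAT each subnet behind the address of the WAN interface it leaves on.
        cmds.append(f"iptables -t nat -A POSTROUTING -s {subnet} -o {dev} -j MASQUERADE")
    # Drop cached routing decisions so the new rules apply immediately.
    cmds.append("ip route flush cache")
    return cmds


def apply_commands(cmds, dry_run=True):
    """Print the commands (dry run) or execute them; execution needs root."""
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    apply_commands(policy_routing_commands())
```

One caveat specific to the transparent Squid in the post: connections to the outside are opened by Squid on the server itself, so the client's source address is gone before the packet reaches the routing decision, and every request leaves via whichever link the main table prefers. To keep the split with a proxy in the path, give Squid one tcp_outgoing_address per client ACL (an address on the matching WAN interface) and add an `ip rule add from <that address> lookup <table>` for each of those addresses.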
I would like to set a double range of IP address with my DHCP3-server. Now, I have eth0 (which is my only network card) with this IP address : 172.16.93.1 and I have created a second interface eth0:1 with this address: 192.168.3.1. The goal is to give an IP address 172.16.93.X to phones (with option 66) and the IP address 192.168.3.X to the computers.
This is my DHCPD.conf:
ddns-update-style none;
option domain-name "mycompany.com";
option domain-name-servers 172.16.93.1;
default-lease-time 3600;
max-lease-time 2347200;
authoritative;
log-facility local7;
option ip-forwarding off;
default-lease-time 20;
max-lease-time 20;
.....
Right now my DHCP server works fine (I mean, no error at startup), but the server always gives the same kind of IP address, whether it's a phone or a computer. I noticed something "weird": if I put the
subnet 192.168.3.0 netmask 255.255.255.0 {
  range 192.168.3.100 192.168.3.199;
  option routers 192.168.3.254;
}
(which is first in the dhcpd.conf) after the "subnet 172.16.93.0 netmask 255.255.255.0", the server gives 172.16.93.X addresses to all the clients. Is it possible to give more than one IP range with one network card at the same time? And how do I set option 66 to only give IP addresses (172.16.93.X) to the phones?
I am working on implementing a protocol on NS2.34. I really need help to solve this problem. Actually, I don't know whether the problem is generated by the tcl code or the c++ code. When I run the simulation, I get this result:
Code:
num_nodes is set 64
INITIALIZE THE LIST xListHead
34 45
channel.cc:sendUp - Calc highestAntennaZ_ and distCST_
highestAntennaZ_ = 1.5, distCST_ = 550.0
SORTING LISTS ...DONE!
code....
I was looking for a live link to download Ubuntu Mobile but unfortunately I can't find anything... Can someone send me a link for the download and a link with the installation instructions? All the links that I found are dead.
Recently I noticed that when I'm connected to a VPN server (pptpd) and I'm using it as a default gateway, my download and upload speed decrease to almost half of the usual speed. I made a test using iptables in order to count how many GRE packets are generated (apart from the real traffic itself) in this way:
Code:
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT
iptables -I FORWARD -d 172.16.10.101 -j ACCEPT
The first 2 rules match all GRE packets between the pptpd server and client, and the next rules the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is, first of all, is my test correct and is it true that so much GRE traffic is being generated during browsing (it becomes clear that the traffic is double what it would be if pptpd wasn't used as a gateway), and if yes, can that traffic be reduced?
Is it possible for a client to "export" or "send" its /dev/cdrom0 to a server via SSH? I have managed to set up a connection with Xserver so I can see the server's GNOME interface in my Ubuntu client.
I've come across a strange issue where any email address that I email with mail returns an error "Bad Address"
Fairly new CentOS 5.4 install, sendmail is the MTA.
Linux 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
DNS is working fine so there isn't a problem.
[root@hn1 /]# host -t mx iol.co.za
iol.co.za mail is handled by 10 mg1.iol.co.za.
iol.co.za mail is handled by 10 mg2.iol.co.za.
iol.co.za mail is handled by 30 vulpix.iol.co.za.
Yet when I try to use mail it fails:
[root@hn1 /]# which mail
/bin/mail
[root@hn1 /]# ls -lrth /bin/mail
-rwxr-xr-x 1 root mail 83K Jan 7 2007 /bin/mail
[root@hn1 /]# mail -s "test" bob@mydomain.co.za
Bad address
Nothing in the maillog.
I added an init script numbered just before bind9 starts, which needs to see the ipv6 link-local address on eth0. Sometimes this address is not configured, yet. In all cases it eventually is configured.
I am unable to find any script that is configuring the ipv6 link-local address (which is in part based on the MAC address). Does anyone know if there is some script or program that is supposed to be doing this, or is it an internal kernel function?
One workaround I am considering is making this init script go into a loop around sleep 1 to keep checking for the ipv6 address. But I'm concerned this might cause some problems. Any suggestions? I don't want to let it move on to start bind9 until the configuration this script does (more ipv6 addresses) is done.
This is on Ubuntu 9.10 server (for which there is not a prefix choice).
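On Linux the IPv6 link-local address is created by the kernel's own address autoconfiguration when the interface comes up, not by a userspace script, and it stays flagged `tentative` until duplicate address detection has finished, which is why an init script that runs early may not see it yet. A script that waits for a usable address, with a bounded timeout instead of an unbounded `sleep 1` loop, is shown below as an added example (not code from the original post); the interface name and the two constructed `ip -6 addr show` outputs are assumptions.

```python
"""Wait until eth0 has a usable (non-tentative) IPv6 link-local address before
continuing. Added example; the interface name and the constructed `ip`
outputs below are assumptions."""
import re
import subprocess
import time

# Matches one "inet6 fe80::.../64 scope link ..." line of `ip -6 addr show`
# and captures the flags that follow (e.g. "tentative" while DAD is running).
LINK_LOCAL_RE = re.compile(
    r"inet6\s+(?P<addr>fe80:[0-9a-f:]+)/\d+\s+scope link(?P<flags>[^\n]*)", re.I)


def usable_link_local(ip_output):
    """Return link-local addresses whose duplicate address detection is done."""
    return [m.group("addr") for m in LINK_LOCAL_RE.finditer(ip_output)
            if "tentative" not in m.group("flags")]


def wait_for_link_local(dev="eth0", timeout=30.0, interval=1.0):
    """Poll `ip -6 addr show` until a usable fe80:: address appears or time runs out."""
    deadline = time.monotonic() + timeout
    while True:
        out = subprocess.run(["ip", "-6", "addr", "show", "dev", dev, "scope", "link"],
                             capture_output=True, text=True).stdout
        addrs = usable_link_local(out)
        if addrs:
            return addrs[0]
        if time.monotonic() >= deadline:
            raise TimeoutError(f"no usable link-local address on {dev} after {timeout}s")
        time.sleep(interval)


# Constructed samples of what `ip -6 addr show dev eth0 scope link` prints
# while DAD is still running and after it has completed.
SAMPLE_TENTATIVE = """2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::215:5dff:fe01:203/64 scope link tentative
       valid_lft forever preferred_lft forever
"""
SAMPLE_READY = SAMPLE_TENTATIVE.replace(" tentative", "")

if __name__ == "__main__":
    print(wait_for_link_local("eth0"))
```

Run from the init script before the part that adds the further addresses; a non-zero exit on timeout keeps a missing link-local address from being silently ignored, and the 30-second bound keeps boot from hanging if the interface never comes up.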
I have a small issue. To make our network more secure, I now require outgoing email to require authentication. Now the problem: I have an automated mailer that does not have the option to authenticate. Is there a way to allow a certain email address or the local network to send out without authentication? If I cannot do this for a single email user to allow them through without authentication, how would I remove the authentication parameters in the postfix smtp?
I want to configure a VPN over the Internet. I installed the 'openvpn' package, generated the key file, transferred it in a secure way to the client, and set up the configuration file.
So, in that configuration file I input the IP addresses of the tunneled interfaces. Both IPs are static in the tunnel.
Then, I've heard somewhere that I can assign a dynamic configuration IP for the client. I do this registering a range.
Well, when I tried to change static IP to dynamic IP (changing '192.168.0.2' to '192.168.0.0/24') in the configuration file, the OpenVPN didn't work.
Obviously I don't know what I'm doing, and I really, don't believe that simply changing the IP will make it work, but I tried.
I hope I explained my problem well.
My configuration file:
# OpenVPN Server Configuration File
dev tun 0
ifconfig 192.168.0.1 192.168.0.2
cd /etc/openvpn
secret key_file
On the client I execute 'openvpn' without the '--daemon' parameter. Then I want my client to use an IP in a range (192.168.0.0/24, for example), instead of a static IP (192.168.0.2). I also thought of using a DHCP server, but I'm not sure that will work.
I have installed a working DNS server on my home network. I have a unique server, devoted to dns, gateway, storage which runs openSUSE 11.0 (I know that it is rather old). Two new clients require DHCP. I have installed, using yast, a very simple DHCP server, according to the following config:
(I have tried to add "ddns-update-style none", and to remove the ntp-servers option, since my server is not a time server, without success). Unfortunately, even if the client (a mac running OSX 10.4) receives a right IP and gateway address, it displays neither dns server address nor default domain name. The same mac, on my office network (not managed by me), receives everything.
I'm having trouble setting up my dhcp3-server. Although I've configured "option domain-name-servers 192.168.1.1" in my dhcpd.conf, my Windows XP clients' DNS server address is set to 192.186.1.1. This is strange! All other things seem to work correctly. This is my dhcpd.conf:
I got to establish an OpenVPN connection between two servers and I have dhcpd on the client server which feeds a few SIP phones. All these phones are supposed to reach the register server through the tunnel. Here is the network structure:
Client CentOS:
eth0: 192.168.0.0/24
eth1: 192.168.100.0/24
tun0: 172.15.0.0/24
DHCPD: feeding above eth1 and all the phones with 192.168.100.0/24
If I ping 172.15.0.1 from the Client CentOS it works all fine. Everything pings and I can even do SSH. However, the phones which obtain their IP through eth1 on the same server cannot reach 172.15.0.1. I think it's a route issue here. Can you please guide me in the right direction as to how to forward certain traffic through tun0 and leave the rest of the traffic to go through eth0?
I don't want to turn on iptables as this is time consuming for me now and there is a VPN setup. It has to do with setting up the routing but I am not sure.
I have set up postfix and dovecot as per the Ubuntu manual and appear to have a functioning mail server. Using the sendmail command I can send mail and I receive mail in ~/Maildir. Using Thunderbird I can read any mails received but I can't send any mail from Thunderbird. I have tried with both STARTTLS and SSL/TLS and whilst I get the prompt for a password I keep getting the message that my password for my server is wrong. I have ports 25, 465, 587 and 993. Are those all the right ports? When I ping my domain name it resolves to my router name whereas I believe it should resolve to my IP. Could there be a problem with my hosts file? I've had a play but to no avail. Here's the error in mail.log.
I'm trying to send pages of 4096 bytes from the kernel layer of the server to the kernel layer of the client over a network. Previously I tried the following code; for data less than 100 bytes it worked fine, but for something larger than that the computer hangs (even dmesg won't say why). I also wanted to know how we could use the 'sendpage' function to solve this problem.
I'm assuming that the following should block the complete 178.123.xxx.xxx address range.
Code:
iptables -I INPUT -s 178.123.0.0/24 -j DROP
Then I believe that I need to save this change.
Code:
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
However, I'm not so sure that it is actually working based on the fact that there continues to be access to my wiki from that address range. The following is after I made the firewall change.
Quote:
178.123.177.61 - - [31/Dec/2010:04:24:40 -0500] "GET /mywiki/Opera%20Web%20Browser?action=edit&editor=text HTTP/1.1" 200 6346 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" code....
Let me state that I'm new at this iptables thing. I did some reading and decided that I need to make the above change to the firewall but it doesn't seem to make a difference.
I am setting up an iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP ... $IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
While I was tweaking 5.3 to get it up to speed on a couple of servers, I used to make some use of IRC (#centos). Haven't looked at it for a while. Decided to fire it up again tonight, only to find things... have changed. Now there seem to be 2 channels: #centos and #centos-unregistered. I *was* already registered with nickserv, but that didn't seem to work anymore. Re-registered, but am still seeing no traffic at all. My IRC client (ChatZilla) suggests there are lots of users 'online', but still, not seeing any traffic at all.
eth0 192.168.2.100 (internal Web, Mail)
eth1 192.168.3.100 (default gateway NIC for clients)
eth2 192.168.3.110 (should be default gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)
They are all on the same machine
I cannot set eth1 or eth2 as default gateway, as outside requests to eth0 would be handled in a false manner (somehow).
Is there an easy iptables rule to say that outgoing traffic not belonging to my networks can be redirected to a specific NIC (eth2)?
I use F12 and I need help with the correct syntax to specify a range of IP addresses in hosts.allow or hosts.deny or in the /etc/exports file, e.g. 192.168.1.100 to 192.168.1.255.
I need to create two Access Control Lists for my networks using SQUID proxy. The ip address range from 165.165.42.10 to 165.165.42.50 for one network and from 165.165.42.60 to 165.165.42.90 for another network. How can I make it?
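The three range questions above (the /24 that failed to block 178.123.177.61, the BLACKIN subnet syntax, the hosts.allow/exports range, and the Squid ACLs) come down to the same arithmetic: a CIDR prefix covers exactly the addresses whose leading bits match, so 178.123.0.0/24 covers only 178.123.0.0 to 178.123.0.255 and 178.123.0.0/16 is what covers all of 178.123.x.x; an arbitrary first-to-last range is the union of a few aligned blocks, which is what /etc/exports and tcp_wrappers need, while Squid's src ACL takes a dashed range directly. The block below, an added example rather than code from any of the posts, does those conversions with the standard library; the daemon name, export path and ACL names in it are illustrative.

```python
"""Address-range arithmetic for iptables, /etc/exports, hosts.allow and Squid
ACL rules. Added example; daemon, path and ACL names are illustrative."""
import ipaddress


def covers(block, address):
    """True if `address` lies inside the CIDR `block` (host bits tolerated)."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(block, strict=False)


def drop_rule(block):
    """iptables rule dropping a whole block, written with a normalised prefix."""
    net = ipaddress.ip_network(block, strict=False)
    return f"iptables -I INPUT -s {net} -j DROP"


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last inclusive."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def exports_line(path, first, last, opts="ro,sync"):
    """/etc/exports entry: one client spec per CIDR block (exports accepts /len)."""
    return path + " " + " ".join(f"{c}({opts})" for c in range_to_cidrs(first, last))


def hosts_allow_line(daemon, first, last):
    """hosts.allow entry using the net/mask form tcp_wrappers understands."""
    specs = []
    for c in range_to_cidrs(first, last):
        n = ipaddress.ip_network(c)
        specs.append(f"{n.network_address}/{n.netmask}")
    return f"{daemon}: " + " ".join(specs)


def squid_src_acl(name, first, last):
    """Squid's src ACL accepts a dashed address range directly."""
    return f"acl {name} src {first}-{last}"


if __name__ == "__main__":
    print(covers("178.123.0.0/24", "178.123.177.61"))   # False: /24 is too narrow
    print(drop_rule("178.123.177.61/16"))               # whole 178.123.x.x block
    print(exports_line("/srv/share", "192.168.1.100", "192.168.1.255"))
    print(hosts_allow_line("sshd", "192.168.1.100", "192.168.1.255"))
    print(squid_src_acl("net1", "165.165.42.10", "165.165.42.50"))
    print(squid_src_acl("net2", "165.165.42.60", "165.165.42.90"))
```

After changing a DROP rule, check the counters with `iptables -L INPUT -v -n` rather than the web log alone: a rule that never matches shows zero packets, which points at the prefix length before anything else.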
I have dhcp3-server (isc-dhcp-server) installed on my Debian and now I got a question about how it's giving the IP addresses to new devices.
For example: I connected my laptop and the DHCP server gave me the 192.168.1.5 address. Will it always give me the same IP address when I connect my laptop, or will it eventually change after some time (week, month)? If it's not changing it, then I am wrong about this.
BUT... If I am somehow correct and it will change in a week and give me another random IP (like 192.168.1.8) even if I don't change my laptop's network adapter, is it possible to configure the DHCP server to always give the same IP address depending on what MAC it is?
To make it clear, I want that when I connect a new device (new laptop/PC) the DHCP server would give it a random IP but at the same time would note the MAC address and never change the IP for that MAC.
I know about MAC filters, but setting filters is for when you know the MAC address from the beginning and want to assign an IP to it, but in my situation I don't know the MAC address.
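ISC dhcpd keeps every address it hands out in dhcpd.leases, keyed by the client's hardware address, and prefers a client's previous lease for as long as that record exists; what it does not do on its own is turn those records into permanent reservations. The script below, an added example and not part of the original post or of the ISC project, reads the lease file, keeps the newest record per MAC, and renders `host` blocks with `fixed-address` for dhcpd.conf, which is the "note the MAC the first time and pin it afterwards" behaviour asked for. The lease excerpt is constructed and the host naming scheme is an assumption.

```python
"""Turn the addresses dhcpd already handed out into permanent host
reservations. Added example; the lease excerpt is constructed and the host
naming scheme is an assumption."""
import re

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
# Skip the "next binding state" line and read the current state only.
STATE_RE = re.compile(r"(?<!next )binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Map MAC -> its newest lease. dhcpd.leases is append-only, so a later
    record for the same MAC supersedes an earlier one."""
    by_mac = {}
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue  # record without a hardware address (nothing to pin)
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        by_mac[mac.group(1).lower()] = {
            "ip": m.group("ip"),
            "state": state.group(1) if state else "unknown",
            "host": host.group(1) if host else "client",
        }
    return by_mac


def reservations(by_mac, only_active=True):
    """Render dhcpd.conf `host` blocks, one per MAC."""
    blocks = []
    for mac, info in sorted(by_mac.items()):
        if only_active and info["state"] != "active":
            continue
        label = re.sub(r"[^A-Za-z0-9-]", "-", info["host"])
        name = f"{label}-{mac.replace(':', '')}"
        blocks.append(
            f"host {name} {{\n"
            f"  hardware ethernet {mac};\n"
            f"  fixed-address {info['ip']};\n"
            f"}}")
    return "\n".join(blocks)


# Constructed dhcpd.leases excerpt: the laptop was renewed on a new address,
# and the second client's lease has expired.
SAMPLE_LEASES = """lease 192.168.1.5 {
  starts 3 2011/04/13 10:00:00;
  ends 3 2011/04/13 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.8 {
  starts 4 2011/04/14 10:00:00;
  ends 4 2011/04/14 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.9 {
  starts 4 2011/04/14 11:00:00;
  ends 4 2011/04/14 23:00:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
"""

if __name__ == "__main__":
    print(reservations(parse_leases(SAMPLE_LEASES)))
```

Write the output to a file that dhcpd.conf includes, restart dhcpd, and keep the pinned addresses outside the dynamic `range`, as the ISC documentation recommends for `fixed-address`; otherwise the pool can still offer the same address to a different client.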
I wanted to tell my server to block all traffic but US-only traffic. So I followed this guide: [URL]. Now I know it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called, I just have to stop them). My server only deals with US clients anyway, so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done, compiled everything, moved it to the proper directory. I then started to set up my iptables. Like so:
I am puzzled with trying to configure a linux (openSUSE) client to dhcp to eBox DHCP server. I am using dhclient to lease an IP address with dhclient eth0 -s 10.45.48.108 and get a response
openSUSE11232CL1 dhclient: DHCPDISCOVER on eth0 to 10.45.48.108 port 67 interval 4
openSUSE11232CL1 dhclient: DHCPOFFER from 10.45.48.108
openSUSE11232CL1 dhclient: DHCPREQUEST on eth0 to 10.45.48.108 port 67
openSUSE11232CL1 dhclient: send_packet: Network is unreachable
openSUSE11232CL1 dhclient: send_packet: please consult README file regarding broadcast address.
The server reports:
eBox141 dhcpd: DHCPDISCOVER from 00:0c:29:3e:57:a3 (openSUSE11232CL1.domain.net) via eth0
eBox141 dhcpd: DHCPOFFER on 10.45.200.2 to 00:0c:29:3e:57:a3 (openSUSE11232CL1.domain.net) via eth0
I interpret this as the server receiving the request and the client accepting it, but the lease does not last long and the connection breaks. What could this be, and why does the connection break? Or is my understanding totally wrong on how it works and should work? And BTW, where is that README file that's referenced in the message I receive on the client?