* iptables questions
From: jingai @ 2000-08-13 6:00 UTC (permalink / raw)
To: linuxppc-dev
Hey all,
I've been trying to get iptables to work since v1.0 and
kernel v2.3.99pre5, but it always either crashes (itself)
or brings down my entire machine (hard). Even just
adding one single NAT rule, it blows up completely. I'd
like to have my firewall setup, but at this point I will
be satisfied with just masquerading :) Is this a known
problem with the PPC tree, do I need a patch, or am I
just trying to do this too late at night? :)
Any help would be greatly appreciated.
Regards,
Jonathan
** Sent via the linuxppc-dev mail list. See http://lists.linuxppc.org/
* Re: iptables questions
From: Harald Welte @ 2002-07-02 21:05 UTC (permalink / raw)
To: Vladimir Getselevich; +Cc: Netfilter Development Mailinglist
On Tue, Jul 02, 2002 at 03:08:37PM +0300, Vladimir Getselevich wrote:
> Hi, Harald.
>
> I asked you this question, but you didn't answer me.
> Could you please tell me how I can make sure there is not a delay of 1
> packet in ULOG.
> It is very important for my master's research.
Well, you have the source code, so it should be pretty easy to find out.
I'd try setting flushtimeout=0 on the modprobe command line.
> You say that this is an option of ipt_ULOG module. How can I configure it
> to deliver packets immediately without a delay.
Just read ipt_ULOG.c.
> Best regards,
> Vladimir
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
* iptables questions
From: james li @ 2002-11-26 23:33 UTC (permalink / raw)
To: netfilter
Hi,
I am learning iptables through the HOWTO. There is one command I am not
sure about. Can someone explain it to me, please?
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
From the author: 'this rule will allow all traffic from our $LAN_IFACE to
any other interface to flow freely, in other words allow all traffic from
our LAN to the Internet'.
Is there a default '-o eth+' in the above command that is omitted? Should
it rather be
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
with INET_IFACE as the Internet interface?
/James.Q.L
* Re: iptables questions
From: Joel Newkirk @ 2002-11-27 0:08 UTC (permalink / raw)
To: james li, netfilter
On Tuesday 26 November 2002 06:33 pm, james li wrote:
> Hi,
>
> I am learning iptables through the HOWTO. There is one command I am not
> sure about. Can someone explain it to me, please?
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
>
> From the author: 'this rule will allow all traffic from our $LAN_IFACE to
> any other interface to flow freely, in other words allow all traffic from
> our LAN to the Internet'.
>
> Is there a default '-o eth+' in the above command that is omitted? Should
> it rather be
> $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
>
> with INET_IFACE as the Internet interface?
Not necessarily. If you only have two interfaces and use the first rule, it
will match anything coming in on the $LAN_IFACE interface, regardless of
destination. (Well, if the destination is local to the firewall machine it
won't match, because it will be in the INPUT filter chain instead of
FORWARD... :^) If you have more than two interfaces, or situations where
forwarding back out the same LAN interface takes place (like connecting the
LAN to a local server, perhaps), then you might want different rules
depending on destination; otherwise leaving it out simply means you don't
care what output interface is used. You usually would NOT want to match
solely on the -o parameter, since that could allow incoming traffic from the
Internet to forward back out in this scenario, but such a rule is also valid.
If you have a DMZ hanging off a third interface from the firewall, then
filtering rules pertaining to the DMZ would probably be most easily defined
based on -o $DMZ_IFACE (or whatever name you used).
Depending on where the rule is placed (INPUT, FORWARD, OUTPUT, etc.) you may
find it useful to apply or omit particular parts of a rule. For example, in
PREROUTING chains (NAT or MANGLE) -o is undefined, so you DON'T want to try
to match it there. In the FORWARD filter chain the output interface is
defined but often isn't important; more important (i.e. more useful for
filtering) would be the input iface and source/dest IPs in most cases.
j
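A worked version of the distinction Joel draws, as an added example that is not from the thread or from the HOWTO: a three-interface FORWARD policy in which the LAN rules pair -i with -o (so LAN traffic is not accepted regardless of destination), the Internet-to-DMZ rule is restricted to one service, and the DMZ-to-LAN direction is written out explicitly rather than matched on -o alone. The interface names eth0/eth1/eth2, the tcp/80 DMZ service, and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a three-interface FORWARD policy.
# Interface names and the DRY_RUN switch are assumptions for the example.
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
# With DRY_RUN=1 the rules are printed instead of executed, so the policy
# can be reviewed (or unit-tested) on a box without iptables or root.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the FORWARD policy. Rules that pair -i with -o only allow the
# LAN -> Internet and LAN -> DMZ directions; with a bare "-i $LAN_IFACE"
# rule, LAN traffic would be accepted towards any interface.
forward_rules() {
    ipt -P FORWARD DROP
    # Replies to established connections, whatever the interfaces.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may reach the Internet and the DMZ; pairing -i with -o keeps a
    # later fourth interface from becoming reachable by accident.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -j ACCEPT
    # Internet may open new connections only to the DMZ web server (tcp/80).
    ipt -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # DMZ hosts must not initiate connections into the LAN. A rule that
    # matched solely on -o "$LAN_IFACE" would also catch Internet -> LAN,
    # so the input interface is stated explicitly here.
    ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
    # Anything else headed into the DMZ is logged, then dropped by policy.
    ipt -A FORWARD -o "$DMZ_IFACE" -j LOG --log-prefix "FWD-DMZ-DROP: "
}

# How many emitted FORWARD rules match on both -i and -o (for review).
paired_rule_count() {
    forward_rules | grep -c -- '-i .* -o '
}

forward_rules
```

Run it as-is to print the policy; set DRY_RUN=0 (as root) to load it. The LOG rule is placed last on purpose: the chain policy does the dropping, and the log line tells you which DMZ-bound traffic the explicit rules did not cover.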
* iptables questions
From: Antti Korpela @ 2003-11-15 10:51 UTC (permalink / raw)
To: netfilter
Hi,
I have here some questions and I hope you have some time to answer.
1. What is the difference, and which is better: iptables -t nat -j MASQUERADE or SNAT --to IP, if I'm using it for an Internet gateway NAT machine at big LAN parties, over 300 IPs?
2. I often get this error: "too much work on eth0, dropping packet..." What does this mean? Do I have to put this in the kernel:
echo "65000" > /proc/sys/net/ipv4/ip_conntrack_max ? Are there any other solutions for this?
3. Do you have some other tips for MASQ? :)
Thanks for your time and support!
* Re: iptables questions
From: Jeffrey Laramie @ 2003-11-17 14:07 UTC (permalink / raw)
To: netfilter
Antti Korpela wrote:
> Hi,
>
> I have here some questions and I hope you have some time to answer.
>
> 1. What is the difference, and which is better: iptables -t nat -j
> MASQUERADE or SNAT --to IP, if I'm using it for an Internet gateway
> NAT machine at big LAN parties, over 300 IPs?
According to Oskar's tutorial, SNAT is preferable for static IPs:
> It is still possible to use the *MASQUERADE* target instead of *SNAT*
> even though you do have a static IP, however, it is not favorable
> since it will add extra overhead, and there may be inconsistencies in
> the future which will thwart your existing scripts and render them
> "unusable".
>
> 2. I often get this error: "too much work on eth0, dropping
> packet..." What does this mean? Do I have to put this in the kernel:
> echo "65000" > /proc/sys/net/ipv4/ip_conntrack_max ? Are there any
> other solutions for this?
Can't help with this.
> 3. Do you have some other tips for MASQ? :)
SNAT is pretty straightforward and there aren't a lot of configuration
choices. It's a good idea to read all of Oskar's tutorial, but you
should at least read and understand this section:
http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#SNATTARGET
Jeff
* Re: iptables questions
From: Antony Stone @ 2003-11-17 14:18 UTC (permalink / raw)
To: netfilter
On Monday 17 November 2003 2:07 pm, Jeffrey Laramie wrote:
> Antti Korpela wrote:
> >
> > 1. What is the difference, and which is better: iptables -t nat -j
> > MASQUERADE or SNAT --to IP, if I'm using it for an Internet gateway
> > NAT machine at big LAN parties, over 300 IPs?
>
> According to Oskar's tutorial, SNAT is preferable for static IPs:
My understanding is that SNAT is marginally more efficient than MASQUERADE
because the address to be substituted is fixed in the SNAT rule, whereas
with MASQUERADE the rule needs to look up the address of the interface before
it knows what to replace into the packet.
Whether you could measure the difference in efficiency between the two rules
is another matter entirely, however. My recommendation would be to go for
maximum readability of your rules.
Regards,
Antony.
--
90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
Please reply to the list;
please don't CC me.
* Re: iptables questions
From: William Stearns @ 2003-11-18 1:12 UTC (permalink / raw)
To: Antti Korpela; +Cc: ML-netfilter, William Stearns
Good evening, Antti,
On Sat, 15 Nov 2003, Antti Korpela wrote:
> I have here some questions and I hope you have some time to answer.
>
> 1. What is the difference, and which is better: iptables -t nat -j
> MASQUERADE or SNAT --to IP, if I'm using it for an Internet gateway
> NAT machine at big LAN parties, over 300 IPs?
MASQUERADE is for situations where your outside IP address
changes; most commonly used for modem connections. If your outside
address is static, use SNAT.
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
> 2. I often get this error: "too much work on eth0, dropping
I _think_ this is a better question for the linux-net mailing
list. I have a sense this is an internal problem with the network card
driver and not with netfilter.
You might see if a newer kernel is available, or even consider
using the 2.6.x test kernels; they're probably able to scale better.
> packet..." What does this mean? Do I have to put this in the kernel: echo "65000"
> > /proc/sys/net/ipv4/ip_conntrack_max ? Are there any other solutions for
> this?
I don't think this is related.
> 3. Do you have some other tips for MASQ? :)
I tend to include this line in /etc/modules.conf to increase the
connection table size (not sure if it's truly required anymore):
options ip_conntrack hashsize=16384
Cheers,
- Bill
---------------------------------------------------------------------------
"Scattered showers my ass!"
-- Noah
(Courtesy of "Michael B. Trausch" <mtrausch@wcnet.org>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
Linux articles at: http://www.opensourcedigest.com
--------------------------------------------------------------------------
* Re: iptables questions
From: Cedric Blancher @ 2003-11-19 15:32 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
On Mon 17/11/2003 at 15:18, Antony Stone wrote:
> My understanding is that SNAT is marginally more efficient than MASQUERADE
> because the address to be substituted is fixed in the SNAT rule, whereas
> with MASQUERADE the rule needs to look up the address of the interface before
> it knows what to replace into the packet.
There's another advantage in using SNAT instead of MASQUERADE. When you
use MASQUERADE, NATed connections are bound to the output interface. If it
goes down, all these connections will get flushed. With SNAT, there's
no interface dependency of this kind.
At home, I have a PPPoE DSL access. When I had a dynamic IP, I was
setting the SNAT rule using the pppd ip-up script. So when the PPP link goes up
and down, I don't lose my current connections. I used to lose them
using MASQUERADE.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
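The ip-up approach Cedric describes, as an added example that is not his script or anything from the thread: an /etc/ppp/ip-up style hook that deletes the SNAT rule for the previous PPP address and inserts one for the address pppd just negotiated, instead of relying on MASQUERADE to track the interface. pppd really does pass the interface name as $1 and the local address as $4; the LAN network 192.168.1.0/24, the state-file directory and the DRY_RUN switch are assumptions made for this example, and the ip addresses in the usage are constructed.

```shell
#!/bin/sh
# Added example (not Cedric's own script): re-point the SNAT rule at the
# address pppd just negotiated. pppd calls ip-up with:
#   $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP, $6 ipparam
# LAN_NET, STATE_DIR and DRY_RUN are assumptions for the example.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
STATE_DIR="${STATE_DIR:-/var/run}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# The SNAT rule spec for a given PPP interface and local address.
snat_spec() {
    # $1 = interface, $2 = local IP
    echo "POSTROUTING -s $LAN_NET -o $1 -j SNAT --to-source $2"
}

# Accept only a dotted quad before splicing the value into a rule;
# pppd's arguments are trusted, but a hook should still not build rules
# from arbitrary strings.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Remove the rule for the previous address (remembered in a state file),
# insert the rule for the new one, and record it. Deleting a rule does not
# flush conntrack, which is the property that keeps existing connections
# alive across a PPP bounce, unlike MASQUERADE's interface binding.
update_snat() {
    iface="$1"; local_ip="$2"
    valid_ipv4 "$local_ip" || { echo "ip-up: bad local IP '$local_ip'" >&2; return 1; }
    state="$STATE_DIR/snat-$iface.addr"
    if [ -r "$state" ]; then
        old_ip=$(cat "$state")
        if [ "$old_ip" != "$local_ip" ]; then
            ipt -t nat -D $(snat_spec "$iface" "$old_ip")
        fi
    fi
    ipt -t nat -I $(snat_spec "$iface" "$local_ip")
    echo "$local_ip" > "$state"
}

# pppd invokes ip-up with the interface as $1 and the local address as $4.
if [ $# -ge 4 ]; then
    update_snat "$1" "$4"
fi
```

Installed as /etc/ppp/ip-up (or called from it) with DRY_RUN=0, the hook runs on every link-up; run it by hand with DRY_RUN=1 and four dummy arguments to see the two iptables commands it would issue. The matching ip-down hook is deliberately absent: leaving the old rule in place until the next ip-up is what lets in-flight connections resume if the same address comes back.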