[LARTC] Traffic shapping + routing in RH 7.1

* [LARTC] Traffic shapping + routing in RH 7.1
@ 2001-12-17  3:43 Roberto Campos
  2001-12-18  2:28 ` Roberto Campos
  2001-12-18  7:56 ` bert hubert
  0 siblings, 2 replies; 3+ messages in thread
From: Roberto Campos @ 2001-12-17  3:43 UTC (permalink / raw)
  To: lartc

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="windows-1254", Size: 6067 bytes --]

0€\x06	*†H†÷\r\x01\a\x02 €0€\x02\x01\x011\v0	\x06\x05+\x0e\x03\x02\x1a\x05\00€\x06	*†H†÷\r\x01\a\x01 €$€\x04‚\vÐContent-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Hi ALL,

I'm new to TC and IPTABLES and i need help in setting up a filter/routing
solution to an ISP.
I've read all the HOWTOs and i've reading LARTC messages for a month now.
I still don't have a clue on how to do it 'cause sometimes people say it's
easy, sometimes they say it's impossible.
I'm seeking help for it. Let's move to the subject.

We have a small ISP and we are moving a linux box running RH 7.1 to avoid
having to set up BGP because we don't have an ASN.
What we want to do is to implement redundancy to the services.
The way we managed to do it is like this:

 ISP1                   ISP2
   |                      |
   |                      |
   |______  ISP  _________|
   Linux RH 7.1 ver 2.4.2-2
             |
             |
  ___________|_______________
  |     |    |    |     |    |
 boxes with services we provide

This is the cenario:

. ISP1 and ISP2 are our providers of connection to the internet
. The Linux box is running IPTABLES and TC instaled (patched full)
. The Linux is going to be our firewall and is not going to run any
services at the interfaces to ISP1 and 2.
. The firewall is going to NAT all the packets allowing us to play with
then accordingly, routing and dropping as we need.

What we have done so far?
 We've managed to play with two default gateways equal cost and it works,
the problems are that we have two diferent ISPs to work with and the box
send the packets without a simple logic, we just need that packets comming
from eth0 to go back through eth0. If we ping the firewall from ISP1
sometimes it sends back the ICMP packet with the ip from the other
interface and it's not allowed from ISP1 ou 2. That way it don't get past
their firewalls.
If i can set this up to work telling linux to send back using eth0 the
packets that comes from eth0 with the ip of eth0 or the internal ip that
was used to forward in, i'll be happy.

Then i can use DNS Bind 9.1.0 to use the cheap links for the services i
want and the expensive one to keep our clients flying on the net.

I can deal with the routing myself, my problems are that i can't
understand how linux mounts the packet or routes it based on the port it
came into the firewall when the destination machine is inside our ISP,
like our sendmail machine, for example.

Any help apreciated.

Thanks in advance.

Roberto Campos
____________________________________________
Meu Provedor Tecnologias e Informática Ltda.
Rua Camerino, 128 Grs. 302
Centro - Rio de Janeiro - RJ - CEP 20080-010
Tel.: 55 21 22835173 (PABX/FAX)
Telefone Móvel - Celular: 55 21 91978284

Witch is the best way to do it?

Roberto Campos
____________________________________________
Meu Provedor Tecnologias e Informática Ltda.
Rua Camerino, 128 Grs. 302
Centro - Rio de Janeiro - RJ - CEP 20080-010
Tel.: 55 21 22835173 (PABX/FAX)
Telefone Móvel - Celular: 55 21 91978284
\0\0\0\0\0\0 ‚\bI0‚\x03Y0‚\x02Â \x03\x02\x01\x02\x02\x11\0ÄŒê\x0fÙ\0®âÇg\x0eÙ Í³0\r\x06	*†H†÷\r\x01\x01\x04\x05\00_1\v0	\x06\x03U\x04\x06\x13\x02US1\x170\x15\x06\x03U\x04
\x13\x0eVeriSign, Inc.1705\x06\x03U\x04\v\x13.Class 1 Public Primary Certification Authority0\x1e\x17\r991117000000Z\x17\r040106235959Z0Ï1-0+\x06\x03U\x04
\x13$Certisign Certificadora Digital LTDA1\x1f0\x1d\x06\x03U\x04\v\x13\x16VeriSign Trust Network1?0=\x06\x03U\x04\v\x136Terms of use at https://www.certisign.com.br/RPA (c)991<0:\x06\x03U\x04\x03\x133Certisign Class 1 Consumer Individual Subscriber CA0Ÿ0\r\x06	*†H†÷\r\x01\x01\x01\x05\0\x03\00‰\x02\0¯’rÆøÆ\x1f\x17sÈ¦B¦m`Ñ\x14\x1aœ›éCD7R\x02°ÔþåH’\x1aí AgM\v‚¤u›5Þê]Üf\a¢VðHfx[ÛüÃø9l®r\añ\x15d^[ò\x03©7Ë\x06š:a±qÕ_qD#Ýˆ³\x13zúÁÝr\fÕôzzªFs@íÉBõ %ç¹Ö·`®ÇˆÉìõ±¸r,\rƒ\x02\x03\x01\0\x01££0 0$\x06\x03U\x1d\x11\x04\x1d0^[¤\x190\x171\x150\x13\x06\x03U\x04\x03\x13\fAffiliate1-80\x11\x06	`†H\x01†øB\x01\x01\x04\x04\x03\x02\x01\x060G\x06\x03U\x1d \x04@0>0<\x06
`†H\x01†øE\x01\a\x0f0.0,\x06\b+\x06\x01\x05\x05\a\x02\x01\x16 https://www.certisign.com.br/RPA0\x0f\x06\x03U\x1d\x13\x04\b0\x06\x01\x01ÿ\x02\x01\00\v\x06\x03U\x1d\x0f\x04\x04\x03\x02\x01\x060\r\x06	*†H†÷\r\x01\x01\x04\x05\0\x03\0¢péy;Œ
ŒŒ°ÿà\x15õh\x7f·ª\x16hMSDÈŸâ®ÍÛ<ÐÞ^[Á\x0fJíÉº Y²jò'&"ûÍ\x02Z
Œ¥¥êb\x03\x0efxæ\x05¤–Ûr©ay¦á º\rïDMb¨È`\x19}eÞS’ýJß¤»W\x7fÒ\x05‡µê?Ì\x134Ýàh\x15²™J°D,Y¾dë¤ÃÛ¾‹8\x1c…:0‚\x04è0‚\x04Q \x03\x02\x01\x02\x02\x10\r\r¨)˜Æ‘A•X®ê2E¹0\r\x06	*†H†÷\r\x01\x01\x04\x05\00Ï1-0+\x06\x03U\x04
\x13$Certisign Certificadora Digital LTDA1\x1f0\x1d\x06\x03U\x04\v\x13\x16VeriSign Trust Network1?0=\x06\x03U\x04\v\x136Terms of use at https://www.certisign.com.br/RPA (c)991<0:\x06\x03U\x04\x03\x133Certisign Class 1 Consumer Individual Subscriber CA0\x1e\x17\r011212000000Z\x17\r021212235959Z0‚\x01{1-0+\x06\x03U\x04
\x14$Certisign Certificadora Digital LTDA1'0%\x06\x03U\x04\v\x14\x1eCustomer Support - Class 1 CSC1402\x06\x03U\x04\v\x13+Terms of use at www.certisign.com/RPA (c)001>0<\x06\x03U\x04\v\x135Authenticated by Certisign Certificadora Digital LTDA1'0%\x06\x03U\x04\v\x13\x1eMember, VeriSign Trust Network1\x1e0\x1c\x06\x03U\x04\v\x13\x15Persona Not Validated1\x1c0\x1a\x06\x03U\x04\v\x13\x13Digital ID Class 1 1\x190\x17\x06\x03U\x04\x03\x13\x10Roberto L Campos1)0'\x06	*†H†÷\r\x01	\x01\x16\x1aroberto@meuprovedor.com.br0\0\r\x06	*†H†÷\r\x01\x01\x01\x05\0\x03K\00H\x02A\0ÆF*
`†uÕ~mËI4€àIsA\x17Â4Ü\x18T\x04æM)\x014R\r\x05`<¾AÇë0¥šH%f\x14\‡…\x18Â\x1fG½ÏÀâ:øm-\x02\x03\x01\0\x01£‚\x01X0‚\x01T0	\x06\x03U\x1d\x13\x04\x020\00r\x06\x03U\x1d\x1f\x04k0i0g e c†ahttp://onsitecrl.verisign.com/CertisignCertificadoraDigitalLTDACustomerSupportClass1CSC/LatestCRL0¬\x06\x03U\x1d \x04¤0¡0ž\x06\v`†H\x01†øE\x01\a\x01\x010Ž0(\x06\b+\x06\x01\x05\x05\a\x02\x01\x16\x1cLINKIFYDCFCBaHcdBEccHIFaafDADbeGaeAGAHIedHffGAE\x06\b+\x06\x01\x05\x05\a\x02\x020V0\x15\x16\x0eVeriSign, Inc.0\x03\x02\x01\x01\x1a=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0\x11\x06	`†H\x01†øB\x01\x01\x04\x04\x03\x02\a€0\x11\x06
`†H\x01†øE\x01\x06	\x04\x03\x01\x01ÿ0\r\x06	*†H†÷\r\x01\x01\x04\x05\0\x03\0s¼\x10\x11(\bÏ«Ž`\x02r`H§þ	^[o\x06ŒRÀ,Ëô î´6¬^[D¥ø†¿£L\x11L±äÎ¼þ\x1a\x13-ªÞÑyÀZS
\x05åh¸ÆõvE…„ØN\x14£XÈ/\x1d;\x05ZfŸ\x05X\x1c\x12õÌ_À¼tn’)—Ò/Þ·\x14$Î\x14€Å‹\x19„+Yù÷ä×ì€éG£^[mOp™¤1‚\x02ý0‚\x02ù\x02\x01\x010ä0Ï1-0+\x06\x03U\x04
\x13$Certisign Certificadora Digital LTDA1\x1f0\x1d\x06\x03U\x04\v\x13\x16VeriSign Trust Network1?0=\x06\x03U\x04\v\x136Terms of use at https://www.certisign.com.br/RPA (c)991<0:\x06\x03U\x04\x03\x133Certisign Class 1 Consumer Individual Subscriber CA\x02\x10\r\r¨)˜Æ‘A•X®ê2E¹0	\x06\x05+\x0e\x03\x02\x1a\x05\0 ‚\x01¯0\x18\x06	*†H†÷\r\x01	\x031\v\x06	*†H†÷\r\x01\a\x010\x1c\x06	*†H†÷\r\x01	\x051\x0f\x17\r011217034324Z0#\x06	*†H†÷\r\x01	\x041\x16\x04\x14e>üNÃù\x1eOáÛùÊúKóÿ‚A}\x1e0X\x06	*†H†÷\r\x01	\x0f1K0I0
\x06\b*†H†÷\r\x03\a0\x0e\x06\b*†H†÷\r\x03\x02\x02\x02\0€0\a\x06\x05+\x0e\x03\x02\a0\r\x06\b*†H†÷\r\x03\x02\x02\x01(0\a\x06\x05+\x0e\x03\x02\x1a0
\x06\b*†H†÷\r\x02\x050õ\x06	+\x06\x01\x04\x01‚7\x10\x041ç0ä0Ï1-0+\x06\x03U\x04
\x13$Certisign Certificadora Digital LTDA1\x1f0\x1d\x06\x03U\x04\v\x13\x16VeriSign Trust Network1?0=\x06\x03U\x04\v\x136Terms of use at https://www.certisign.com.br/RPA (c)991<0:\x06\x03U\x04\x03\x133Certisign Class 1 Consumer Individual Subscriber CA\x02\x10\r\r¨)˜Æ‘A•X®ê2E¹0\r\x06	*†H†÷\r\x01\x01\x01\x05\0\x04@9«+ŸÑt{’>"\x10Iž„Ò´êÿ–ÄÅç¤g2ò ÄäO\brLJÎƒNûÏ[\x18y\îÃJŒB'¨\x18½ñ\x13^[þžçÅñ¡iæ\0\0\0\0\0\0

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/

^ permalink raw reply	[flat|nested] 3+ messages in thread