* [LARTC] routing
@ 2001-01-03 11:13 Spyros
  2001-01-03 12:37 ` David
                   ` (13 more replies)
  0 siblings, 14 replies; 15+ messages in thread
From: Spyros @ 2001-01-03 11:13 UTC (permalink / raw)
  To: lartc

Hello and Happy New Year!
We have a LAN with 2 interfaces. One is configured with addresses
192.168.0.x (pseudo-addresses) and the other one with real addresses, so we
use ip-masquerade. But we would like one of the workstations, which has the
address 192.168.0.5, to have a real address, such as 194.219.85.4, on the
first interface or on the second. Could you tell us how we can do it? Or
if you have another idea. Thanks.


* [LARTC] routing
  2001-01-03 11:13 [LARTC] routing Spyros
@ 2001-01-03 12:37 ` David
  2001-01-05 12:25 ` Junus
                   ` (12 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: David @ 2001-01-03 12:37 UTC (permalink / raw)
  To: lartc

<PRE>Spyros Dimas wrote:
>
> Hello and Happy New Year!
> We have a LAN with 2 interfaces. One is configured with addresses
> 192.168.0.x (pseudo-addresses) and other one with real addresses, so we
> use ip-masquerade. But we would like one of workstation witch has a
> address 192.168.0.5 to have a real address, such us 194.219.85.4, on the
>
> first interface or on the second. Could you tell us how we can do it. Or
> if you have
> another idea. Thanks.

This is really an issue for your firewall/masquerade software.  If you
are masquerading using Linux and either ipchains (2.2.x) or iptables
(2.4.x) it's easy.

In either case, your firewall/masquerade server needs to have
194.219.85.4 aliased on the external interface, then:

2.2.x:
get ipmasqadm and set up a portforward from the masq server to the
workstation. Assuming you want to forward only port 80, the following
will work: 
ipmasqadm portfw -a -P tcp -L 194.219.85.4 80 -R 192.168.0.5 80

better:
2.4.x:
use iptables and run the following:
iptables -t nat -A PREROUTING -d 194.219.85.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:80

With iptables you can easily omit the port stuff so everything passes
(just like the workstation is on the Internet) or qualify your matches
with -m multiport and select several individual ports or a range (or
ranges) of ports.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
		-- Nemesis Racing Team motto
*** sent via a Linux 2.4.0-test12 system ***


</PRE>
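
An added example, not part of David's post: a small audit of `iptables-save` output that separates DNAT rules limited to specific ports from rules that forward every port to an internal host, the case David describes as putting the workstation directly on the Internet. The sample ruleset is constructed from the addresses in this thread, and `audit_dnat` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): classify DNAT rules found in
# iptables-save output by how much of the internal host they expose.

# Constructed sample in iptables-save format, using the thread's addresses.
SAMPLE_RULES='*nat
-A PREROUTING -d 194.219.85.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.5:80
-A PREROUTING -d 194.219.85.4/32 -p tcp -m multiport --dports 25,110,8000:8080 -j DNAT --to-destination 192.168.0.5
-A PREROUTING -d 194.219.85.4/32 -j DNAT --to-destination 192.168.0.5
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Reads iptables-save text on stdin and prints one line per DNAT rule:
#   ALL-PORTS  <public dst> -> <internal target> proto=<proto>
#   RESTRICTED <public dst> -> <internal target> proto=<proto> ports=<list>
# A rule with no --dport/--dports forwards every port of the matched
# protocol (or every protocol when -p is absent as well).
# Negated matches ("! --dport") are not interpreted by this sketch.
audit_dnat() {
    awk '
    $1 == "-A" && / -j DNAT / {
        dst = "any"; to = "?"; ports = ""; proto = "all"
        for (i = 1; i < NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            if ($i == "--to-destination") to = $(i + 1)
        }
        if (ports == "")
            print "ALL-PORTS " dst " -> " to " proto=" proto
        else
            print "RESTRICTED " dst " -> " to " proto=" proto " ports=" ports
    }'
}

# Run the audit over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_dnat
```

On a live gateway the same function can be fed with `iptables-save -t nat | audit_dnat`; every `ALL-PORTS` line is a host whose exposure then depends entirely on the FORWARD chain.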


* [LARTC] routing
  2001-01-03 11:13 [LARTC] routing Spyros
  2001-01-03 12:37 ` David
@ 2001-01-05 12:25 ` Junus
  2001-01-05 12:33 ` Junus
                   ` (11 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Junus @ 2001-01-05 12:25 UTC (permalink / raw)
  To: lartc

<PRE>You could do it with kernel 2.2 without port assignment too:
You can keep using your ordinary masquerade and add the two command lines
below:

Make IP NAT:
- ip rule add from 192.168.0.5/32 nat 194.219.85.4
(to NAT a subnetwork from 192.168.0.4 - 192.168.0.7, just change the prefix
to 30:
- ip rule add from 192.168.0.4/30 nat 194.219.85.4)


Add IP aliasing 194.219.85.4 to the interface with the real address (e.g. eth0):
- ifconfig eth0:0 194.219.85.4 netmask 255.255.255.0
(or use the ip command:
- ip addr add 194.219.85.4/24 dev eth0)

Note: you must activate the advanced networking option in the Linux kernel
configuration before using the ip command.

Regards,
Junus Junarto D


</PRE>


* [LARTC] routing
  2001-01-03 11:13 [LARTC] routing Spyros
  2001-01-03 12:37 ` David
  2001-01-05 12:25 ` Junus
@ 2001-01-05 12:33 ` Junus
  2001-07-06 14:03 ` [LARTC] Routing Dave Miller
                   ` (10 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Junus @ 2001-01-05 12:33 UTC (permalink / raw)
  To: lartc

<PRE>You could do it with kernel 2.2 without port assignment too:
You can keep using your ordinary masquerade and add the two command lines
below:

Make IP NAT:
- ip rule add from 192.168.0.5/32 nat 194.219.85.4
(to NAT a subnetwork from 192.168.0.4 - 192.168.0.7, just change the prefix
to 30:
- ip rule add from 192.168.0.4/30 nat 194.219.85.4)


Add IP aliasing 194.219.85.4 to the interface with the real address (e.g. eth0):
- ifconfig eth0:0 194.219.85.4 netmask 255.255.255.0
(or use the ip command:
- ip addr add 194.219.85.4/24 dev eth0)

Note: you must activate the advanced networking option in the Linux kernel
configuration before using the ip command.

Regards,
Junus Junarto D


</PRE>


* [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (2 preceding siblings ...)
  2001-01-05 12:33 ` Junus
@ 2001-07-06 14:03 ` Dave Miller
  2001-07-06 15:01 ` Arthur van Leeuwen
                   ` (9 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Dave Miller @ 2001-07-06 14:03 UTC (permalink / raw)
  To: lartc

I am running RH 7.0 (kernel 2.2.16) as a router/masq machine with 5 windows machines connected internally.  I have 2 dsl lines as internet connections, - the first is 384k up and down.  The second is 1.5mbit down and only 90kb up.  Is there a way to send all my upload / requests out the 384 line, but have it return on the download side of the 1.5mb line?  That would give me the best of both worlds currently.  Since I'm using masq., does that complicate things?  Would I be better off using Kernel 2.4 with its advanced features?

Thanks 

Dave M.


* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (3 preceding siblings ...)
  2001-07-06 14:03 ` [LARTC] Routing Dave Miller
@ 2001-07-06 15:01 ` Arthur van Leeuwen
  2001-07-06 15:18 ` Dave Miller
                   ` (8 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Arthur van Leeuwen @ 2001-07-06 15:01 UTC (permalink / raw)
  To: lartc

On Fri, 6 Jul 2001, Dave Miller wrote:

> I am running RH 7.0 (kernel 2.2.16) as a router/masq machine with 5 windows
> machines connected internally.  I have 2 dsl lines as internet
> connections, - the first is 384k up and down.  The second is 1.5mbit down
> and only 90kb up.  Is there a way to send all my upload / requests out
> the 384 line, but have it return on the download side of the 1.5mb line?

If both lines serve the same network, yes. However, as the dsl lines are
most probably not to IP addresses in the same network, it is quite unlikely
that you will succeed. The problem is not whether or not you can configure
your system to do so; the problem is getting the rest of the world to
recognize that your return packets should be routed back to provider 2
even though your packets came from provider 1.

> That would give me the best of both worlds currently.
> Since I'm using masq., does that complicate things?
> Would I be better off using Kernel 2.4 with it's advanced features?

For routing that is a non-issue. All advanced routing stuff was in 2.2.17
already, but the traffic control stuff didn't mature until 2.4.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/


* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (4 preceding siblings ...)
  2001-07-06 15:01 ` Arthur van Leeuwen
@ 2001-07-06 15:18 ` Dave Miller
  2001-07-07  6:33 ` Deepak singhal
                   ` (7 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Dave Miller @ 2001-07-06 15:18 UTC (permalink / raw)
  To: lartc

Actually, both lines must use PPPOE - non static ip's (thanks Verizon and Bellatlantic), I had the Bellatlantic account before the merger, and now have the second through Verizon.  Doing a double pppoe is no big deal thanks to Roaring Penguin's software using the GUI that is available.  If my understanding is correct - if I could change the source address of all the packets going out through the 384 line to read what the pppoe address is for the 1.5mb line - should that not work?  The rest of the world would see the source address as that of  the 1.5 line instead of the 384 line. I just don't know how to do that.

Dave

----- Original Message ----- 
From: "Arthur van Leeuwen" <arthurvl@sci.kun.nl>
To: "Dave Miller" <lartc@millerscomp.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Friday, July 06, 2001 11:01 AM
Subject: Re: [LARTC] Routing


> On Fri, 6 Jul 2001, Dave Miller wrote:
> 
> > I am running RH 7.0 (kernel 2.2.16) as a router/masq machine with 5 windows
> > machines connected internally.  I have 2 dsl lines as internet
> > connections, - the first is 384k up and down.  The second is 1.5mbit down
> > and only 90kb up.  Is there a way to send all my upload / requests out
> > the 384 line, but have it return on the download side of the 1.5mb line?
> 
> If both lines serve the same network, yes. However, as the dsl lines are
> most probably not to IP addresses in the same network, it is quite unlikely
> that you will succeed. The problem is not whether or not you can configure
> your system to do so; the problem is getting the rest of the world to
> recognize that your return packets should be routed back to provider 2
> even though your packets came from provider 1.
> 
> > That would give me the best of both worlds currently.
> > Since I'm using masq., does that complicate things?
> > Would I be better off using Kernel 2.4 with it's advanced features?
> 
> For routing that is a non-issue. All advanced routing stuff was in 2.2.17
> already, but the traffic control stuff didn't mature until 2.4.
> 
> Doei, Arthur.
> 
> -- 
>   /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
>  /__\  /  | A friend is someone with whom | Love like you have never been hurt
> /    \/__ | you can dare to be yourself   | Dance like there's nobody watching
> 
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/


* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (5 preceding siblings ...)
  2001-07-06 15:18 ` Dave Miller
@ 2001-07-07  6:33 ` Deepak singhal
  2001-07-07 18:24 ` Arthur van Leeuwen
                   ` (6 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Deepak singhal @ 2001-07-07  6:33 UTC (permalink / raw)
  To: lartc

I think there is a simple solution to all this. This is what we do in DVB receive-only service. What you have to do is to masquerade all your outgoing traffic to some IP address of your 1.5 mb link and route it through the 384kbps link. As the IP address which is sent out is that of the 1.5 mb link, it will return back through your 1.5 mb link automatically.

The only restriction is that you should have real IPs for both links; what I mean by that is your outgoing traffic should not get masqueraded again, as then the traffic will come back through the same link.

Deepak Singhal
  ----- Original Message ----- 
  From: Dave Miller 
  To: LARTC@mailman.ds9a.nl 
  Sent: Friday, July 06, 2001 8:48 PM
  Subject: Re: [LARTC] Routing


  Actually, both lines must use PPPOE - non static ip's (thanks Verizon and Bellatlantic), I had the Bellatlantic account before the merger, and now have the second through Verizon.  Doing a double pppoe is no big deal thanks to Roaring Penguin's software using the GUI that is available.  If my understanding is correct - if I could change the source address of all the packets going out through the 384 line to read what the pppoe address is for the 1.5mb line - should that not work?  The rest of the world would see the source address as that of  the 1.5 line instead of the 384 line. I just don't know how to do that.

  Dave

  ----- Original Message ----- 
  From: "Arthur van Leeuwen" <arthurvl@sci.kun.nl>
  To: "Dave Miller" <lartc@millerscomp.com>
  Cc: <lartc@mailman.ds9a.nl>
  Sent: Friday, July 06, 2001 11:01 AM
  Subject: Re: [LARTC] Routing


  > On Fri, 6 Jul 2001, Dave Miller wrote:
  > 
  > > I am running RH 7.0 (kernel 2.2.16) as a router/masq machine with 5 windows
  > > machines connected internally.  I have 2 dsl lines as internet
  > > connections, - the first is 384k up and down.  The second is 1.5mbit down
  > > and only 90kb up.  Is there a way to send all my upload / requests out
  > > the 384 line, but have it return on the download side of the 1.5mb line?
  > 
  > If both lines serve the same network, yes. However, as the dsl lines are
  > most probably not to IP addresses in the same network, it is quite unlikely
  > that you will succeed. The problem is not whether or not you can configure
  > your system to do so; the problem is getting the rest of the world to
  > recognize that your return packets should be routed back to provider 2
  > even though your packets came from provider 1.
  > 
  > > That would give me the best of both worlds currently.
  > > Since I'm using masq., does that complicate things?
  > > Would I be better off using Kernel 2.4 with it's advanced features?
  > 
  > For routing that is a non-issue. All advanced routing stuff was in 2.2.17
  > already, but the traffic control stuff didn't mature until 2.4.
  > 
  > Doei, Arthur.
  > 
  > -- 
  >   /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
  >  /__\  /  | A friend is someone with whom | Love like you have never been hurt
  > /    \/__ | you can dare to be yourself   | Dance like there's nobody watching
  > 
  > 
  > _______________________________________________
  > LARTC mailing list / LARTC@mailman.ds9a.nl
  > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/


* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (6 preceding siblings ...)
  2001-07-07  6:33 ` Deepak singhal
@ 2001-07-07 18:24 ` Arthur van Leeuwen
  2001-07-07 18:33 ` Dave Miller
                   ` (5 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Arthur van Leeuwen @ 2001-07-07 18:24 UTC (permalink / raw)
  To: lartc


On Fri, 6 Jul 2001, Dave Miller wrote:

> Actually, both lines must use PPPOE - non static ip's (thanks Verizon and
> Bellatlantic), I had the Bellatlantic account before the merger, and now
> have the second through Verizon.  Doing a double pppoe is no big deal thanks
> to Roaring Penguin's software using the GUI that is available.  If my
> understanding is correct - if I could change the source address of all the
> packets going out through the 384 line to read what the pppoe address is for
> the 1.5mb line - should that not work?  The rest of the world would see the
> source address as that of  the 1.5 line instead of the 384 line. I just
> don't know how to do that.

Well, sorry, no. The upstream network may very well filter what it considers
'foreign' source addresses from its net, thereby effectively blocking all
your traffic. You can *try*, of course, but I wouldn't be surprised if you
cut off all your connectivity doing so.

If you want to try: the 'src' hints for routes are followed, independent of
the interface you route out of.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching



* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (7 preceding siblings ...)
  2001-07-07 18:24 ` Arthur van Leeuwen
@ 2001-07-07 18:33 ` Dave Miller
  2001-07-07 18:37 ` Arthur van Leeuwen
                   ` (4 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Dave Miller @ 2001-07-07 18:33 UTC (permalink / raw)
  To: lartc

I'm not convinced yet that it won't work.  Bellatlantic and Verizon are
actually on the same network.  The ip addresses that we get through the two
accounts overlap sometimes.  They will let us send email from a Verizon
account through a Bellatlantic connection and vice versa.  Do you have a
web address for the "src" hints to help me along?  If it doesn't work - well, so
be it.  However, I still want to give it a try.

Thanks for all the help so far.

Dave


>
> On Fri, 6 Jul 2001, Dave Miller wrote:
>
> > Actually, both lines must use PPPOE - non static ip's (thanks Verizon and
> > Bellatlantic), I had the Bellatlantic account before the merger, and now
> > have the second through Verizon.  Doing a double pppoe is no big deal thanks
> > to Roaring Penguin's software using the GUI that is available.  If my
> > understanding is correct - if I could change the source address of all the
> > packets going out through the 384 line to read what the pppoe address is for
> > the 1.5mb line - should that not work?  The rest of the world would see the
> > source address as that of  the 1.5 line instead of the 384 line. I just
> > don't know how to do that.
>
> Well, sorry, no. The upstream network may very well filter what it considers
> 'foreign' source addresses from its net, thereby effectively blocking all
> your traffic. You can *try*, ofcourse, but I wouldn't be surprised if you
> cut off all your connectivity doing so.
>
> If you want to try: the 'src' hints for routes are followed, independent of
> the interface you route out of.
>
> Doei, Arthur.
>
> --
>   /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
>  /__\  /  | A friend is someone with whom | Love like you have never been hurt
> /    \/__ | you can dare to be yourself   | Dance like there's nobody watching
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/



* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (8 preceding siblings ...)
  2001-07-07 18:33 ` Dave Miller
@ 2001-07-07 18:37 ` Arthur van Leeuwen
  2001-12-25  4:58 ` [LARTC] routing Daniel Wittenberg
                   ` (3 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Arthur van Leeuwen @ 2001-07-07 18:37 UTC (permalink / raw)
  To: lartc

On Sat, 7 Jul 2001, Dave Miller wrote:

> I'm not convinced yet that it won't work.  Bellatlatic and Verizon are
> actually on the same network.  The ip addresses that we get through the two
> accounts overlap sometimes.  They will let us send email from a Verizon
> account through a Bellatlantic connection and vise-versa.  Do you have an
> web address for the "src" hints to help me along.  If it doesn't work -we so
> be it.  However, I still want to give it a try.

Hey, you might very well indeed be lucky. Let me get home first and have
a good night's rest and I'll send you a somewhat complete setup script
tomorrow.

Doei, Arthur. (Who thinks co-location facilities are too darn cold)

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching



* Re: [LARTC] routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (9 preceding siblings ...)
  2001-07-07 18:37 ` Arthur van Leeuwen
@ 2001-12-25  4:58 ` Daniel Wittenberg
  2001-12-25 12:16 ` bert hubert
                   ` (2 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Daniel Wittenberg @ 2001-12-25  4:58 UTC (permalink / raw)
  To: lartc

Ok, so I think I understand this simple routing question.  I have
several internal subnets: 172.16.1.0/24, 172.16.2.0/24, etc.  I have 2
out-going network links:
1.1.1.1 and 2.2.2.2

So I can change the out-going route by using:
echo "100 link1" >> /etc/iproute2/rt_tables
ip rule add from 172.16.1.0/24 table link1
ip rule add from 172.16.2.0/24 table link1
ip route add default via 1.1.1.1 dev $EXTERNAL_INTERFACE table link1

echo "200 link2" >> /etc/iproute2/rt_tables
ip rule add from 172.16.3.0/24 table link2
ip rule add from 172.16.4.0/24 table link2
ip rule add from 172.16.5.0/24 table link2
ip route add default via 2.2.2.2 dev $EXTERNAL_INTERFACE table link2


and if I understand this correctly, this doesn't change anything in
iptables, so I can still this at the end of my firewall script.  I'll
also want to use SNAT and change the out-going IP's so they come back on
the correct link.  Look good?  I can't test this in production very
often, so before I do I thought I'd run it by everyone since I'm very
much a newbie on tc...

Thanks!
Dan


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/


* Re: [LARTC] routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (10 preceding siblings ...)
  2001-12-25  4:58 ` [LARTC] routing Daniel Wittenberg
@ 2001-12-25 12:16 ` bert hubert
  2002-10-30 12:57 ` [LARTC] Routing Jose Sebastiao Martins
  2002-10-30 15:57 ` Martin A. Brown
  13 siblings, 0 replies; 15+ messages in thread
From: bert hubert @ 2001-12-25 12:16 UTC (permalink / raw)
  To: lartc

On Mon, Dec 24, 2001 at 10:58:14PM -0600, Daniel Wittenberg wrote:

> So I can change the out-going route by using:
> echo "100 link1" >> /etc/iproute2/rt_tables
> ip rule add from 172.16.1.0/24 table link1
> ip rule add from 172.16.2.0/24 table link1
> ip route add default via 1.1.1.1 dev $EXTERNAL_INTERFACE table link1
> 
> echo "200 link2" >> /etc/iproute2/rt_tables
> ip rule add from 172.16.3.0/24 table link2
> ip rule add from 172.16.4.0/24 table link2
> ip rule add from 172.16.5.0/24 table link2
> ip route add default via 2.2.2.2 dev $EXTERNAL_INTERFACE table link2

Looks good.

> and if I understand this correctly, this doesn't change anything in
> iptables, so I can still this at the end of my firewall script.  I'll
> also want to use SNAT and change the out-going IP's so they come back on
> the correct link.  Look good?  I can't test this in production very
> often, so before I do I thought I'd run it by everyone since I'm very
> much a newbie on tc...

We use a combination of SNAT/DNAT, MASQ, CBQ, iptables AND Policy routing in
production, and it all works fine.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
Linux Advanced Routing & Traffic Control: http://ds9a.nl/lartc
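
An added example, not code from Dan's or bert's messages: a dry run that prints the policy-routing commands from Dan's post together with the SNAT rule each uplink needs, and refuses an uplink whose SNAT source lies outside the prefix its provider accepts, which is the filtering Arthur van Leeuwen warned about earlier in the thread. The interface name, provider prefixes and SNAT addresses are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run only: it prints commands and
# never changes routing or netfilter state.
# Constructed values: interface eth1, the per-uplink prefixes and the SNAT
# addresses (documentation ranges). Gateways and subnets are the ones Dan posted.

EXT_IF=eth1

# Fields: table-id name gateway prefix-accepted-upstream SNAT-source subnets
UPLINKS='100 link1 1.1.1.1 192.0.2.0/24    192.0.2.10    172.16.1.0/24,172.16.2.0/24
200 link2 2.2.2.2 198.51.100.0/24 198.51.100.10 172.16.3.0/24,172.16.4.0/24,172.16.5.0/24'

# Dotted quad -> 32-bit integer. The ( ) body keeps the IFS change local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds when address $1 lies inside CIDR prefix $2.
in_cidr() (
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
)

# Print the commands for one uplink record. If the SNAT source is outside
# the prefix the uplink's provider accepts, print a refusal and fail instead:
# an upstream source-address filter would drop those packets.
plan_uplink() (
    set -- $1                       # split the record on whitespace
    id=$1 name=$2 gw=$3 prefix=$4 snat=$5 subnets=$6
    if ! in_cidr "$snat" "$prefix"; then
        echo "REFUSED $name: source $snat is outside $prefix (upstream may filter it)"
        exit 1                      # leaves only this function's subshell
    fi
    # Register the table name once, so re-running the firewall script does
    # not append duplicate lines to rt_tables.
    echo "grep -q '^$id[[:space:]]' /etc/iproute2/rt_tables || echo '$id $name' >> /etc/iproute2/rt_tables"
    echo "ip route replace default via $gw dev $EXT_IF table $name"
    IFS=,
    for net in $subnets; do
        echo "ip rule add from $net table $name"
        # Same selector as the rule above, so the source address always
        # matches the link the packet is routed out of.
        echo "iptables -t nat -A POSTROUTING -s $net -o $EXT_IF -j SNAT --to-source $snat"
    done
)

# Plan every uplink in UPLINKS; a refused uplink does not stop the others.
plan_all() {
    printf '%s\n' "$UPLINKS" | while IFS= read -r rec; do
        plan_uplink "$rec" || true
    done
}

plan_all
# Dave's idea from earlier in the thread: leave via link1 but use link2's
# address as the source. With separate provider prefixes this is refused.
plan_uplink '100 link1 1.1.1.1 192.0.2.0/24 198.51.100.10 172.16.1.0/24' || true
```

The SNAT address must also be configured on the router itself, otherwise replies sent to it are not accepted.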


* [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (11 preceding siblings ...)
  2001-12-25 12:16 ` bert hubert
@ 2002-10-30 12:57 ` Jose Sebastiao Martins
  2002-10-30 15:57 ` Martin A. Brown
  13 siblings, 0 replies; 15+ messages in thread
From: Jose Sebastiao Martins @ 2002-10-30 12:57 UTC (permalink / raw)
  To: lartc

Hi all,

I'm new to iproute2 and iptables. It's a very simple topology:



world--a.b.c.d--|router|--x.y.z.10--x.y.z.8--|linux+iptables|
                                                             |
                                                        172.16.0.1
                                                             |
                                                            / \
                                                           / HUB
                                               linux1=172.16.0.200

I can ping x.y.z.8 from private net linux1 or $windows but not
the router interface x.y.z.10.
Here are my settings:

ip ro sh
200.179.120.0/23 dev eth1  scope link
172.16.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 200.179.120.10 dev eth1

ip ru sh
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup 253

If I try:
ip route add 172.16.0.0/16 via 200.179.120.10
ip route add 172.16.0.0/16 via 200.179.120.8
I get
File exists

I'm already setting the rules. For now it's completely open.
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Please, what am I missing?

TIA
Jose Sebastiao Martins
tiao@int.efoa.br




^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [LARTC] Routing
  2001-01-03 11:13 [LARTC] routing Spyros
                   ` (12 preceding siblings ...)
  2002-10-30 12:57 ` [LARTC] Routing Jose Sebastiao Martins
@ 2002-10-30 15:57 ` Martin A. Brown
  13 siblings, 0 replies; 15+ messages in thread
From: Martin A. Brown @ 2002-10-30 15:57 UTC (permalink / raw)
  To: lartc


Jose,

You show your filters (iptables -t filter -nL), but you don't show your 
NAT tables.  You should probably be using NAT/masquerading on this 
machine, since it connects an RFC1918 network (172.16.0.0/xx) to the 
Internet.

Check the netfilter list, archives, and HOWTOs--LARTC isn't the right 
forum for your question.

  http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
  http://iptables-tutorial.frozentux.net/

Nonetheless, you probably want to do something like this:

# iptables -t nat -A POSTROUTING -o $OUTSIDE_INTERFACE -j SNAT \
> --to-source x.y.z.8

Good luck,

-Martin

 : Hi all,
 : 
 : I'm new to iproute2 and iptables. It's a very simple topology:
 : 
 : world--a.b.c.d--|router|--x.y.z.10--x.y.z.8--|linux+iptables|
 :                                                              |
 :                                                         172.16.0.1
 :                                                              |
 :                                                             / \
 :                                                            / HUB
 :                                                linux1=172.16.0.200
 : 
 : I can ping x.y.z.8 from private net linux1 or $windows but not
 : the router interface x.y.z.10.
 : Here are my settings:
 : 

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

^ permalink raw reply	[flat|nested] 15+ messages in thread
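The point made in the reply above (the filter table was shown, the NAT table was not) can be turned into a repeatable check. This is an added example, not part of the original thread: the rule sets are constructed samples in `iptables -t nat -S` format, 192.0.2.8 stands in for x.y.z.8, eth1 is taken as the outside interface from the posted route table, and `nat_target` and `audit` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit nat-table rules for source NAT on the outside interface.
# On a live box, feed it real rules:  audit "$(iptables -t nat -S)" eth1

# Constructed sample: nat table with policies only, as on a box that was
# configured through the filter table alone.
NO_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: the same table after adding the suggested SNAT rule.
WITH_SNAT="$NO_NAT
-A POSTROUTING -o eth1 -j SNAT --to-source 192.0.2.8"

# nat_target RULES OUT_IF
# Prints "SNAT <addr>" or "MASQUERADE" for the first POSTROUTING rule that
# applies to OUT_IF (rules without -o apply everywhere; "! -o X" is honoured).
# Returns 1 when no such rule exists.
nat_target() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            out = ""; neg = 0; tgt = ""; src = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
                if ($i == "-j")          tgt = $(i + 1)
                if ($i == "--to-source") src = $(i + 1)
            }
            # Skip rules bound to a different interface.
            if (out != "" && ((out == ifc) == neg)) next
            if (tgt == "SNAT")       { print "SNAT " src; found = 1; exit }
            if (tgt == "MASQUERADE") { print "MASQUERADE"; found = 1; exit }
        }
        END { exit !found }'
}

# audit RULES OUT_IF: human-readable verdict, non-zero status when NAT is missing.
audit() {
    if t=$(nat_target "$1" "$2"); then
        echo "ok: traffic leaving $2 is rewritten ($t)"
    else
        echo "missing: no SNAT/MASQUERADE for $2; 172.16.0.0/16 sources leave untranslated"
        return 1
    fi
}

audit "$NO_NAT" eth1 || true
audit "$WITH_SNAT" eth1
```

A "missing" verdict matches the symptom in the question: the upstream router receives packets with 172.16.x.x sources and has no route back to them, so replies never arrive.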
