* binding nntp to one interface
@ 2002-09-12 7:05 Rasmus Reinholdt Nielsen
2002-09-12 9:15 ` Anders Fugmann
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Rasmus Reinholdt Nielsen @ 2002-09-12 7:05 UTC (permalink / raw)
To: netfilter
Hi
I have two different internet connections, to two different ISPs, set up
as load balancing.
My problem is that both my ISPs have IP-restricted their news servers, so I
need to bind all outgoing traffic on port 119 to a specific interface or IP.
Anybody knows how to do this?
I have tried using REDIRECT but it didn't work:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 119 -j REDIRECT --to <wan-ip>
and I get an error of "Invalid argument" on this SNAT rule:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 119 -j SNAT --to <wan-ip>
Hope somebody knows how to do this.
Thanks
/Rasmus
* RE: binding nntp to one interface
@ 2002-09-12 7:26 İhsan Turkmen
2002-09-12 7:55 ` Rasmus Reinholdt Nielsen
0 siblings, 1 reply; 10+ messages in thread
From: İhsan Turkmen @ 2002-09-12 7:26 UTC (permalink / raw)
To: 'Rasmus Reinholdt Nielsen', netfilter
Rasmus.
SNAT cannot be defined in PREROUTING; you must use the POSTROUTING table. This
is your first failure.
-----Original Message-----
From: Rasmus Reinholdt Nielsen [mailto:rasmus@narani.dk]
Sent: Thursday, September 12, 2002 10:06 AM
To: netfilter@lists.samba.org
Subject: binding nntp to one interface
Hi
I have two different internet connections, to two different ISPs, set up
as load balancing.
My problem is that both my ISPs have IP-restricted their news servers, so I
need to bind all outgoing traffic on port 119 to a specific interface or IP.
Anybody knows how to do this?
I have tried using REDIRECT but it didn't work:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 119 -j REDIRECT --to <wan-ip>
and I get an error of "Invalid argument" on this SNAT rule:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 119 -j SNAT --to <wan-ip>
Hope somebody knows how to do this.
Thanks
/Rasmus
* RE: binding nntp to one interface
2002-09-12 7:26 İhsan Turkmen
@ 2002-09-12 7:55 ` Rasmus Reinholdt Nielsen
0 siblings, 0 replies; 10+ messages in thread
From: Rasmus Reinholdt Nielsen @ 2002-09-12 7:55 UTC (permalink / raw)
To: İhsan Turkmen, netfilter
Thanks.
I can now set the rule, but it doesn't help. What I guess I really need
is a way to bind all outgoing requests on port 119 to one interface, i.e. ppp0.
Anybody knows if this is possible?
Rasmus
At 10:26 12-09-2002 +0300, İhsan Turkmen wrote:
>Rasmus.
>SNAT can not be defined in PREROUTING , you must use POSTROUTING table. This
>is your first failure..
>
>
>-----Original Message-----
>From: Rasmus Reinholdt Nielsen [mailto:rasmus@narani.dk]
>Sent: Thursday, September 12, 2002 10:06 AM
>To: netfilter@lists.samba.org
>Subject: binding nntp to one interface
>
>
>Hi
>
>I have two different internet connections, to two different ISPs, set up
>as load balancing.
>
>My problem is that both my ISPs have IP-restricted their news servers, so I
>need to bind all outgoing traffic on port 119 to a specific interface or IP.
>Anybody knows how to do this?
>
>I have tried using REDIRECT but it didn't work
>
>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 119 -j REDIRECT --to <wan-ip>
>
>and I get an error of "Invalid argument" on this SNAT rule
>
>iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 119 -j SNAT --to <wan-ip>
>
>hope somebody knows how to do this.
>
>Thanks
>
>/Rasmus
* Re: binding nntp to one interface
2002-09-12 7:05 binding nntp to one interface Rasmus Reinholdt Nielsen
@ 2002-09-12 9:15 ` Anders Fugmann
2002-09-12 10:22 ` Antony Stone
[not found] ` <5.1.0.14.2.20020912131043.02711d58@of23sm3>
2 siblings, 0 replies; 10+ messages in thread
From: Anders Fugmann @ 2002-09-12 9:15 UTC (permalink / raw)
To: Rasmus Reinholdt Nielsen; +Cc: netfilter
Rasmus Reinholdt Nielsen wrote:
> Hi
>
> I have two different internet connections, to two different ISPs, set
> up as load balancing.
>
> My problem is that both my ISPs have IP-restricted their news servers,
> so I need to bind all outgoing traffic on port 119 to a specific
> interface or IP. Anybody knows how to do this?
You have to use the iproute2 program package to do this. iptables cannot
set or change routes, only hint at how routing should be done by marking
packets. In the mangle PREROUTING chain, use the MARK target to mark the
packets with some id:
iptables -t mangle -A PREROUTING -d news.isp.dk -p tcp --dport 119 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d news.isp.dk -p tcp --dport 119 -j MARK --set-mark 1
Next use the iproute2 package and create a routing policy, which
sends the packets to the correct routing table.
I'm not that familiar with iproute2, but I guess that the following
would work:
list all possible routes to the news server:
$ ip route get news.isp.dk
This should list two routes:
xx.xx.xx.xx dev eth0 src yy.yy.yy.yy realms AA...
xx.xx.xx.xx dev eth1 src zz.zz.zz.zz realms BB...
Say that you want to route through eth0, then instruct the routing that
it should route all packets with mark 1 to this realm:
$ ip rule add fwmark 1 table AA prio 100
As I said, I am not familiar with this, so it is only a qualified
guess. Take a look at lartc.org and the documentation in the iproute
package on how to set this up.
Hope it works
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent/Iptables FIREWALL
http://fiaif.fugmann.dhs.org
* Re: binding nntp to one interface
2002-09-12 7:05 binding nntp to one interface Rasmus Reinholdt Nielsen
2002-09-12 9:15 ` Anders Fugmann
@ 2002-09-12 10:22 ` Antony Stone
2002-09-12 11:31 ` IPTABLES NewBie HareRam
[not found] ` <5.1.0.14.2.20020912131043.02711d58@of23sm3>
2 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2002-09-12 10:22 UTC (permalink / raw)
To: netfilter
On Thursday 12 September 2002 8:05 am, Rasmus Reinholdt Nielsen wrote:
> Hi
>
> I have two different internet connections, to two different ISPs, set up
> as load balancing.
>
> My problem is that both my ISPs have IP-restricted their news servers, so I
> need to bind all outgoing traffic on port 119 to a specific interface or IP.
> Anybody knows how to do this?
I'm not sure I understand the problem.
You have an nntp server set up to connect to your ISP's nntp server (either
one, or both, of your ISPs).
Because your ISPs' systems are very close (in network hops) to your external
interface, surely your routing makes sure that requests to ISP A's nntp
server go through the connection to ISP A, and requests to ISP B's nntp
server go through the connection to ISP B?
Then you just need to decide whether your nntp server is going to connect
only to one, or to both, of your ISPs.
Alternatively, if your routing doesn't automatically determine which way to
get to either of your ISPs servers, a few iproute2 commands should fix this.
I don't think you need to do anything with netfilter (in fact I don't think
you can) because this sounds like a routing issue, not a filtering problem.
Antony.
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
* IPTABLES NewBie
2002-09-12 10:22 ` Antony Stone
@ 2002-09-12 11:31 ` HareRam
2002-09-12 13:54 ` Antony Stone
0 siblings, 1 reply; 10+ messages in thread
From: HareRam @ 2002-09-12 11:31 UTC (permalink / raw)
To: netfilter
Hi all
I am using Red Hat 7.2 with iptables 1.2.4, upgraded
and patched with p-o-m.
Now my application is to allow only registered MAC addresses and drop all the rest.
I am having a home-based network.
Every customer has been given a specific address, since they have registered only one
PC for browsing;
he should get it only for that PC. They are using WinProxy and consuming a lot
of bandwidth.
Can I have a small example of how I enable only registered MACs to allow all
services,
and deny all the rest directly?
Right now I am using a script like this;
I am forwarding all the port-80 traffic to the Squid cache server:
m=modprobe
$m ip_conntrack_ftp
$m ip_conntrack_irc
$m ip_conntrack
$m ip_nat_ftp
$m ip_nat_irc
$m ip_queue
$m iptable_filter
$m iptable_mangle
$m iptable_nat
$m ip_tables
$m ipt_limit
$m ipt_LOG
$m ipt_mac
$m ipt_mark
$m ipt_MARK
$m ipt_MASQUERADE
$m ipt_MIRROR
$m ipt_multiport
$m ipt_owner
$m ipt_REDIRECT
$m ipt_REJECT
$m ipt_state
$m ipt_tcpmss
$m ipt_TCPMSS
$m ipt_tos
$m ipt_TOS
$m ipt_unclean
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -t nat -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -s 192.168.3.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
Suggest to me how I can have a sample to add, to deny unauthorised MAC addresses.
thanks in advance
hare
* Re: binding nntp to one interface
[not found] ` <5.1.0.14.2.20020912131043.02711d58@of23sm3>
@ 2002-09-12 11:51 ` Anders Fugmann
2002-09-12 11:55 ` Rasmus Reinholdt Nielsen
0 siblings, 1 reply; 10+ messages in thread
From: Anders Fugmann @ 2002-09-12 11:51 UTC (permalink / raw)
To: Rasmus Reinholdt Nielsen, netfilter
Rasmus Reinholdt Nielsen wrote:
> thanks a lot
>
> it seems like it's working now
Perfect. Glad I could help.
Just to be sure, were all the steps I gave you correct?
Regards
Anders Fugmann
--
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.
* Re: binding nntp to one interface
2002-09-12 11:51 ` binding nntp to one interface Anders Fugmann
@ 2002-09-12 11:55 ` Rasmus Reinholdt Nielsen
0 siblings, 0 replies; 10+ messages in thread
From: Rasmus Reinholdt Nielsen @ 2002-09-12 11:55 UTC (permalink / raw)
To: Anders Fugmann, netfilter
almost
insmod /lib/modules/2.4.19-pre9/kernel/net/ipv4/netfilter/iptable_mangle.o
iptables -t mangle -A PREROUTING -d news.isp.dk -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d news.isp.dk -j MARK --set-mark 1
for the iptables marking and
echo 203 table1.out >> /etc/iproute2/rt_tables
echo 204 table2.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table table1.out
ip rule add fwmark 2 table table2.out
ip route add default via <gateway1> dev ppp0 table table1.out
ip route add default via <gateway2> dev eth2 table table2.out
for iproute2
and it all works like a beauty.
Thanks again
Rasmus
At 13:51 12-09-2002 +0200, Anders Fugmann wrote:
>Rasmus Reinholdt Nielsen wrote:
>>thanks a lot
>>it seems like it's working now
>Perfect. Glad I could help.
>Just to be sure, was all the steps I gave you correct?
>
>Regards
>Anders Fugmann
>
>--
>Neo: 'Can you fly that thing?'
>Trinity: 'Not yet'.
>$ apt-get install pilot-prg-v212helicopter.
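The recipe Rasmus ends up with (MARK in mangle, a named table in rt_tables, an ip rule keyed on the mark, a default route in that table) collected into one script. This is an added example, not code from the thread: the link name ppp0, the gateway 10.0.0.1, the table id 203 and name news.out, and the mark value 1 are placeholders. Two details differ from the posts on purpose and are stated here: the match is on -p tcp --dport 119 alone, which is what the original question asked for ("all outgoing traffic on port 119") rather than one news-server address, and a POSTROUTING MASQUERADE on the chosen link is included because a LAN client whose packet is policy-routed out ppp0 must also leave with ppp0's address, or the ISP's IP restriction still rejects it (this is the SNAT that, as İhsan noted, belongs in POSTROUTING). By default the script only prints the commands; --apply pipes them into sh and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): send outbound NNTP (tcp/119) over one
# uplink with a firewall mark plus iproute2 policy routing.
# Assumed placeholders, not taken from the thread:
NEWS_LINK_DEV=ppp0          # interface whose ISP runs the reachable news server
NEWS_LINK_GW=10.0.0.1       # that link's gateway
NEWS_MARK=1                 # fwmark value
NEWS_TABLE_ID=203           # numeric id for /etc/iproute2/rt_tables
NEWS_TABLE=news.out         # table name

# Mark every TCP/119 flow, both forwarded from the LAN (PREROUTING) and
# originated on the router itself (OUTPUT). Marking only PREROUTING would
# leave a local news client on the default, load-balanced path.
nntp_mark_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp --dport 119 -j MARK --set-mark $NEWS_MARK
iptables -t mangle -A OUTPUT -p tcp --dport 119 -j MARK --set-mark $NEWS_MARK
EOF
}

# iproute2 side: register the table name once, select the table by mark,
# and give that table a single default route through the chosen link.
nntp_policy_routes() {
    cat <<EOF
grep -q "^$NEWS_TABLE_ID $NEWS_TABLE\$" /etc/iproute2/rt_tables || echo "$NEWS_TABLE_ID $NEWS_TABLE" >> /etc/iproute2/rt_tables
ip rule add fwmark $NEWS_MARK table $NEWS_TABLE
ip route add default via $NEWS_LINK_GW dev $NEWS_LINK_DEV table $NEWS_TABLE
ip route flush cache
EOF
}

# Source address must match the link the packet leaves on, otherwise the
# ISP still sees the other uplink's address and refuses the connection.
nntp_snat_rule() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $NEWS_LINK_DEV -p tcp --dport 119 -j MASQUERADE
EOF
}

# Sanity check used by the test: how many emitted lines carry the mark
# (two --set-mark rules plus one fwmark rule).
count_mark_lines() {
    { nntp_mark_rules; nntp_policy_routes; } | grep -c -e "fwmark $NEWS_MARK" -e "set-mark $NEWS_MARK"
}

case "${1:-}" in
    --apply) { nntp_mark_rules; nntp_policy_routes; nntp_snat_rule; } | sh -e ;;
    *)       nntp_mark_rules; nntp_policy_routes; nntp_snat_rule ;;   # dry run: print only
esac
```

After applying, `ip route get <news-server-ip> mark 1` shows the route the marked packets will take, so the table selection can be checked without sending traffic. On a multi-homed box with rp_filter enabled, replies arriving on the link that is not the kernel's default path for that source can be dropped as spoofed; if the marked connections stall, check /proc/sys/net/ipv4/conf/*/rp_filter before blaming the rules.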
* Re: IPTABLES NewBie
2002-09-12 11:31 ` IPTABLES NewBie HareRam
@ 2002-09-12 13:54 ` Antony Stone
2002-09-14 9:23 ` NAT and NAT HareRam
0 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2002-09-12 13:54 UTC (permalink / raw)
To: netfilter
On Thursday 12 September 2002 12:31 pm, HareRam wrote:
> can i have small example how do i enable only register MAC to allow all
> Services
> rest all should deny directly
I suggest you create a special user-defined chain for MAC address matching,
and call it near the top of your FORWARD chain:
iptables -N macmatch
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j macmatch
... other FORWARDing rules allowing specific protocols etc ...
iptables -A macmatch -m mac --mac-source 00:11:22:33:44:55 -j RETURN
iptables -A macmatch -m mac --mac-source 11:22:33:44:55:66 -j RETURN
iptables -A macmatch -m mac --mac-source 22:33:44:55:66:77 -j RETURN
iptables -A macmatch -j DROP
where the macmatch rules list all your permitted MAC addresses.
The reason for putting the jump to the macmatch chain after the ESTABLISHED,
RELATED rule in your FORWARD chain is so that MAC matching is only done on
the first packet of each connection - if that is accepted then there's no
need to do all the checking again for every other packet in the connection.
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
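Antony's macmatch chain, generated from a whitelist file instead of typed by hand. This is an added example and is neither Antony's nor HareRam's code; the whitelist format (one MAC per line, '#' comments) and the LAN interface name eth1 are choices made for the example. The point it adds is input validation: every entry is checked against a strict MAC pattern before it is spliced into an iptables command, so a stray option or shell metacharacter in the file cannot turn into an extra rule. The FORWARD hook is also restricted to -i eth1, because the mac match only sees a source MAC on frames that arrived on an Ethernet-like interface and the check is only meaningful for traffic entering from the customers' side. One caveat a practitioner should keep in mind: a MAC address is not a credential. Any customer can set their card to a registered neighbour's address, so this is a bandwidth-policy tool, not authentication. As with the previous example, the script prints by default and applies with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): build the "macmatch" chain from a
# whitelist, validating each entry before it reaches iptables.
LAN_IF=eth1        # assumed: interface the customers' PCs are on

# Accept only canonical colon-separated MACs. Anything else (shell
# metacharacters, trailing options, typos) is rejected rather than being
# spliced into an iptables argument list.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read the whitelist on stdin and emit the chain: one RETURN per permitted
# MAC, then a final DROP. Invalid lines are reported on stderr and skipped.
macmatch_rules() {
    echo "iptables -N macmatch 2>/dev/null || iptables -F macmatch"
    while IFS= read -r line; do
        mac=${line%%#*}                          # strip trailing comment
        mac=$(printf '%s' "$mac" | tr -d ' \t')  # strip whitespace
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            echo "iptables -A macmatch -m mac --mac-source $mac -j RETURN"
        else
            echo "skipping invalid whitelist entry: $line" >&2
        fi
    done
    echo "iptables -A macmatch -j DROP"
}

# Hook the chain into FORWARD after the conntrack shortcut, as the reply
# above describes, so only the first packet of each flow pays for the check.
forward_hook() {
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -j macmatch
EOF
}

# Constructed sample whitelist (not real customers); the last two lines are
# deliberately bad to show what the validator rejects.
SAMPLE_WHITELIST='# customer 1
00:11:22:33:44:55
11:22:33:44:55:66   # customer 2
22:33:44:55:66:77; iptables -F   # rejected: not a bare MAC
zz:zz:zz:zz:zz:zz
'

# Number of permitted entries that made it into the chain.
count_permitted() {
    printf '%s' "$SAMPLE_WHITELIST" | macmatch_rules 2>/dev/null | grep -c -- '--mac-source'
}

case "${1:-}" in
    --apply) { printf '%s' "$SAMPLE_WHITELIST" | macmatch_rules; forward_hook; } | sh -e ;;
    *)       printf '%s' "$SAMPLE_WHITELIST" | macmatch_rules; forward_hook ;;
esac
```

Replace the embedded SAMPLE_WHITELIST with `macmatch_rules < /etc/customers.macs` in practice; the validator and the final DROP stay the same.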
* NAT and NAT
2002-09-12 13:54 ` Antony Stone
@ 2002-09-14 9:23 ` HareRam
0 siblings, 0 replies; 10+ messages in thread
From: HareRam @ 2002-09-14 9:23 UTC (permalink / raw)
To: netfilter
Hi all
I have an ADSL connection.
The ADSL provider did not provide a public IP;
he is doing NAT with the ADSL router.
I am trying to have a Red Hat box as a gateway for all.
My ADSL router IP is 192.168.40.1;
my router (Linux) is 192.168.40.2, gateway is 192.168.40.1.
Now on the router (Linux), another Ethernet starts from 192.168.30.1
and client IPs start from 192.168.30.2 ... 253.
I am running transparent Squid also,
and I have another link which is a public IP, also connected to the same network.
Here I am using another Linux server with a different IP block:
192.169.100.1 on ethernet 1, and clients are from 192.168.100.2 onwards.
Now I am looking:
I want to club both networks into one IP block and serve them load-balanced.
Is this NAT and NAT possible?
Are there any performance issues?
Are there any limitations?
How does the load automatically shift to link 2 if link 1 goes down?
How does the load automatically shift to link 1 if link 2 goes down?
Any sample URL or script will be appreciated.
thanks
hare