From: <t....@co...> - 2004-01-15 23:54:17
> Russell Packer wrote on 15.01.2004 22:45 MET:
> > Hi all,
> >
> > Just having a bit of routing fun and wondering if anyone can help?
> >
> > This is my ifcfg-eth0 config:
> >
> >   DHCP=no
> >   DHCP=no
> >   ONBOOT=yes
> >   DEVICE=eth0
> >   IP=217.33.42.210
> >   NETMASK=255.255.255.240
> >   MODULE=eepro100
> >   #ROUTE="$ROUTE 217.33.42.211:192.168.3.17"
> >
> > and ifcfg-eth2 config:
> >
> >   DHCP=no
> >   DHCP=no
> >   ONBOOT=yes
> >   DEVICE=eth2
> >   IP=192.168.3.1
> >   NETMASK=255.255.255.0
> >   MODULE=eepro100
> >   #ROUTE="$ROUTE 217.33.42.211"
> >
> > I've tried all sorts of things in ROUTE for both adapters and I just can't get it to work!
> >
> > What I am trying to achieve is that anything coming in over eth0 bound for address 217.33.42.211 gets routed to 192.168.3.17 (off eth2). I am also running iptables and have a NAT rule set up for this. I use Fwbuilder for the iptables stuff, so I think I can trust that :) Outbound is great - I connect to a website from 192.168.3.17 and it shows my IP as 217.33.42.211 - it's just inbound.
> >
> > (Oddly, from the firewall itself I can always get through to the correct host - whether I go to 217.33.42.211 or 192.168.3.17. It's just when I try to come in from outside... )
> >
> > It should be sooo easy. I'm feeling dim now :/
> >
>
> Set up the route in ifcfg-eth2 (yes, eth2 NOT eth0!)
>    ROUTE="$ROUTE 217.33.42.211:192.168.3.17"
> (remove the ROUTE line from eth0!)
>
> Set an ARP entry on eth0
>    arp -i eth0 -s 217.33.42.211 XX:XX:XX:XX:XX:XX pub
>
> with XX:XX:XX:XX:XX:XX being the MAC address of eth0,
> which should attract all the traffic for 217.33.42.211
> to your host, and then the routing table jumps in.
>
> Don't forget to set an entry in the FORWARD table via
> iptables.

Does DL support IP aliases? That's how my SnapGear Linux based firewall does it: just set two IPs on eth0, then add a forwarding rule to the NAT. I suppose it does the same thing but seems a bit cleaner somehow.

Tim
From: Russell P. <rus...@ar...> - 2004-01-16 09:53:56
> Russell Packer wrote on 15.01.2004 22:45 MET:
> > Hi all,
> >
> > Just having a bit of routing fun and wondering if anyone can help?
> >
> > What I am trying to achieve is that anything coming in over eth0 bound for address 217.33.42.211 gets routed to 192.168.3.17 (off eth2). I am also running iptables and have a NAT rule set up for this. I use Fwbuilder for the iptables stuff, so I think I can trust that :) Outbound is great - I connect to a website from 192.168.3.17 and it shows my IP as 217.33.42.211 - it's just inbound.
> >
> > (Oddly, from the firewall itself I can always get through to the correct host - whether I go to 217.33.42.211 or 192.168.3.17. It's just when I try to come in from outside... )
> >
> > It should be sooo easy. I'm feeling dim now :/
> >
>
> Set up the route in ifcfg-eth2 (yes, eth2 NOT eth0!)
>    ROUTE="$ROUTE 217.33.42.211:192.168.3.17"
> (remove the ROUTE line from eth0!)
>
> Set an ARP entry on eth0
>    arp -i eth0 -s 217.33.42.211 XX:XX:XX:XX:XX:XX pub
>
> with XX:XX:XX:XX:XX:XX being the MAC address of eth0,
> which should attract all the traffic for 217.33.42.211
> to your host, and then the routing table jumps in.
>
> Don't forget to set an entry in the FORWARD table via
> iptables.
>

Ah ha. Yes, the arp entry... should have remembered! The next thing is, what if I wanted to do this "on the fly"? Those ifcfg files are only read at boot-time, no? I tried using the "ip" command, and it all got a bit... confusing!

At least the pieces of the puzzle are falling into place now, but I could have sworn from what I'd read that I wouldn't have to play with routing tables and the like when using iptables. Going to have to read more!

Thanks!
From: Friedrich L. <fl...@fl...> - 2004-01-16 10:29:40
Russell Packer wrote on 16.01.2004 10:53 MET:
>
> The next thing is, what if I wanted to do this "on the fly"?
> Those ifcfg files are only read at boot-time, no?

Guess what, I already did the job for you by implementing a feature in the network script to just start or stop a single interface. Just add the interface after the start or stop option, e.g.

   /etc/init.d/networking stop eth0
   /etc/init.d/networking start eth0

to reconfigure the interface eth0 with the changes made to ifcfg-eth0.

--
MfG / Regards
Friedrich Lobenstock
____________________________________________________________________
Friedrich Lobenstock                       Linux Services Lobenstock
URL: http://www.lsl.at/                    Email: fl...@fl...
____________________________________________________________________
From: Friedrich L. <fl...@fl...> - 2004-01-16 10:43:55
Russell Packer wrote on 16.01.2004 10:53 MET:
>>
>> Set up the route in ifcfg-eth2 (yes, eth2 NOT eth0!)
>>    ROUTE="$ROUTE 217.33.42.211:192.168.3.17"
>> (remove the ROUTE line from eth0!)
>>
>> Set an ARP entry on eth0
>>    arp -i eth0 -s 217.33.42.211 XX:XX:XX:XX:XX:XX pub
>>
>> with XX:XX:XX:XX:XX:XX being the MAC address of eth0,
>> which should attract all the traffic for 217.33.42.211
>> to your host, and then the routing table jumps in.
>>
>> Don't forget to set an entry in the FORWARD table via
>> iptables.
>>
>
>
> Ah ha. Yes, the arp entry... should have remembered!
....
>
> At least the pieces of the puzzle are falling into place
> now, but I could have sworn from what I'd read that I
> wouldn't have to play with routing tables and the like
> when using iptables. Going to have to read more!

Possibly you also need to "turn on" some of the
/proc/sys/net/ipv4/conf/*/proxy_arp "knobs".

And yes, reading the available howtos on the net helps a lot ;-)

If you got it all together and tested, could you possibly write a short howto for our documentation? Thanks.

--
MfG / Regards
Friedrich Lobenstock
From: Jet <jc...@se...> - 2004-01-16 11:15:39
To start or restart the alias interface, you can either

   /etc/init.d/network restart

or just simply

   /etc/init.d/network start eth0:0

By the way, "save-config" DOES NOT save your arp entry.

- Jet

>>
>
> Ah ha. Yes, the arp entry... should have remembered! The next thing
> is, what if I wanted to do this "on the fly"? Those ifcfg files are
> only read at boot-time, no? I tried using the "ip" command, and it
> all got a bit... confusing!
>
> At least the pieces of the puzzle are falling into place now, but I
> could have sworn from what I'd read that I wouldn't have to play with
> routing tables and the like when using iptables. Going to have to
> read more!
>
> Thanks!
>
>
From: Friedrich L. <fl...@fl...> - 2004-01-16 13:30:01
Hi!

*Can you please set the realname. THX!*

Jet wrote on 16.01.2004 12:17 MET:
>
> By the way, "save-config" DOES NOT save your arp entry.

You are right, but you are always free to send in a patch that saves all the published ARP entries before save-config.

But let's wait for Russell to report back what and how it worked.

--
MfG / Regards
Friedrich Lobenstock
From: Russell P. <rus...@ar...> - 2004-01-16 10:49:39
> Possibly you also need to "turn on" some of the
> /proc/sys/net/ipv4/conf/*/proxy_arp "knobs".
>
> And yes, reading the available howtos on the net helps a lot ;-)
>
>
> If you got it all together and tested, could you possibly write a short
> howto for our documentation? Thanks.
>

Indeed. I've been documenting everything so far, so once it does all work I'd be happy to send something in (Any particular format? Hate to say it, but I've been using M$ Word so far). It'll be a while before I get another maintenance window, something about ripping out the company 'net connection and all that ;)
From: Friedrich L. <fl...@fl...> - 2004-01-16 13:22:17
Russell Packer wrote on 16.01.2004 11:49 MET:
>> Possibly you also need to "turn on" some of the
>> /proc/sys/net/ipv4/conf/*/proxy_arp "knobs".
>>
>> And yes, reading the available howtos on the net helps a lot ;-)
>>
>>
>> If you got it all together and tested, could you possibly write a short
>> howto for our documentation? Thanks.
>>
>
>
> Indeed. I've been documenting everything so far, so once it
> does all work I'd be happy to send something in (Any particular
> format? Hate to say it, but I've been using M$ Word so far).

Good old ASCII text is the best format, as we don't need the formatting of Word, which would just be more work to extract the contents. Take a look at the howtos I wrote: ftp://ftp.fl.priv.at/pub/devil-linux/

> It'll be a while before I get another maintenance window,
> something about ripping out the company 'net connection
> and all that ;)

Take your time. So, I'll be off for a week of skiing from tomorrow on :-)

--
MfG / Regards
Friedrich Lobenstock
From: Russell P. <rus...@ar...> - 2004-01-16 17:09:28
> Hi!
>
> *Can you please set the realname. THX!*
>
> Jet wrote on 16.01.2004 12:17 MET:
> >
> > By the way, "save-config" DOES NOT save your arp entry.
>
> You are right, but you are always free to send in a patch that
> saves all the published ARP entries before save-config.
>
> But let's wait for Russell to report back what and how it worked.
>

As it happens, I think the arp entries et al. are going to be part of the firewall.rules script (as I'm using Fwbuilder). I'm putting my test-lab back together at the moment (and would have done it sooner had a w2k server not given up *sigh*), so I should be able to do the tests next week.
From: Friedrich L. <fl...@fl...> - 2004-01-16 17:27:20
Russell Packer wrote on 16.01.2004 18:09 MET:
>>
>>> By the way, "save-config" DOES NOT save your arp entry.
>>
>> You are right, but you are always free to send in a patch that
>> saves all the published ARP entries before save-config.
>>
>> But let's wait for Russell to report back what and how it worked.
>
> As it happens, I think the arp entries et al. are going to be part of the firewall.rules script (as I'm using Fwbuilder). I'm putting my test-lab back together at the moment (and would have done it sooner had a w2k server not given up *sigh*), so I should be able to do the tests next week.

Don't expect any replies from me next week as I'll be skiing then :-)

--
MfG / Regards
Friedrich Lobenstock
From: Jet <jc...@se...> - 2004-01-19 05:57:04
On Saturday, January 17, 2004 1:09 AM [GMT+1=CET],
Russell Packer <rus...@ar...> wrote:

>
> As it happens, I think the arp entries et al. are going to be part of
> the firewall.rules script (as I'm using Fwbuilder). I'm putting my
> test-lab back together at the moment (and would have done it sooner
> had a w2k server not given up *sigh*), so I should be able to do the
> tests next week.
>

I don't think it is a good idea to put arp entries into your firewall.rules script, simply because it is not standardized.
How about a DNS server (that needs multiple IP addresses)?
It wouldn't process your firewall scripts.

I still think that the more proper way to set up an IP alias is creating a file in the /etc/sysconfig/nic folder.

- Jet
From: Friedrich L. <fl...@fl...> - 2004-01-26 22:50:28
Jet wrote on 19.01.2004 06:58 MET:
> On Saturday, January 17, 2004 1:09 AM [GMT+1=CET],
> Russell Packer <rus...@ar...> wrote:
>
>
>> As it happens, I think the arp entries et al. are going to be part of
>> the firewall.rules script (as I'm using Fwbuilder). I'm putting my
>> test-lab back together at the moment (and would have done it sooner
>> had a w2k server not given up *sigh*), so I should be able to do the
>> tests next week.
>>
>
>
> I don't think it is a good idea to put arp entries into your
> firewall.rules script, simply because it is not standardized.

Never heard of proxy arp? That's actually what you should do here, and I think adding an arp entry is what needs to be done to achieve this.

> How about a DNS server (that needs multiple IP addresses)?
> It wouldn't process your firewall scripts.

I don't understand that. DNS and the firewall script have nothing to do with each other.

>
> I still think that the more proper way to set up an IP alias is
> creating a file in the /etc/sysconfig/nic folder.

As said, I think the proxy arp way is the way it should be.

--
MfG / Regards
Friedrich Lobenstock
From: Jet C. <jc...@tr...> - 2004-01-28 09:04:29
On Monday, January 26, 2004 2:33 AM, Friedrich Lobenstock <fl...@fl...> wrote:

>
> Never heard of proxy arp? That's actually what you should
> do here, and I think adding an arp entry is what needs to be
> done to achieve this.

No. I think we all might have a misunderstanding here.
The objective is to set up IP aliases.

There are two ways to set this up.
One is to create an IP alias using "ifconfig eth0:0 x.x.x.x up" (with creating a file in /etc/sysconfig/nic/).
Second is to create an arp entry using "arp -s x.x.x.x pub" (and save the config in firewall.rules).

Russell Packer has preferred the second method instead of the first.

>> How about a DNS server (that needs multiple IP addresses)?
>> It wouldn't process your firewall scripts.
>
> I don't understand that. DNS and the firewall script have nothing
> to do with each other.
>

I prefer the first method as it is more standardized, and because it will take care of it if a DNS server needs IP aliases.
(Yes, a DNS server that needs a second IP address will not process the firewall.rules script.)

>>
>> I still think that the more proper way to set up an IP alias is
>> creating a file in the /etc/sysconfig/nic folder.
>
> As said, I think the proxy arp way is the way it should be.

Why do you think proxy arp is the way it should be?
I don't understand here.

--
Jet (Security Analyst)
From: Friedrich L. <fl...@fl...> - 2004-01-28 20:20:26
Jet Chan wrote on 28.01.2004 10:05 MET:
> On Monday, January 26, 2004 2:33 AM, Friedrich Lobenstock <fl...@fl...> wrote:
>
>
>> Never heard of proxy arp? That's actually what you should
>> do here, and I think adding an arp entry is what needs to be
>> done to achieve this.
>
>
> No. I think we all might have a misunderstanding here.
> The objective is to set up IP aliases.

Russell's config is as follows:

          eth0 +------+ eth2          ethX +------+ ethY       +------+
   ------------|  DL  |--------------------|  GW  |------------|  PC  |
               +------+                    +------+            +------+

   eth0 = 217.33.42.210/28
   eth2 = 192.168.3.1/24

   ethX = 192.168.3.17/24
   ethY = 217.33.42.211/32 (*)

see his posting in the archive
http://sourceforge.net/mailarchive/message.php?msg_id=7020432

So the objective is primarily not to set up an IP alias.

> There are two ways to set this up.
> One is to create an IP alias using "ifconfig eth0:0 x.x.x.x up" (with creating a file in /etc/sysconfig/nic/).
> Second is to create an arp entry using "arp -s x.x.x.x pub" (and save the config in firewall.rules).
>
> Russell Packer has preferred the second method instead of the first.

Because setting up an IP alias, if it works, is a crude workaround.

>>> How about a DNS server (that needs multiple IP addresses)?
>>> It wouldn't process your firewall scripts.
>>
>> I don't understand that. DNS and the firewall script have nothing
>> to do with each other.
>
> I prefer the first method as it is more standardized, and because it will take care of it if a DNS server needs IP aliases.
> (Yes, a DNS server that needs a second IP address will not process the firewall.rules script.)

Sorry, but I don't understand at all what you are talking about.

>>> I still think that the more proper way to set up an IP alias is
>>> creating a file in the /etc/sysconfig/nic folder.
>>
>> As said, I think the proxy arp way is the way it should be.
>
>
> Why do you think proxy arp is the way it should be?
> I don't understand here.

Because the DL machine should just route packets destined for 217.33.42.211 to the router 192.168.3.17.

I just looked it up at http://www.tldp.org/HOWTO/HOWTO-INDEX/howtos.html; you might want to read
http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/index.html

--
MfG / Regards
Friedrich Lobenstock
From: Jet C. <jc...@tr...> - 2004-01-30 22:16:47
On Thursday, January 29, 2004 4:19 AM, Friedrich Lobenstock <fl...@fl...> wrote:

>>
>> Russell Packer has preferred the second method instead of the first.
>
> Because setting up an IP alias, if it works, is a crude workaround.
>

Oh, it seems like I am the one who is misunderstanding the requirement.
(Not sure why I came to that conclusion)
OK, agreed. The primary objective is not to set up an IP alias.
I think he just needs a way to do NAT.

I examined what is the right/best way to do NAT two years ago.
And I did come across what Proxy ARP is.
However, I ended up using IP aliasing simply because it works and it is simple.
I just have to create an IP alias (for ethernet network publication) and create the iptables NAT rules.
(And I also need to enable IP forwarding and may need to route add if the destination host is on a network that is more than one hop away)
I don't have to add any more routing entries or anything else.
The only drawback of this method is "what if we need to add a class-C network or subnet".
Then we will have to create 255 IP aliases (for a class-C subnet).

IMHO, it is much more difficult to perform troubleshooting on a proxy ARP setup.
Simply because "ifconfig" will give me an idea of "what (how many) IPs am I publishing on the network".
Proxy ARP will not tell you that your linux box is "hosting" an IP address for a network behind you.

>>>> How about a DNS server (that needs multiple IP addresses)?
>>>> It wouldn't process your firewall scripts.
>
> Sorry, but I don't understand at all what you are talking about.

Sorry to make you confused here.
I mention this to demonstrate that "If you want to set up an IP alias, don't add it to the firewall.rules script".
Because DNS/web/SMTP servers might need IP aliasing as well.
My point here is, it is a bad idea "to modify firewall.rules" script to set up an IP alias.
These servers will not process the firewall.rules script, so why not standardize it and set it up somewhere else.

--
Jet (Security Analyst)
From: Friedrich L. <fl...@fl...> - 2004-01-30 23:01:05
Jet Chan wrote on 29.01.2004 03:38 MET:
> On Thursday, January 29, 2004 4:19 AM, Friedrich Lobenstock <fl...@fl...> wrote:
>
>
>>> Russell Packer has preferred the second method instead of the first.
>>
>> Because setting up an IP alias, if it works, is a crude workaround.
>>
>
>
> Oh, it seems like I am the one who is misunderstanding the requirement.
> (Not sure why I came to that conclusion)
> OK, agreed. The primary objective is not to set up an IP alias.
> I think he just needs a way to do NAT.
>
> I examined what is the right/best way to do NAT two years ago.
> And I did come across what Proxy ARP is.
> However, I ended up using IP aliasing simply because it works and it is simple.
> I just have to create an IP alias (for ethernet network publication) and create the iptables NAT rules.
> (And I also need to enable IP forwarding and may need to route add if the destination host is on a network that is more than one hop away)
> I don't have to add any more routing entries or anything else.
> The only drawback of this method is "what if we need to add a class-C network or subnet".
> Then we will have to create 255 IP aliases (for a class-C subnet).
>
> IMHO, it is much more difficult to perform troubleshooting on a proxy ARP setup.
> Simply because "ifconfig" will give me an idea of "what (how many) IPs am I publishing on the network".
> Proxy ARP will not tell you that your linux box is "hosting" an IP address for a network behind you.

When using proxy arp, "route" will show you the same info without clobbering the output of "ifconfig" with un-needed interface information.

>>>>> How about a DNS server (that needs multiple IP addresses)?
>>>>> It wouldn't process your firewall scripts.
>>
>> Sorry, but I don't understand at all what you are talking about.
>
>
> Sorry to make you confused here.
> I mention this to demonstrate that "If you want to set up an IP alias, don't add it to the firewall.rules script".
> Because DNS/web/SMTP servers might need IP aliasing as well.
> My point here is, it is a bad idea "to modify firewall.rules" script to set up an IP alias.
> These servers will not process the firewall.rules script, so why not standardize it and set it up somewhere else.

OK, now I understand somehow what you mean.

First, it's "your problem" if you do not want to set up IP aliases in firewall.rules when you should do proxy arp instead.

Second, IP aliases can be set up like any other interface, just create a file /etc/sysconfig/nic/ifcfg-eth0:0 with the following content:

   DHCP=no
   ONBOOT=yes
   DEVICE=eth0:0
   IP=aaa.bbb.ccc.ddd

--
MfG / Regards
Friedrich Lobenstock
From: Russell P. <rus...@ar...> - 2004-01-16 17:32:39
> Russell Packer wrote on 16.01.2004 18:09 MET:
> >>
> >>> By the way, "save-config" DOES NOT save your arp entry.
> >>
> >> You are right, but you are always free to send in a patch that
> >> saves all the published ARP entries before save-config.
> >>
> >> But let's wait for Russell to report back what and how it worked.
> >
> > As it happens, I think the arp entries et al. are going to
> > be part of the firewall.rules script (as I'm using
> > Fwbuilder). I'm putting my test-lab back together at the
> > moment (and would have done it sooner had a w2k server not
> > given up *sigh*), so I should be able to do the tests next week.
>
> Don't expect any replies from me next week as I'll be skiing then :-)
>

Nice. Don't get too piste.

It's probably going to be a week before I get another maintenance window to take the machine out of the lab and into production anyway. I have many things to test now! :)
From: Russell P. <rus...@ar...> - 2004-01-19 14:36:50
> >
> > As it happens, I think the arp entries et al. are going to
> > be part of the firewall.rules script (as I'm using Fwbuilder). I'm putting my
> > test-lab back together at the moment (and would have done it sooner
> > had a w2k server not given up *sigh*), so I should be able to do the
> > tests next week.
> >
>
> I don't think it is a good idea to put arp entries into your
> firewall.rules script, simply because it is not standardized.
> How about a DNS server (that needs multiple IP addresses)?
> It wouldn't process your firewall scripts.
>
> I still think that the more proper way to set up an IP alias is
> creating a file in the /etc/sysconfig/nic folder.

Hm. Thing is, I've already decided on FWbuilder as the firewall.rules builder and that *should* deal with all aliases / arp entries.
From: Russell P. <rus...@ar...> - 2004-01-31 02:11:42
> >> Never heard of proxy arp? That's actually what you should
> >> do here, and I think adding an arp entry is what needs to be
> >> done to achieve this.
> >
> > No. I think we all might have a misunderstanding here.
> > The objective is to set up IP aliases.

As far as I'm concerned, I'm happy with whatever method works!

>
> Russell's config is as follows:
>
>
>           eth0 +------+ eth2          ethX +------+ ethY       +------+
>    ------------|  DL  |--------------------|  GW  |------------|  PC  |
>                +------+                    +------+            +------+
>
>    eth0 = 217.33.42.210/28
>    eth2 = 192.168.3.1/24
>
>    ethX = 192.168.3.17/24
>    ethY = 217.33.42.211/32 (*)

Hm... not quite how it looks physically. I've been rushed off my feet doing other things, so I still haven't had time to go back to my lab setup and get things working.

It looks more like this in ASCII :)

              eth0 +------+ eth2           +------+
   Router----------|  DL  |----------------|  PC  |
                   +------+                +------+ 192.168.3.17

The router has 16 IPs that it will accept - 217.33.42.208/28

So anything in the range 217.33.42.208 to 217.33.42.224 will hit the router and go to DL's eth0

If something comes in to 217.33.42.211 it should simply be routed through to 192.168.3.17. (And conversely, if 192.168.3.17 goes out, it should appear to have come from 217.33.42.211). Everything else on the internal network should look like it came from 217.33.42.209.
From: Friedrich L. <fl...@fl...> - 2004-01-31 15:27:58
Russell Packer wrote on 29.01.2004 11:35 MET:
>> Russell's config is as follows:
>>
>>
>>           eth0 +------+ eth2          ethX +------+ ethY       +------+
>>    ------------|  DL  |--------------------|  GW  |------------|  PC  |
>>                +------+                    +------+            +------+
>>
>>    eth0 = 217.33.42.210/28
>>    eth2 = 192.168.3.1/24
>>
>>    ethX = 192.168.3.17/24
>>    ethY = 217.33.42.211/32 (*)
>
>
> Hm... not quite how it looks physically.

At least that was what you described.

> I've been rushed off my
> feet doing other things, so I still haven't had time to go back
> to my lab setup and get things working.
>
> It looks more like this in ASCII :)
>
>               eth0 +------+ eth2           +------+
>    Router----------|  DL  |----------------|  PC  |
>                    +------+                +------+ 192.168.3.17
>
>
> The router has 16 IPs that it will accept - 217.33.42.208/28
>
> So anything in the range 217.33.42.208 to 217.33.42.224 will hit the router and go to DL's eth0
>
> If something comes in to 217.33.42.211 it should simply be
> routed through to 192.168.3.17. (And conversely, if 192.168.3.17
> goes out, it should appear to have come from 217.33.42.211).
> Everything else on the internal network should look like it
> came from 217.33.42.209.

This looks rather strange to me. Can you please illustrate with an ASCII graphic like I did above where each of the IP addresses should reside? And some background information is always helpful.

I think somehow you are thinking in the wrong way, or is it me not understanding what you are really trying to accomplish?

--
MfG / Regards
Friedrich Lobenstock
From: Tim T. <t....@co...> - 2004-01-31 18:04:38
Friedrich Lobenstock wrote:
> Russell Packer wrote on 29.01.2004 11:35 MET:
>
>>> Russell's config is as follows:
>>>
>>>
>>>           eth0 +------+ eth2          ethX +------+ ethY       +------+
>>>    ------------|  DL  |--------------------|  GW  |------------|  PC  |
>>>                +------+                    +------+            +------+
>>>
>>>    eth0 = 217.33.42.210/28
>>>    eth2 = 192.168.3.1/24
>>>
>>>    ethX = 192.168.3.17/24
>>>    ethY = 217.33.42.211/32 (*)
>>
>>
>>
>> Hm... not quite how it looks physically.
>
>
> At least that was what you described.
>
>
>> I've been rushed off my
>> feet doing other things, so I still haven't had time to go back
>> to my lab setup and get things working.
>>
>> It looks more like this in ASCII :)
>>
>>               eth0 +------+ eth2           +------+
>>    Router----------|  DL  |----------------|  PC  |
>>                    +------+                +------+ 192.168.3.17
>>
>>
>> The router has 16 IPs that it will accept - 217.33.42.208/28
>>
>> So anything in the range 217.33.42.208 to 217.33.42.224 will hit the
>> router and go to DL's eth0
>>
>> If something comes in to 217.33.42.211 it should simply be
>> routed through to 192.168.3.17. (And conversely, if 192.168.3.17
>> goes out, it should appear to have come from 217.33.42.211).
>> Everything else on the internal network should look like it
>> came from 217.33.42.209.
>
>
> This looks rather strange to me. Can you please illustrate with
> an ASCII graphic like I did above where each of the IP addresses
> should reside? And some background information is always helpful.
>
> I think somehow you are thinking in the wrong way, or is it me
> not understanding what you are really trying to accomplish?

Correct me if I'm wrong, but doesn't IP aliasing bring a lot more to the table than just an ARP entry? Like potentially adding a new subnet on the interface along with a new default route entry, allowing the anti-spoofing stuff to still work, allowing the new IP to be processed by the local machine for (multi) NAT'ing, DHCP proxy, etc?

The one thing I use it for is my cable modem - it's on the far side of the firewall, and has a private IP (192.168.100.1) hard-coded for the web admin interface. So it's not the same subnet as the WAN IP of the firewall. I added the alias to the WAN port, and a couple of firewall rules to allow traffic through. The alias handles the routing, and the firewall LAN port is the default gateway for the LAN of course.

Tim
From: Russell P. <rus...@ar...> - 2004-03-16 16:51:06
[snip]

Finally sorted!

Yes, I was having routing fun - DST NAT was giving me hassle, and lots of people were helping me this way and that. Proxy arp and IP aliases were bantered around, but I never quite got to the bottom of things as I got rushed off onto another project.

This week I actually had time to start again, and found the problem fairly quickly - once I'd managed to put my tiny lab back together. Basically, my problems were caused by FWbuilder and the SNMP discovery option. This added all 6 of my interfaces rather nicely (yes, I know, 3 dual-NICs *is* a bit over the top :), but as I wasn't using all of the interfaces just yet, the discovery option added them into the rulebase with what looked like a blank IP address in the GUI, but in the XML it turned out to be saved as 0.0.0.0. This caused problems later on when the DNAT rules were generated.

So. The long and the short of it is FWBuilder does generate a very nice firewall.rules file that does everything for you. No need to play with proxy arp or make routing changes to /etc/sysconfig/nic/ifcfg-ethx. This makes it really easy to implement stuff, as simply by clicking "install" on FWbuilder all the proxy arp / interface alias / routing stuff is done for you. No problems with save-config here, everything needed is handled by the firewall.rules script :)

Phew!
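
The 0.0.0.0 placeholder Russell describes is worth catching mechanically before a generated firewall.rules goes into production. The script below is an added example by the editor, not FWbuilder output, Devil-Linux code or anything posted in the thread. It reads iptables commands on stdin and reports two things: NAT rules whose -s, -d, --to-source or --to-destination is 0.0.0.0, and DNAT targets that have no FORWARD ACCEPT naming the translated address (FORWARD is evaluated after PREROUTING DNAT, so a FORWARD rule that names the public address never matches the rewritten packet). The two sample rule sets are constructed for the example in the style of a generated script; the function and variable names are the editor's.

```sh
#!/bin/sh
# Added example (editor's; not FWbuilder output or Devil-Linux code).
# Lints an iptables rule script for placeholder 0.0.0.0 addresses in NAT
# rules and for DNAT targets without a matching FORWARD ACCEPT.
# Reads "iptables ..." lines on stdin, prints one line per finding, exit 0.

lint_nat_rules() {
    awk '
    # strip a ":port" or "/mask" suffix from an address token
    function bare(a,  c) {
        c = index(a, ":"); if (c) a = substr(a, 1, c - 1)
        c = index(a, "/"); if (c) a = substr(a, 1, c - 1)
        return a
    }
    /^iptables/ {
        for (i = 1; i < NF; i++) {
            if ($i == "-s" || $i == "-d" ||
                $i == "--to-source" || $i == "--to-destination") {
                if (bare($(i + 1)) == "0.0.0.0")
                    printf "placeholder 0.0.0.0 after %s: %s\n", $i, $0
                # remember DNAT targets and FORWARD ACCEPT destinations
                if ($i == "--to-destination" && $0 ~ /-j DNAT/)
                    dnat[bare($(i + 1))] = $0
                if ($i == "-d" && $0 ~ /-A FORWARD/ && $0 ~ /-j ACCEPT/)
                    fwd[bare($(i + 1))] = 1
            }
        }
    }
    END {
        # FORWARD sees the post-DNAT (internal) address, so that is what
        # the ACCEPT rule must name
        for (t in dnat) if (!(t in fwd))
            printf "DNAT to %s has no FORWARD ACCEPT for it: %s\n", t, dnat[t]
    }'
}

# Constructed sample in the style of a generated firewall.rules; the
# 0.0.0.0 lines imitate the unconfigured interfaces Russell describes,
# and the FORWARD rule names the wrong host.
SAMPLE_BAD='iptables -t nat -A PREROUTING -i eth0 -d 0.0.0.0 -j DNAT --to-destination 192.168.3.17
iptables -t nat -A PREROUTING -i eth0 -d 217.33.42.211 -j DNAT --to-destination 192.168.3.17
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.17 -j SNAT --to-source 0.0.0.0
iptables -A FORWARD -i eth0 -o eth2 -d 192.168.3.18 -j ACCEPT'

# Constructed clean sample: one mapping, SNAT back to the public address,
# FORWARD ACCEPT for the internal host.
SAMPLE_GOOD='iptables -t nat -A PREROUTING -i eth0 -d 217.33.42.211 -j DNAT --to-destination 192.168.3.17
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.17 -j SNAT --to-source 217.33.42.211
iptables -A FORWARD -i eth0 -o eth2 -d 192.168.3.17 -j ACCEPT'

# number of findings for a rule set passed as a string
count_findings() {
    printf '%s\n' "$1" | lint_nat_rules | wc -l | tr -d ' '
}

# usage on a real file:  lint_nat_rules < /etc/sysconfig/firewall.rules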
From: Friedrich L. <fl...@fl...> - 2004-01-16 00:18:51
t....@co... wrote on 16.01.2004 00:54 MET:
> Friedrich Lobenstock wrote:
>>
>> Set up the route in ifcfg-eth2 (yes, eth2 NOT eth0!)
>>    ROUTE="$ROUTE 217.33.42.211:192.168.3.17"
>> (remove the ROUTE line from eth0!)
>>
>> Set an ARP entry on eth0
>>    arp -i eth0 -s 217.33.42.211 XX:XX:XX:XX:XX:XX pub
>>
>> with XX:XX:XX:XX:XX:XX being the MAC address of eth0,
>> which should attract all the traffic for 217.33.42.211
>> to your host, and then the routing table jumps in.
>>
>> Don't forget to set an entry in the FORWARD table via
>> iptables.
>
> Does DL support IP aliases? That's how my SnapGear Linux
> based firewall does it, just set two IPs on eth0, then
> add a forwarding rule to the NAT. I suppose it does the
> same thing but seems a bit cleaner somehow.

Of course it does support IP aliases. Just create ifcfg-eth0:0 and set "DEVICE=eth0:0" in there.

But besides setting an IP alias they will need two iptables rules instead of one, one in the PREROUTING table and the other one, like me, in the FORWARD table. And of course the routing entry mentioned above. Or am I wrong here?

If they do it like that then this is basically the same as saying "why do it the easy way if we can do it the complicated one" ;-) [translated saying from German]

--
MfG / Regards
Friedrich Lobenstock
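
The two approaches argued over in this thread (Friedrich's published ARP entry plus route, and Tim's and Jet's IP alias on eth0) differ only in how the firewall gets to answer ARP for 217.33.42.211 on eth0; the forwarding and NAT work that Russell actually needs (DNAT inbound, SNAT outbound, a FORWARD entry) is the same for both. The script below is an added example by the editor, not Devil-Linux code, FWbuilder output or anything a participant posted. It uses the addresses and interface names from Russell's posts, the iproute2 spelling `ip neigh add proxy` for the old `arp -s ... pub`, and a `run` wrapper so that `DRY_RUN=1` prints the commands instead of executing them (running them needs root). The function and variable names are the editor's assumptions.

```sh
#!/bin/sh
# Added example (the editor's, not Devil-Linux, FWbuilder or thread code).
# One public address (PUB_IP) is mapped 1:1 to one internal host (INT_IP),
# the setup Russell describes. Two ways to make the firewall answer ARP for
# PUB_IP are shown; the NAT and forwarding part is shared by both.
# DRY_RUN=1 prints the commands instead of running them.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth2}
PUB_IP=${PUB_IP:-217.33.42.211}
PUB_PREFIX=${PUB_PREFIX:-28}          # 217.33.42.208/28 from Russell's posts
INT_IP=${INT_IP:-192.168.3.17}

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Variant 1: a published (proxy) ARP entry. The firewall does not own
# PUB_IP; it only answers ARP for it on WAN_IF so the upstream router
# sends the frames here. Old spelling: arp -i eth0 -Ds 217.33.42.211 eth0 pub
# DNAT happens in PREROUTING, before the routing decision, so the rewritten
# packet follows the ordinary LAN route; no host route for PUB_IP is needed.
attract_via_proxy_arp() {
    run ip neigh add proxy "$PUB_IP" dev "$WAN_IF"
}

# Variant 2: an IP alias. PUB_IP is really configured on WAN_IF (what
# ifcfg-eth0:0 does at boot on Devil-Linux), so ARP is answered as for any
# local address and the address shows up in "ip addr" / ifconfig.
attract_via_alias() {
    run ip addr add "$PUB_IP/$PUB_PREFIX" dev "$WAN_IF" label "$WAN_IF:0"
}

# Shared part. The FORWARD rules name the *internal* address, because
# FORWARD is evaluated after PREROUTING DNAT has rewritten the destination.
nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" \
        -j DNAT --to-destination "$INT_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$INT_IP" \
        -j SNAT --to-source "$PUB_IP"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$INT_IP" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INT_IP" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# setup proxyarp | setup alias
setup() {
    case "${1:-proxyarp}" in
        proxyarp) attract_via_proxy_arp ;;
        alias)    attract_via_alias ;;
        *) echo "usage: $0 [proxyarp|alias]" >&2; return 2 ;;
    esac
    nat_rules
}

if [ $# -gt 0 ]; then setup "$1"; fi
```

Two caveats a practitioner would want. First, the script assumes a FORWARD policy of DROP (and the masquerading rule for the rest of the LAN as 217.33.42.209) is set elsewhere; it only opens this one mapping. Second, if you use the /proc/sys/net/ipv4/conf/eth0/proxy_arp knob Friedrich mentions instead of an explicit proxy entry, the kernel answers ARP for 217.33.42.211 only when its routing table sends that address out a different interface, so that variant does need a host route for 217.33.42.211 via eth2; the explicit `ip neigh add proxy` entry does not depend on the route.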
From: <Her...@sp...> - 2004-02-11 08:24:36
Hi all

Maybe I'm blind, but I was not able to find an MD5 sum for DL V 1.0.4... How can I verify the package?

Regards,
Herbert