LinuxQuestions.org
Old 11-08-2005, 11:05 AM   #1
SuperJohnSmith
LQ Newbie
 
Registered: Nov 2005
Posts: 4

Rep: Reputation: 0
Multiple ip proxy server iptables.


Hi!

I have a machine with a pool of 20 public IP addresses.
I have only one network interface, eth0. I have 19 IP aliases,
eth0:1 to eth0:19.

On this machine, I have installed squid (HTTP proxy) and ss5 (SOCKS5 proxy) proxy servers.
It works fine; I can connect to the remote server with either squid or ss5.
The problem is that the remote server always sees the first IP address (the one set on eth0).

This won't be my final setup, but to make the problem easier, I have only ss5
bound to 42.42.42.108:1234 (eth0:7).

Now, the remote server sees the IP address 42.42.42.101 (eth0).

Of course those are not my real IP addresses.

OK, now I had been told the way to fix this was to do some routing,
but I never did any kind of routing.

I did my best googling around and here is what I came up with!

iptables -A PREROUTING -i eth0 -t mangle -p tcp -s 42.42.42.108 \
-j MARK --set-mark 1

### my tables
ip route add 113.113.1.64/26 dev eth0 src 42.42.42.108 table T108
ip route add default via 113.113.1.65 table T108

### main table
ip route add 113.113.1.64/26 dev eth0 src 42.42.42.101

### default table
ip route add default via 113.113.1.65

### the rules to select the right table
ip rule add fwmark 1 table T108
ip rule add from 42.42.42.108 table T108


ip route flush cache
ip rule flush

Of course, since I am here, it's because it does not work!

I would really appreciate some help here!
Thanks!

-----------------------
ip rule show
0: from all lookup local
32763: from 43.43.43.108 lookup T108
32764: from all fwmark 0x1 lookup T108
32765: from 43.43.43.108 lookup T108
32766: from all lookup main
32767: from all lookup default


-------------------------

ip route show table T108
113.113.1.64/26 dev eth0 scope link src 43.43.43.108
default via 113.113.1.65 dev eth0


--------------------------------------

iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


??? Should I see something in there?


Is the solution really with iptables?.....
Any suggestion of another avenue to do what I need to do?


Last edited by SuperJohnSmith; 11-08-2005 at 05:03 PM.
 
Old 11-09-2005, 12:48 PM   #2
SuperJohnSmith
LQ Newbie
 
Registered: Nov 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Nobody?????

please!!!!
 
Old 11-09-2005, 07:09 PM   #3
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
I saw your post a few days ago but wanted to gather some info before posting. I know what you are after but have never done this with a Linux machine acting as a multiple-IP router. Check here for a start.

http://iptables-tutorial.frozentux.n...DMZFIREWALLTXT

Also read other sections of this link while you're there. The rc.DMZ.firewall.txt file there is an iptables script and describes multiple external IPs, but of course does not describe in detail how to set up the NIC to understand all the IPs. This should answer half of your question.

Now the only way I have done what you are trying to do is with simple Cisco routers. I know it is possible to do what you want, and my first option is to have the ISP assign you a subnet of IPs. Of course you will lose 2 of them: one is the broadcast and the other is the network address. But anything in between is up for grabs. Now I do not know how to implement that type of setup. I would sure like to learn how to do that. Some customers are not willing to pay for a Cisco upfront. A Linux box would fit the bill perfectly for this.

Now the second option mentioned is 1-to-1 NAT. I think this is more what you are after, but I'm not sure how to set it up. Not really sure if virtual IPs or IP aliasing like you're trying will work. The only issue in my thinking is that I am not sure if iptables can really work with IP aliasing. I have seen conflicting posts over the years.

Some of the following links may stray from what you are after.

A few other links on iptables with multiple external IPs:
http://www.sentry.net/~obsid/IPTable...s.dir/current/
http://sentry.sourceforge.net/docs.html#howto

Only other app I could find was one called Zebra.
http://www.zebra.org/

IProute2
http://www.policyrouting.org/

If you get it configured I would sure like to know how it can be done, and I am sure others here would be interested. I would like to implement this at home but never seem to have time for my own stuff. This might be a good project for me to tackle over the Holidays. I will look through some of my TCP/IP / Linux books and maybe there is something in there. I have seen a book called Setting Up an ISP on Linux somewhere, or something like that. You might search Amazon.com or local bookstores on the subject. It might have been called RedHat Linux on Internet Server. Not sure what's all in it.

If I come up with any other thoughts or ideas I will post back.
Hope this gives you a start.
Brian1
 
Old 11-10-2005, 05:58 PM   #4
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
I am really interested in doing this myself now. Still working on it, but here are some more links:
http://www.ibiblio.org/pub/Linux/doc...l#WHAT-IS-MASQ
http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html
http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html
http://www.homenethelp.com/web/howto...e-internet.asp
https://www.redhat.com/archives/fedo.../msg04163.html
edit:
The last link here has an interesting setup on ifcfg-eth0-range0. Tried it on one machine and was amazed how easily it creates all the virtual IPs.
edit

edit2:
This post helps iptables understand virtual IPs. Thanks to Cap_Caveman there. http://www.linuxquestions.org/questions/history/66791
I was pretty sure iptables did not work with virtual IP aliasing like eth0:0, eth0:1 and so on. To get around this, from what I can tell in post #12, you create your eth0:0 and so on as normal but use the IP address instead of eth0:0. I think this might be the way to go. I will give my provider a call and see if he can add additional IPs on my wireless connection. I'll let you know how it goes.
edit2

edit3
Looked at other router apps, but many are no longer under development, like the linuxrouter.org project.
edit3

Hope some of this helps.
Brian1

Last edited by Brian1; 11-10-2005 at 06:19 PM.
 
Old 11-11-2005, 05:51 PM   #5
SuperJohnSmith
LQ Newbie
 
Registered: Nov 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks a lot Brian1, but I found my way.

I have managed to do it.

I will write a tutorial soon.

But meanwhile this may help you.

OK, first remember I am talking of a proxy, not a router or a firewall.

This means packets do not flow through. Packets arrive at the proxy, and the proxy creates new packets that it sends to the destination.

So when you are manipulating outgoing packets, you have no way of knowing on what IP address the proxy received it.

So here is my current working solution (it may not be the best; I'll explain later what would be the best solution).

OK ...

So I created 1 user per IP address (I have 20):
prox0 UID (user id) 500
prox1 UID 501
prox2 UID 502
.....
Then I started 1 instance of my proxy server for every single IP address, each one running under a different user, each one listening on a different IP address.
(Starting 20 instances of SS5 (SOCKS5) was easy, but 20 instances of squid was more difficult; I won't explain here how I did it.)

And finally,

I am marking the packets depending on what user created them, and I do some SNAT (SOURCE NETWORK ADDRESS TRANSLATION) to set it to the desired IP address.

# instance 1: packets from UID 500 get mark 100, then leave with the first address
iptables -t mangle -A OUTPUT -m owner --uid-owner 500 -j MARK --set-mark 100
iptables -t nat -A POSTROUTING -m mark --mark 100 -j SNAT --to-source 135.135.135.1

# instance 2: packets from UID 501 get mark 200, then leave with the second address
iptables -t mangle -A OUTPUT -m owner --uid-owner 501 -j MARK --set-mark 200
iptables -t nat -A POSTROUTING -m mark --mark 200 -j SNAT --to-source 135.135.135.2
.........

It works like a dream!

Now, I said that this solution is not the best; here's why.

Technically, if the proxy is well coded, it should create its packets with SRC = the IP address it was bound to.
(The routing table will later rewrite it with the default (first) IP address.)

So in theory, we could mark the packet according to the SRC header, then after the routing table has done its stuff,
rewrite the SRC header to what it was originally.

This method would not save me from starting 20 instances of my proxy, but I would not need to start every single one of them under a different user.


But I failed trying to process this way. It may be for one of the following reasons:
- The proxy is badly coded and does not put a SRC header, or puts the first IP address (eth0) in it.
- Before doing this project I did not know anything about routing, so I may simply fail because of my lack of experience.
- iptables may be bugged and fail to detect the SRC header of outgoing packets.


While I am writing this I realise that, according to the graphic I have beside me, there is nothing between 'local process' and 'routing decision', so that may be it.

With any of those techniques, I could send the packets to different routing tables instead of doing SNAT; I don't see why sending packets to different tables would be better ... or worse....

Anyway, my technique involves fewer keystrokes!

I hope this helps!

I see you have a lot of links to tutorials; I went through a lot myself, but here is the one that helped me the most! I don't know if it is already part of your list.

http://iptables-tutorial.frozentux.n...-tutorial.html


By the way, you are not allowed to use this knowledge unless you claim around the world that I am a genius!
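An added example, not the OP's own script: a small POSIX sh generator that emits the owner-mark / SNAT rule pair for every (UID, address) entry in a pool, so that the mark used in the mangle rule and the mark matched in the nat rule are always the same value. The UIDs and addresses in the pool are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the per-user mark + SNAT rules
# for a pool of proxy instances. Nothing here touches the running firewall;
# it only prints the commands so they can be reviewed before being applied.
set -eu

# One line per proxy instance: "<uid> <public ip>" (constructed placeholders).
POOL='500 135.135.135.1
501 135.135.135.2
502 135.135.135.3'

# Print the two iptables commands for one instance.
# The UID itself is used as the mark, so the two rules cannot drift apart.
rules_for() {
    uid=$1
    ip=$2
    printf 'iptables -t mangle -A OUTPUT -m owner --uid-owner %s -j MARK --set-mark %s\n' "$uid" "$uid"
    printf 'iptables -t nat -A POSTROUTING -m mark --mark %s -j SNAT --to-source %s\n' "$uid" "$ip"
}

# Emit the full rule set for the whole pool.
gen_all() {
    printf '%s\n' "$POOL" | while read -r uid ip; do
        [ -n "$uid" ] || continue
        rules_for "$uid" "$ip"
    done
}

# Sanity check: number of SNAT rules must equal the number of pool entries.
count_snat() {
    gen_all | grep -c -- '-j SNAT'
}

# Print the rules; apply them later with: gen_all | sh   (as root, after review)
gen_all
```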
 
Old 11-11-2005, 05:55 PM   #6
SuperJohnSmith
LQ Newbie
 
Registered: Nov 2005
Posts: 4

Original Poster
Rep: Reputation: 0
By the way, method #2 would work perfectly for a firewall or a router,
since I could mark the IP packets in any table before 'local process',

but with the proxy the packet is created in the local process.
 
Old 11-11-2005, 06:13 PM   #7
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Never really got into proxies much, but I see where you're going with this. Can't wait to see your tutorial. Didn't get a chance to get a few extra IPs to play with from my provider. He is a good friend of mine but was out of town today.

Glad to be of help, later SuperJohnSmith
Brian1
 
Old 11-11-2010, 12:04 PM   #8
smeago
LQ Newbie
 
Registered: Nov 2010
Posts: 1

Rep: Reputation: 0
Any clue to the manual?

Hi, I have the same problem. Please SuperJohnSmith can you post the manual?

Thanks
 
Old 11-11-2010, 02:36 PM   #9
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
You'll be lucky - don't knock it, if it works - if the OP from 5 years ago responds quickly with a direct answer. I could never quite understand the OP's actual question, so if you don't get a good response by this necropostology, you may want to start your own thread, explaining your problem clearly.
 
Old 11-22-2010, 06:11 AM   #10
garhwal_satyapal
LQ Newbie
 
Registered: Nov 2010
Posts: 2

Rep: Reputation: 0
Super John Smith,
can you write a tutorial on how you started multiple instances of ss5?
 
Old 11-22-2010, 06:12 AM   #11
garhwal_satyapal
LQ Newbie
 
Registered: Nov 2010
Posts: 2

Rep: Reputation: 0
Super John Smith
can u write a tutorial how u started multiple instance of ss5
 