nat routing
Hi guys,
I am pretty new to Linux, but I installed Fedora 3 on the server right now. I enabled internet connection sharing through the following statements:
Code:
modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipadres"
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
The first line fails, but the remaining ones didn't. It all works, but if I do a speed test my server is twice as fast as the Windows XP clients. I get 930 KByte/sec at the server and 420 KByte/sec at my Windows XP client. Can I do something to speed up the internet connection at the clients? I have an ADSL connection from Demon. Thanks a lot ...
You shouldn't use the MASQUERADE module unless you have a changing IP number, e.g. via dialup..
It takes a lot of time to check the address for each packet.. SNAT and the other modules load automatically, so stay with that.. What's the idea of the FORWARD rule? You will find FC3 has a reverse path filter turned on already to drop those.. Try the rules like this.. Code:
iptables -F
Re: nat routing
These rules I'm posting are basically the same thing, I just did a little janitorial work on them...
I'm not so sure why any of this would be cutting your bandwidth in half on the clients, though... Code:
modprobe ip_tables
Re: Re: nat routing
Quote:
I did some cleanup at the clients and managed to speed things up. Speeds are now 730 KBytes/sec, so only 200 KBytes/sec less than the connection at the server. The Firefox browser is helping me with one client to improve the speed by 200 KBytes/sec, while at the remaining clients it doesn't matter which one I use. Can someone review the comments that I made at the statements? I just installed Linux two days ago for my very first time and am still a newbie. Are they correct? Can I just save this script to make it permanent by doing iptables-save -c > /etc/iptables-save Code:
I think you can save it like that, but I'm not sure... what I do is I put all my rules in a shell script and then I run the script at startup... the way to do that kinda varies between distros... on Slackware, which is what I use, you just save your firewall script as /etc/rc.d/rc.firewall and that's pretty much it... of course it needs to have the execute permissions set and stuff... anyways, the thing is I don't remember how Red Hat handles this, so I can't really say, but here are the rules I posted, except now they are in "shell script" format... I also put in a few comments and added conntrack modules for FTP and optionally IRC...
Code:
#!/bin/sh
http://www.linuxguruz.com/iptables/
The Fedora way of saving is to use the file /etc/sysconfig/iptables
It is created using service iptables save, which saves any active rules there.. So you'll need to get the rules in a state like win32sux has them (not using = as a comment start), get them loaded once, probably manually, then save them. They are automagically loaded at boot from the /etc/rc.d/rc5.d/ directory.. Also be sure to replace "ipaddress" with the actual eth0 IP address in $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress" As a comment, there are only a few modules which don't autoload when the rule is entered, notably ftp and irc.. Generally, loading modules without knowing what state the rules are in can be considered dangerous.. Loading them after the rules are in place is better policy, or at least after they are flushed, when you can be sure of their state.. Likewise the ip_forward..
I have updated the script using peter_robb's excellent advice:
Code:
#!/bin/sh
Ok.. that's good..
May I suggest some final polish.. (the shiny stuff) Change "ipaddress" to a field value and specify it at the beginning of the script.. And drop the first 2 module loads.. (Actually, nat requires conntrack in order to work, but not every system will autoload from that..) And comment out the last 2 policy lines as it's their default already.. Code:
#!/bin/sh
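Since the thread's own scripts did not survive extraction, here is an added example (my own, not code posted by anyone in this thread) that puts the original poster's rule set into the "shell script" layout win32sux describes, with peter_robb's polish applied: interface and address as variables at the top, no module loads, SNAT instead of MASQUERADE, and the ftp helper plus ip_forward only after the rules are in place. It also goes one step further than the thread and gives FORWARD a DROP policy with an explicit LAN-to-WAN allow, since the posted rules left forwarding wide open apart from the eth0-to-eth0 REJECT. The interface names (eth0 WAN, eth1 LAN), the address 192.0.2.10 and the subnet 192.168.1.0/24 are placeholders I chose; substitute your own.

```shell
#!/bin/sh
# Added example, not a script from this thread: the SNAT gateway rules the
# original poster listed, rewritten with peter_robb's suggestions (interface
# and address as variables at the top, no module loads, SNAT rather than
# MASQUERADE, ip_forward enabled only after the rules are in place).
# It also gives FORWARD a DROP policy with an explicit LAN-to-WAN allow,
# which the thread's own rules do not do.
# All names below are assumptions: WAN on eth0, LAN on eth1, WAN address
# 192.0.2.10 and LAN subnet 192.168.1.0/24 are placeholders to be replaced.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-192.0.2.10}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}

# build_rules prints one iptables command per line. Keeping the rule set as
# data lets you review it (or diff it against 'iptables-save' output) before
# it is ever applied to a live box.
build_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT ! -i $WAN_IF -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
EOF
}

# rule_count is a cheap sanity check: how many commands build_rules emits.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# apply_rules runs the commands (needs root), then loads the FTP conntrack
# helper and enables forwarding. Both come last on purpose: the advice in
# this thread is never to load helpers or open forwarding while the rule
# state is unknown. ip_conntrack_ftp is the FC3-era module name and
# nf_conntrack_ftp the current one, so both are tried.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# 'sh gateway.sh' prints the rules for review; 'sh gateway.sh apply' installs them.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it without arguments first and read the output; once `apply` has worked on Fedora, `service iptables save` writes the live rules to /etc/sysconfig/iptables as peter_robb describes, so they come back at boot. The FORWARD lines are the part that matters for the clients: with a DROP policy, a host on the internet cannot originate a connection through the gateway to a LAN machine even though SNAT is on, which the original rule set did not guarantee.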
I went ahead and added a couple of things, too...
Code:
#!/bin/sh
Hi guys,
you should get paid for this ... :D I am very busy at the moment resolving some of the issues that put me on hold with some of the Oracle APIs for AQ (advanced queueing) of XML messages. I learn a lot from you guys, but will review the scripts you made tomorrow and will post if it works for me. Thanks again for taking the time to teach a newbie ...
Thanks for your help.
It has been working for a while, but any advice or comments on open ports on the server in this way? Do you actually use iptables directly to do all this, or is there some tool?
fix it ... :)