|
Virtual interface Routing
Hola,
I need to make some solution for my home network, i have a linux server which is: Quote:
Also, after that, i have two questions: Quote:
Thanks in davance ... |
# first make the virtual interface
vconfig add eth0 200 # assume modem has 192.167.200.1/24 ip a a 192.168.200.2/24 dev eth0.200 ip link set eth0.200 up ip route del default ip route add default via 192.168.200.1 # now the bandwith limitation on outgoing only (so downloadspeed for the connected computer) tc qdisc add dev eth0.200 handle 1:0 root dsmark indices 1 default_index 0 tc qdisc add dev eth0.200 handle 2:0 parent 1:0 tbf burst 1024 limit 20480 mtu 1514 rate 1024kbps more info you'll find in LARTC (lartc.org/manpages) correction: in the tc command you need to substitute the eth0.200 to the device where the other pc is connected not the one of the adsl router |
cool, thanks my friend ...
I need to ask you about how to route my proxy server via DHCP ??? |
I don't really understand your question. you like dhcp to configure your client to use a proxy? What do you like
to have as a result? |
Quote:
My solution is to make some rate limiting to use bandwidth of my network. |
Thabks for all, but really i need to know what is the bebefits for all of these commands:
Quote:
Quote:
Quote:
|
the vconfig creates the vlan interface
ip a a (addr add) adds an ip address to that interface ip link .. enables the interface (so it can be used) if the adsl router is connected to that vlan is has to be used in the default route so remove the existing one, and add the adsl modem as a default gateway The tc command is explained in the LARTC mentioned above, this token bucket filter (TBF) is not very advanced and in most cases you will probably prefer HTB combined with a way to select for each computer after this one. I can't explain all details here so I think you'll need to look for details into this LARTC guide. |
cool, but really i'm very confused about my diagram, where my diagram is:
Virtual Interface: eth0:5 ip address: 10.10.10.1/24 Default GW: 196.xxx.xxx.xxx/30 Also, i need to ask about some GUI that can maanage these options in an ease fashion ??? so, really i'm confused, please help me ... |
Virtual Interface: eth0:5
ip address: 10.10.10.1/24 Default GW: 196.xxx.xxx.xxx/30 the first is easy, this creates eth0.5 # vconfig add eth0 5 The default gateway would be the ipaddress of you adsl router, but here are some options: 1) home / small networks will probably have an external address (in your case in the range 196.xxx.xxx.xxx/30 ??) but maybe they have also on the inside network a private range and they handle the NAT (network address translation) in this case you need to know this private address maybe it will be in this 10.10.10.0/24 range 2) bigger networks where you adsl router has a public IP and your network also has public IP's in this case 4 but that is a bit optimistic anyway 196.xxx.xxx.xxx/30 -> 32-30 means the last 2 bits are 'for you' 00 -> network 01 -> gateway (probably the adsl router) 10 -> your pc ( the only really usable) 11 -> broadcast of you /30 network this means your default route has to be the ip address 196.xxx.xxx.xxx with last 2 bits 01 the ip of your pc the one with the last bits 10 now the question is how is this router connected? - to your eth0 ? - to your eth0.5 ? first case : eth0 # ip addr add 196.x.x.x01/30 dev eth0 # ip link set eth0 up second case eth0.5 #vconfig add eth0 5 #ip addr add 196.x.x.x01/30 dev eth0.5 #ip link set eth0.5 up My question is, why do you want to use VLAN's here? does you pc only has one network interface? does it have to integrate into something extisting? since my rough guess that a network card will cost less than 10USD/EUR whatever and to your ADSL router you don't need the best at all, most cards will offer 100Mbit and that will be far more than the speed your ADSL can handle in the real world I think. the TC commands you need to use on the other interface the the modem so eth0.5 or eth0. you limit the speed from your server to the client behind it. This will limit the download speed which is probably what you like to achieve. Tell me if the explanation above is a bit understandable, I don't know about tools for this. I'd put it in some init script and let it start with the server. |
I'm really sorry, I have some mis-understand to my issue
first, i need to protect my ADSL router by makeing some bridging between eth0 and eth0:5, and my ADSL router is connected to my eth0. so my DHCP server is working in eth0:5 and give customers this range: Quote:
About your question that is: Quote:
Thanks for you, waiting your help :D |
I'm sorry, but when you bridge eth0 and eth0.5 it will be like your 'customers' are connected to eth0. Since you can consider eth0.5 similar to eth5 but with the weird situation that it shares the same cable as eth0. If you bridge between eth0 and eth0.5 it would be like placing a switching hub (= network switch) between eth0 and this assumed eth5 so this will not give
any protection at all to you router. BUT I think you just formulated in the wrong way. My guess is that you want a network on eth0.5 with 10.10.10.0/24 that is NATed to your ADSL router. + ------------+ +--------------+ 196.x.x.x/30 | +---- 10.10.10.x/24 (eth0.5) | ADSL router |--------------------+ ROUTING PC | +--------------+ | +-----10.20.10.x/24 +-------------+ Is this a bit what you have in mind? I can imagine you have 2 networks that are not supposed to see each other. but until now I only read here above about the 196.x.x.x/30 public network and the 10.10.10.0/24 private network What about the third network that I just invented as 10.20.10.x/24 ? for this to work it is important to enable your kernel as router # cat /proc/sys/net/ipv4/ip_forward when this does return a 0 set it to 1 # echo 1 > /proc/sys/net/ipv4/ip_forward then the next step would be to handle the NAT, with a postrouting rule, like the one below. iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE Does this look to what you are looking for? I could probably refine the firewall a bit for this. But I think we first need to agree on what the desired situation is. |
1 Attachment(s)
Thanks a lot for your efforts, but really i make some attachement for my network and what i need to do protecting my biz. network.
So i think you prefere to install a new NIC to my server, i will do it, but i need to make routing between two networks. By the time, i'm don't using iptables, it is disabled on my server. :D Thanks in advance :D |
hola, to all
i make all of this, but i add some new real NIC, but no client can go for the internet, here is my client config: Quote:
Thanks in advance ... |
to allow 'Server' to forward traffic between eth1 and eth0 and vice versa you'll need to make sure there is the 1 in /proc/sys/net/ipv4/ip_forward as I explained before.
Then with a program like wireshark or simply tcpdump you can see probably what is going on when you type on a machine in the customers network 'ping 8.8.8.8' type on the server first: tcpdump -i eth1 icmp when you see the request arriving you know that part is ok (I expect it is like that) Then you use tcpdump -i eth0 icmp here you will see the problem (is see 2 options) 1) maybe you don't see anything ( no 1 in ...ip_forward) 2) the origin of the request is 10.10.10.x (no NAT) and not 192.168.1.x ( same as Server) Since you want to have NAT you'll need the iptables command to enable it, it also has to be enabled in the kernel but I think centos will have this enabled when you have this command which you'll need anyway, you can clean the firewall and retry tcpdump if it showed no good results iptables -t nat -F iptables -F iptables -t mangle -F and check again with tcpdump |
Really Thanks, but i need to say that all is fine and i need to ask you what happean if my iptables is disabled ??? as i do now ???
so, i will try and tell you the result :D |
What do you mean with disabled?
- no iptables package installed? - not enabled during building the kernel the first will be easy to fix I think, the second is a bit harder or do you mean something else? |
Quote:
I mean : Quote:
also selinux is disabled... |
ok if the iptables command works you can try this command
put a ping on a customer machine for example $ for ((;;)) ; do sleep 2; ping -c 3 -w 2 8.8.8.8;done this will keep it running check with 'tcpdump' on the server # tcpdump -i eth0 icmp # iptables -t nat -A POSTROUTING -s 10.10.10.0/24 --d ! 10.10.10.0/24 o eth0 -j MASQUERADE then try again the tcpdump command from above do you see any difference, if the iptables command shows the stuff from before then it is fine. That service is probably just configuring iptables. I don't remember but i think there as some wrapper scripts on redhat that will also exist on centos. but first try to get it working before trying to make it persistent does the ping work after the iptables line above (the part after the # symbol that I put there to show it needs to be executed as root. |
Thanks a lot
but i need to say it works when i add the rule for natting by: Quote:
Quote:
Quote:
|
so it works but is not persistent?
I found this page: http://www.cyberciti.biz/faq/rhel-fe...tion-tutorial/ it contains:this command that can solve the problem: # /sbin/service iptables save |
Really Thanks for all, the problem is solved and all is OK now...
|
| All times are GMT -5. The time now is 10:34 PM. |