Hi all,

I was just wondering if there's any way to specify what something is masqueraded AS. Usually it ends up that packets are rewritten with the primary address of the interface that the data goes out of, but is there any way to have them rewritten with the IP of an aliased interface, or the IP of another network card?

Thanks,
Joel
Hi all,

We will be having a couple of co-location customers in a few months and would like to start work on how to throttle bandwidth per co-located customer's needs and requirements. I have downloaded and read the Linux 2.4 Advanced Routing HOWTO, but I still could not digest the whole thing clearly. Could any of you gurus run down the steps I need to effectively configure or put together a QoS box? My box will be a Pentium 233 with 128M of RAM and 4 interface cards. Is this a sufficient setup?

Thanks for your help.
Daniel
Hi Joel,

The ip is not masqueraded as the primary address of the interface, but it gets masqueraded as the ip to which the gateway of the machine is specified, i.e. the ip/nic from which it leaves the machine.

And yes, I would also like to know if it's possible to specify what ip it gets masqueraded as; I also wanted to do the same for some application scenario.

Regards

Deepak

----- Original Message -----
From: <Joel@airnet.com.au>
To: <lartc@mailman.ds9a.nl>
Sent: Thursday, April 05, 2001 6:59 AM
Subject: [LARTC] Masquerading as a certain IP

> Hi all,
> I was just wondering if there's any way to specify what something is
> masqueraded AS. Usually it ends up that packets are rewritten with the
> primary address of the interface that the data goes out of, but is there any
> way to have them rewritten with the IP of an aliased interface, or the IP of
> another network card?
>
> Thanks,
> Joel
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
If you want to specify the address to use, you have to do source NAT (or SNAT). With a 2.4.x kernel and iptables you can do this; I am not sure whether real NAT is possible with 2.2.x kernels and ipchains. In fact masquerading is a special case of source NAT, where you do not have to specify the IP address to use, but where the address of the outgoing interface is used automatically. With iptables, you have to use the SNAT target instead of the MASQUERADE target. You can read the iptables HOWTO or the iptables man page for more information.

Guy

Deepak singhal wrote:
> Hi Joel,
>
> The ip is not masqueraded as the primary address of the interface but it gets
> masqueraded as the ip to which the gateway of the machine is specified, i.e.
> the ip/nic from which it leaves the machine.
>
> And yes, I would also like to know if it's possible to specify what ip it
> gets masqueraded as; I also wanted to do the same for some application
> scenario.
>
> Regards
>
> Deepak
Hi,

> I was just wondering if there's any way to specify what something is
> masqueraded AS.

Yes, it is described in the ip-cref documentation which is distributed with the ip program. As far as I remember it is done by setting up special NAT rules which NAT to the local address that you want to use for masquerading.

Christian
On Thu, Apr 05, 2001 at 02:23:12PM -0000, worm@dkik.dk wrote:
> Hi,
>
> > I was just wondering if there's any way to specify what something is
> > masqueraded AS.
>
> Yes, it is described in the ip-cref documentation which is distributed with the
> ip program. As far as I remember it is done by setting up special NAT rules
> which NAT to the local address that you want to use for masquerading.

Ahh, but this is not MASQ, which deals with multiple MASQed hosts on the local lan.

You would have to be more specific on how you want to distribute the traffic. Here's an example:

    src lan dest port 80 mark 1 on incoming chain
    mark 1 use table 5
    ip ro add default via gw src ip table 5
    <repeat>

This would put outgoing traffic on the ip you specify. Note that this won't work on traffic generated by the gateway computer.

Also, this is untested, YMMV.

Mike
Hi,

> > > I was just wondering if there's any way to specify what something is
> > > masqueraded AS.
> >
> > Yes, it is described in the ip-cref documentation which is distributed with the
> > ip program. As far as I remember it is done by setting up special NAT rules
> > which NAT to the local address that you want to use for masquerading.
>
> Ahh, but this is not MASQ, which deals with multiple MASQed hosts on the
> local lan.

Yes, but it can be set up with nat rules according to ip-cref. And this is quite intuitive: if you nat the source of a packet to your own address it seems reasonable to masquerade it.

Christian
On Fri, 6 Apr 2001, Mike Fedyk wrote:
> On Thu, Apr 05, 2001 at 02:23:12PM -0000, worm@dkik.dk wrote:
> > Hi,
> >
> > > I was just wondering if there's any way to specify what something is
> > > masqueraded AS.
> >
> > Yes, it is described in the ip-cref documentation which is distributed with the
> > ip program. As far as I remember it is done by setting up special NAT rules
> > which NAT to the local address that you want to use for masquerading.
>
> Ahh, but this is not MASQ, which deals with multiple MASQed hosts on the
> local lan.
>
> You would have to be more specific on how you want to distribute the
> traffic. Here's an example:
>
>     src lan dest port 80 mark 1 on incoming chain
>     mark 1 use table 5
>     ip ro add default via gw src ip table 5
>     <repeat>
>
> This would put outgoing traffic on the ip you specify. Note that this won't
> work on traffic generated by the gateway computer.
>
> Also, this is untested, YMMV.

FWIW, we have it set up this way and it works as you say. We use the firewall marks and iproute2 tables to send some traffic out a 192k DSL connection for recreational use and some traffic out a T1 for work-related use. The traffic is routed based on source IP address, and all IPs to be masq'd are on the same 192.168/24 network. A single, simple masquerade rule in iptables picks the right source address based on whichever gateway is used. I don't notice any loss in throughput on either connection.

These are the commands that we use:

    # "dsl_out" is a named routing table; the name must be defined in /etc/iproute2/rt_tables
    ip rule add fwmark 5 lookup dsl_out
    ip route add default via $DSL_OUT_GW table dsl_out
    ip route flush cache

    for i in 52 55 101 102 103 104 (etc...); do
        # workstations using the 192k DSL: mark their packets before routing
        # (single hosts, so /32; with /24 every iteration would match the whole subnet)
        iptables -t mangle -A PREROUTING \
            -s 192.168.5.${i}/32 -d ! $REAL_NET \
            -j MARK --set-mark 5
    done

    # all others use T1 (which is the default gw); MASQUERADE picks the source
    # address of whichever outgoing interface the routing decision selected
    iptables -t nat -A POSTROUTING \
        -s 192.168.5.0/24 -d ! $REAL_NET \
        -j MASQUERADE

where $REAL_NET is our assigned routable ip block.

Hope this helps...
The setup:

            T1     eth0 |---------| eth1              /--- company offices
    ---------------------|  LINUX  |-----<HUB>-------+---- (private addresses)
       1536kbps          |---------|                  \---
        192KBps               | eth2
                              |
                      DMZ (mail, web, ...)
                         1.2.3.0/24

The DMZ zone needs to have at least 256kbps (32KBps).

Let's assume you have 3 company offices:
- 10.10.10.0/24
- 10.10.20.0/24
- 10.10.30.0/24

Each office has a maximum of 128kbps (16KBps).

Let's do it for the downstream direction of your T1 line:

<cut>
#!/bin/sh

OPTION="allot 1514 maxburst 20 avpkt 1000 prio 4"
DEV="dev eth0"

# First we have to throttle the total bandwidth of eth0 (10mbps) to 192KBps
# (I don't know if it's the correct speed of a T1 line)
tc qdisc del $DEV root handle 10:
tc qdisc add $DEV root handle 10: cbq bandwidth 10mbit avpkt 1000
tc class add $DEV parent 10:0 classid 10:2 cbq bandwidth 10mbit rate 192kbps $OPTION isolated bounded
tc qdisc add $DEV parent 10:2 handle 20: cbq bandwidth 192kbps allot 1514 avpkt 1000

# DMZ needs at least 16kbps so the rest is 192kbps for the offices (160 + 32 = 192 ! ! !) :
tc class add $DEV parent 20: classid 20:10 cbq bandwidth 192kbps rate 32kbps $OPTION
tc qdisc add $DEV parent 20:10 handle 210: cbq bandwidth 32kbps allot 1514 avpkt 1000
tc class add $DEV parent 20: classid 20:20 cbq bandwidth 192kbps rate 160kbps $OPTION
tc qdisc add $DEV parent 20:20 handle 220: cbq bandwidth 160kbps allot 1514 avpkt 1000

# qdisc 220 contains the offices. For each office we need a new class and
# I attach a tbf qdisc to limit the bandwidth:
tc class add $DEV parent 220: classid 220:10 cbq bandwidth 160kbps rate 16kbps $OPTION
tc qdisc add $DEV parent 220:10 handle 2210: cbq bandwidth 16kbps allot 1514 avpkt 1000
tc qdisc add $DEV parent 2210: tbf rate 16kbps buffer 20Kb/8 limit 15Kb

tc class add $DEV parent 220: classid 220:20 cbq bandwidth 160kbps rate 16kbps $OPTION
tc qdisc add $DEV parent 220:20 handle 2220: cbq bandwidth 16kbps allot 1514 avpkt 1000
tc qdisc add $DEV parent 2220: tbf rate 16kbps buffer 20Kb/8 limit 15Kb

tc class add $DEV parent 220: classid 220:30 cbq bandwidth 160kbps rate 16kbps $OPTION
tc qdisc add $DEV parent 220:30 handle 2230: cbq bandwidth 16kbps allot 1514 avpkt 1000
tc qdisc add $DEV parent 2230: tbf rate 16kbps buffer 20Kb/8 limit 15Kb

# Now we have to say which traffic belongs to which class. We use ipchains
# (or netfilter for kernel 2.4) to mark the packets. Each class has its mark.
# (Notice I mark the office packets on the input of eth1. When you use NAT,
# you can't say at the output of eth2 what's coming from where.)
ipchains -A input -i eth1 -p tcp -d 10.10.10.0/24 -m 1   # Office 1
ipchains -A input -i eth1 -p tcp -d 10.10.20.0/24 -m 2   # Office 2
ipchains -A input -i eth1 -p tcp -d 10.10.30.0/24 -m 3   # Office 3
ipchains -A input -i eth2 -p tcp -d 1.2.3.0/24 -m 4      # DMZ

# Putting the packets in the right classes:
tc filter add $DEV parent 10: protocol ip prio 3 handle 1 fw classid 10:2
tc filter add $DEV parent 10: protocol ip prio 3 handle 2 fw classid 10:2
tc filter add $DEV parent 10: protocol ip prio 3 handle 3 fw classid 10:2
tc filter add $DEV parent 10: protocol ip prio 3 handle 4 fw classid 10:2
tc filter add $DEV parent 20: protocol ip prio 3 handle 1 fw classid 20:20
tc filter add $DEV parent 20: protocol ip prio 3 handle 2 fw classid 20:20
tc filter add $DEV parent 20: protocol ip prio 3 handle 3 fw classid 20:20
tc filter add $DEV parent 20: protocol ip prio 3 handle 4 fw classid 20:10
tc filter add $DEV parent 220: protocol ip prio 3 handle 1 fw classid 220:10
tc filter add $DEV parent 220: protocol ip prio 3 handle 2 fw classid 220:20
tc filter add $DEV parent 220: protocol ip prio 3 handle 3 fw classid 220:30
</cut>

That's all. I copy/pasted it to a file and I had no errors, so I suppose I made no error. You can adapt these lines to your needs. You can play with the different rates as long as ( sum(sub_class_rates) < parent_class_rate ).

For the upstream direction, you can of course use the same setup to throttle the output bandwidth of eth1 and eth2. But you can't use them together: you can't say that eth2 always needs 75% of the upstream of the T1.

Staf
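As an added example (not from Staf's mail or from his scripts), here is a small Python checker for the rule he states, the sum of the sub-class rates against the parent class rate, run over a constructed copy of the class tree in the script. It treats a sum equal to the parent as acceptable, which is what the script itself does (32 + 160 = 192), and it converts tc's units, where "kbps" is kilobytes per second, so the 192kbps root class is exactly a 1536 kbit/s T1.

```python
import re

# tc rate units in bit/s (tc's "kbps" is kilobytes/s, "kbit" kilobits/s: 192kbps = 1536 kbit/s, a T1)
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "bps": 8, "kbps": 8_000, "mbps": 8_000_000}

def to_bps(rate):
    num, unit = re.fullmatch(r"(\d+)([a-z]+)", rate).groups()
    return int(num) * UNITS[unit]

def parse_tree(script):
    """classid -> (parent qdisc handle, rate); qdisc handle -> (parent classid or None, bandwidth)."""
    classes, qdiscs = {}, {}
    for line in script.splitlines():
        tok = line.split("#", 1)[0].split()          # drop trailing comments
        if len(tok) < 3 or tok[0] != "tc" or tok[2] != "add":
            continue
        arg = dict(zip(tok, tok[1:]))                 # keyword -> the token that follows it
        if tok[1] == "class":
            parent = re.sub(r":0$", ":", arg["parent"])   # "parent 10:0" names qdisc "10:"
            classes[arg["classid"]] = (parent, to_bps(arg["rate"]))
        elif tok[1] == "qdisc" and "handle" in arg:   # tbf leaves carry no handle: skip
            qdiscs[arg["handle"]] = (arg.get("parent"), to_bps(arg["bandwidth"]))
    return classes, qdiscs

def check_budgets(script):
    """Per cbq qdisc: (budget, sum of its direct child class rates) in bit/s. The budget is
    the rate of the class the qdisc hangs from, or the qdisc's own bandwidth at the root."""
    classes, qdiscs = parse_tree(script)
    result = {}
    for handle, (parent_class, bandwidth) in qdiscs.items():
        budget = classes[parent_class][1] if parent_class else bandwidth
        result[handle] = (budget, sum(r for p, r in classes.values() if p == handle))
    return result

def overcommitted(script):
    """Handles of qdiscs whose child classes together ask for more than the parent can give."""
    return sorted(h for h, (budget, total) in check_budgets(script).items() if total > budget)

# Constructed sample mirroring the class tree of the script above (filters and tbf leaves left out).
SAMPLE = """
tc qdisc add dev eth0 root handle 10: cbq bandwidth 10mbit avpkt 1000
tc class add dev eth0 parent 10:0 classid 10:2 cbq bandwidth 10mbit rate 192kbps allot 1514 bounded
tc qdisc add dev eth0 parent 10:2 handle 20: cbq bandwidth 192kbps allot 1514 avpkt 1000
tc class add dev eth0 parent 20: classid 20:10 cbq bandwidth 192kbps rate 32kbps allot 1514   # DMZ
tc class add dev eth0 parent 20: classid 20:20 cbq bandwidth 192kbps rate 160kbps allot 1514  # offices
tc qdisc add dev eth0 parent 20:20 handle 220: cbq bandwidth 160kbps allot 1514 avpkt 1000
tc class add dev eth0 parent 220: classid 220:10 cbq bandwidth 160kbps rate 16kbps allot 1514
tc class add dev eth0 parent 220: classid 220:20 cbq bandwidth 160kbps rate 16kbps allot 1514
tc class add dev eth0 parent 220: classid 220:30 cbq bandwidth 160kbps rate 16kbps allot 1514
"""
```

Running `overcommitted(SAMPLE)` returns an empty list for the tree as written; raising the offices class to 200kbps makes qdisc 20: overcommitted, because 32 + 200 exceeds the 192 KB/s of class 10:2.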
Daniel Camacho wrote:
>
> Stef,
>
> Thank you so much for having to go through all this. I also want to know
> what do I need to enable in the kernel to have this working. I'm using
> 2.4 kernel.

No problem, just cut-and-paste from one of my scripts. Really, if you wanna learn about it, take a few PCs, put Linux on them and try it out. For fast setup, download my scripts (see link below) and adapt them to your needs like I did in my previous mail.

Enable everything in the kernel (as module or built-in). You can find it as the last option in submenu "Networking Options".

> I'm a little confused by your following statement. Do you mean I can't
> throttle incoming bandwidth at the same time as the outgoing bandwidth?
>
> > For the upstream direction, you can of course use the same setup to
> > throttle the output bandwidth of eth1 and eth2. But you can't use them
> > together: you can't say that eth2 always needs 75% of the upstream of the
> > T1.

You can control outgoing bandwidth. But when you are looking at the upstream traffic, the data to the DMZ zone is going out on the eth2 NIC and the data to the office is going out on the eth1 NIC. You can control the data that's going out on ONE NIC, but you can't manage the data together. You can't say that the outgoing data on eth2 has to be at least 75% of the data that's going out on NIC eth1. There's no way you can manage the two NICs together.

You can try to control the incoming data on NIC eth0 (with a few patches, you can do this with QoS, but I never tried), but when you use NAT, you don't know which data coming in on NIC eth0 is going out on which NIC because they are all coming in to the ip address of NIC eth0.

Hope you understand what I'm trying to say.

--
Staf
More QOS info : http://users.belgacom.net/staf/