On Thu, 11 Jan 2001, Willis Yonker wrote:

> Hello all,
>
> I just got the 2.4.0 kernel and built in masquerading into the kernel (not
> as a module). When you do that, it takes away the option to act as
> ipchains did in 2.2.
>
> Okay, that's fine with me. I just have no idea how to setup masquerading
> (or for that matter port forwarding either) using the 2.4 way. Can
> someone point me to some documentation I can use to accomplish this?

Check out Rusty Russell's Linux 2.4 NAT HOWTO on
http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html

Doei, Arthur.

--
  /\    / | arthurvl@sci.kun.nl           | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching

Hello all,

I just got the 2.4.0 kernel and built in masquerading into the kernel (not as a module). When you do that, it takes away the option to act as ipchains did in 2.2.

Okay, that's fine with me. I just have no idea how to setup masquerading (or for that matter port forwarding either) using the 2.4 way. Can someone point me to some documentation I can use to accomplish this?

Thank you for your help.

Cool. That worked great. I have one more question please.

What is the replacement for ipmasqadm and where can I find some documentation on it?

This is great. I can finally get my network working the way it should be!

On 11 Jan 2001, at 15:45, Arthur van Leeuwen wrote:

> On Thu, 11 Jan 2001, Willis Yonker wrote:
>
> > Hello all,
> >
> > I just got the 2.4.0 kernel and built in masquerading into the
> > kernel (not as a module). When you do that, it takes away the
> > option to act as ipchains did in 2.2.
> >
> > Okay, that's fine with me. I just have no idea how to setup
> > masquerading (or for that matter port forwarding either) using the
> > 2.4 way. Can someone point me to some documentation I can use to
> > accomplish this?
>
> Check out Rusty Russell's Linux 2.4 NAT HOWTO on
> http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html
>
> Doei, Arthur.
>
> --
>   /\    / | arthurvl@sci.kun.nl           | Work like you don't need
> the money
>  /__\  /  | A friend is someone with whom | Love like you have never
> been hurt
> /    \/__ | you can dare to be yourself   | Dance like there's nobody
> watching

On Thu, 11 Jan 2001 wyonker@dcsnow.com wrote:

> On 11 Jan 2001, at 15:45, Arthur van Leeuwen wrote:
>
> > Check out Rusty Russell's Linux 2.4 NAT HOWTO on
> > http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html

> Cool. That worked great. I have one more question please.

> What is the replacement for ipmasqadm and where can I find some
> documentation on it?

If you had really read the Linux 2.4 NAT HOWTO, you would've known that the PREROUTING and POSTROUTING tables also handle port forwarding. And that the 2.4 NAT HOWTO describes *that* as well.

Doei, Arthur.

--
  /\    / | arthurvl@sci.kun.nl           | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching

Well I guess I deserved that. I saw my mistake after I sent this message but of course it was too late by then. Sorry.

On 11 Jan 2001, at 22:30, Arthur van Leeuwen wrote:

> On Thu, 11 Jan 2001 wyonker@dcsnow.com wrote:
>
> > On 11 Jan 2001, at 15:45, Arthur van Leeuwen wrote:
> >
> > > Check out Rusty Russell's Linux 2.4 NAT HOWTO on
> > > http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html
>
> > Cool. That worked great. I have one more question please.
>
> > What is the replacement for ipmasqadm and where can I find some
> > documentation on it?
>
> If you had really read the Linux 2.4 NAT HOWTO, you would've known
> that the PREROUTING and POSTROUTING tables also handle port
> forwarding. And that the 2.4 NAT HOWTO describes *that* as well.
>
> Doei, Arthur.
>
> --
>   /\    / | arthurvl@sci.kun.nl           | Work like you don't need
> the money
>  /__\  /  | A friend is someone with whom | Love like you have never
> been hurt
> /    \/__ | you can dare to be yourself   | Dance like there's nobody
> watching

Here is the final piece to my puzzle. I'll buy someone a beer if they can help me with this.

I have two connections to the internet. I would like all traffic on port 27015 to go out on the 2nd connection (which is eth1 on the router) and all traffic from one client also. Oh and I would like to force all traffic going to specific hosts (myisp.com and myisp2.com) to go over their respective interfaces because they block traffic from anywhere else.

Now, to do the part with the client I can just do the following right?

echo 200 John >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.10 table John
ip route add default via 195.96.98.253 dev ppp2 table John
ip route flush cache

I copied that from the advanced routing Howto.

So can I just add the port to the 'ip rule add' line? Like this?

ip rule add from 10.1.1.10:27015 table John

As always, any help would be appreciated.

On 11 Jan 2001, at 10:12, Willis Yonker wrote:

> Hello all,
>
> I just got the 2.4.0 kernel and built in masquerading into the kernel
> (not as a module). When you do that, it takes away the option to act
> as ipchains did in 2.2.
>
> Okay, that's fine with me. I just have no idea how to setup
> masquerading (or for that matter port forwarding either) using the 2.4
> way. Can someone point me to some documentation I can use to
> accomplish this?
>
> Thank you for your help.
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
> http://ds9a.nl/2.4Routing/

On Thu, 11 Jan 2001 wyonker@dcsnow.com wrote:

> Here is the final piece to my puzzle. I'll buy someone a beer if they
> can help me with this.
>
> I have two connections to the internet. I would like all traffic on port
> 27015 to go out on the 2nd connection (which is eth1 on the router)
> and all traffic from one client also. Oh and I would like to force all
> traffic going to specific hosts (myisp.com and myisp2.com) to go
> over their respective interfaces because they block traffic from anywhere
> else.

> Now, to do the part with the client I can just do the following right?
>
> echo 200 John >> /etc/iproute2/rt_tables
> ip rule add from 10.0.0.10 table John
> ip route add default via 195.96.98.253 dev ppp2 table John
> ip route flush cache
>
> I copied that from the advanced routing Howto.

Right so far.

> So can I just add the port to the 'ip rule add' line? Like this?
>
> ip rule add from 10.1.1.10:27015 table John

Nope. You'll have to mark the packets with ipchains (or, in your case iptables) first (the -m option for ipchains, --mark for iptables). Then you add a rule matching on that fwmark (ip rule add fwmark 0xf00 table John). Note that you have to specify the marks in hexadecimal, or else it won't work.

> As always, any help would be appreciated.

I'll leave figuring out the ISP-specific routing to your creativity... can't really spoil all your fun, now can I? :)

Doei, Arthur.

--
  /\    / | arthurvl@sci.kun.nl           | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching

Okay, here is what I got so far. Does this look right?

#First turn on NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Now forward www packets to the web server.
iptables -A PREROUTING -t nat --dport 80 -j DNAT --to 10.1.1.1:80

#Mark all packets for mygame for later routing
iptables -A FORWARD -t nat --dport 27015 -j MARK --set-mark 0xf01

#Mark all packets going to myisp2.com to jump to custom table
#Since the default route is myisp1 I don't have to worry about those.
iptables -A FORWARD -t nat -d myisp2.com -j MARK --set-mark 0xf01

#Setup custom table
echo 200 John >> /etc/iproute2/rt_tables

#Force all traffic from 10.0.0.10 to jump to custom table
ip rule add from 10.0.0.10 table John

#Force all marked packets to jump to custom table
ip rule add fwmark 0xf01 table John

#Force all packets that make it to this table to go out on the 2nd interface
ip route add default via 195.96.98.253 dev eth1 table John

#Flush the cache when finished
ip route flush cache

On 12 Jan 2001, at 10:51, Arthur van Leeuwen wrote:

> On Thu, 11 Jan 2001 wyonker@dcsnow.com wrote:
>
> > Here is the final piece to my puzzle. I'll buy someone a beer if
> > they can help me with this.
> >
> > I have two connections to the internet. I would like all traffic on
> > port 27015 to go out on the 2nd connection (which is eth1 on the
> > router) and all traffic from one client also. Oh and I would like
> > to force all traffic going to specific hosts (myisp.com and
> > myisp2.com) to go over their respective interfaces because they
> > block traffic from anywhere else.
>
> > Now, to do the part with the client I can just do the following
> > right?
> >
> > echo 200 John >> /etc/iproute2/rt_tables
> > ip rule add from 10.0.0.10 table John
> > ip route add default via 195.96.98.253 dev ppp2 table John
> > ip route flush cache
> >
> > I copied that from the advanced routing Howto.
>
> Right so far.
>
> > So can I just add the port to the 'ip rule add' line? Like this?
> >
> > ip rule add from 10.1.1.10:27015 table John
>
> Nope. You'll have to mark the packets with ipchains (or, in your case
> iptables) first (the -m option for ipchains, --mark for iptables).
> Then you add a rule matching on that fwmark (ip rule add fwmark 0xf00
> table John). Note that you have to specify the marks in hexadecimal,
> or else it won't work.
>
> > As always, any help would be appreciated.
>
> I'll leave figuring out the ISP-specific routing to your creativity...
> can't really spoil all your fun, now can I? :)
>
> Doei, Arthur.
>
> --
>   /\    / | arthurvl@sci.kun.nl           | Work like you don't need
> the money
>  /__\  /  | A friend is someone with whom | Love like you have never
> been hurt
> /    \/__ | you can dare to be yourself   | Dance like there's nobody
> watching

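A corrected form of the draft ruleset in the last message, as an added example that is not part of the thread and was not written by any of its participants; it defaults to a dry run that only prints the commands. Assumptions not found in the thread: the inside interface is named eth2, port 27015 is UDP, and the web server is reached through eth0.

```shell
#!/bin/sh
# Added example (not from the thread): corrected form of the draft ruleset.
WAN1_IF=eth0          # default uplink, masqueraded in the thread
WAN2_IF=eth1          # second uplink (from the thread)
LAN_IF=eth2           # ASSUMPTION: name of the inside interface
GW2=195.96.98.253     # gateway on the second uplink (from the thread)
WEB=10.1.1.1          # internal web server (from the thread)
GAME_PROTO=udp        # ASSUMPTION: protocol of port 27015; set tcp if needed
MARK=0xf01
TABLE=John
RT_TABLES=/etc/iproute2/rt_tables
DRY_RUN=${DRY_RUN:-1} # 1 = only print the commands, 0 = apply (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_rules() {
    # Register the table name once; a plain >> appends a duplicate every run.
    grep -qs "^200[[:space:]][[:space:]]*$TABLE\$" "$RT_TABLES" ||
        run sh -c "echo 200 $TABLE >> $RT_TABLES"
    # NAT on both uplinks, or policy-routed traffic leaves eth1 with its
    # private source address.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
    # --dport needs -p; -i keeps the DNAT from also capturing the LAN's own
    # outbound web traffic.
    run iptables -t nat -A PREROUTING -i "$WAN1_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    # MARK is a mangle-table target (the nat table has no FORWARD chain) and
    # must run in PREROUTING, before the routing decision that reads the mark.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p "$GAME_PROTO" \
        --dport 27015 -j MARK --set-mark "$MARK"
    # A hostname is resolved once, when the rule is inserted.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d myisp2.com \
        -j MARK --set-mark "$MARK"
    run ip rule add from 10.0.0.10 table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW2" dev "$WAN2_IF" table "$TABLE"
    run ip route flush cache
}

setup_rules
```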