search for: mingching

Does anyone know if load balancing and DNAT work well together? I know that load balancing and NAT do not, but what about a simple port forward? I can''t apply Julian Anastasov''s patches, because they don''t work with PPTP patches. :/ Anyhow, a simple: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport xxx -j DNAT --to yyy:xxx iptables -I FORWARD -i eth0 -d yyy -p

...more specific than "Re: Contents of LARTC digest..." Today''s Topics: 1. Drop packets using tc ? (Ming-Ching Tiew) ---------------------------------------------------------------------- Message: 1 Date: Thu, 12 Oct 2006 10:52:28 +0800 From: "Ming-Ching Tiew" <mingching.tiew@redtone.com> Subject: [LARTC] Drop packets using tc ? To: <lartc@mailman.ds9a.nl> Message-ID: <00ad01c6eda9$74606c50$0100a8c0@newlife> Content-Type: text/plain; charset="iso-8859-1" I have a linux bridge in an embedded system with limited tools. I want to...

The LARTC howto correctly describes load balancing and split access for traffic from a machine with multiple ISP connections (http://www.lartc.org/lartc.html#LARTC.RPDB.MULTIPLE-LINKS) -- *provided* the traffic originates from the machine itself (i.e. traffic regularly handled by the INPUT and OUTPUT chains of iptables). When forwarding traffic from an attached local network, the following

I have tried using iptraf for my NAT firewall to analyse the IP traffic. Basically I am faced with this difficulty of related the source IP to the outgoing interface to the internet, so I am wondering if anyone has a suggestion for a different ways to do it, or a suggestion for a better tool. Details :- Supposed : eth0 - LAN eth1 - WAN1 eth2 - WAN2 And then

Anyone has idea of what would be the best way to track connection time some a particular user to the internet ? Imagine a wifi network where the users will connect to the system via DHCP ( there is no PPPOE session involved ). If there is a need to track internet usage based on connection time ( to the internet ), what would be the best way to track it ? Appreciate any input or ideas.

I have a linux bridge in an embedded system with limited tools. I want to drop these packets from flowing across the bridge, NETBEUI - TCP port 135-139 UDP port 137-139 TCP/UDP port 445 Also all broadcast and multicast. Is there a way to accomplish it using ''tc'' ? If the packets cannot be dropped, I will be happy

Subject almost says it all, I wonder if there is a way for me to use iptables matches like l7 and/or ipp2p match in a bridge ( one ethernet in and one ethernet out ) ? Regards.

Normally when we talk about traffic control, we are talking about doing traffic control (tc) using a router, ie packets into an interface and based on routing, they goes out to somewhere else. However I have a box with two interfaces, eth0 and eth1 added to a bridge br0 and I would like to perform traffic control via the two interfaces. Is that supposed to work the same as the router

I am machines on IPsec VPN which is a subnet of my bigger LAN ( ie I have machines on the LAN which is not in the VPN ), specifically :- 192.168.132.0/29:0 -> internet ---> 192.168.1.192/27:0 ( local subnet ---> internet--> remote subnet ) # ip route list ... 192.168.1.192/27 via 21x.18x.11x.8x dev ipsec0 192.168.1.0/24 via 192.168.15.146 dev eth0 ... Now, the machines in the

Correct me if I am wrong, RIP is kind least hop routing, but is there a way for me to have best throughput routing or least latency routing ? _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

OK I have sufficient evidence now that my split route ( multipath routing ) is inducing kernel panic and also frequent connection lost. The split route may not be the culprit but I can safely say that without using the split route, my system is perfectly stable. I have set up the split route according to http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html I could use

I have a Linux with 3 LAN interfaces doing multipath NAT to two internet links via ADSL. The question I have is after I added the default route on each of the routing table, I can''t ping the external interfaces of the Linux from the LAN ( pinging from the Linux itself is OK ). But pinging beyond the two external interfaces ( eg the default route ) is OK. I use symbolic names here :-

After many attempts to get weight multipath routing to work reliable on my NAT firewall, I am beginning to think, maybe it simply does not make sense to combine them together. I get various kinds of problems with this configuration, especially with long-connecting session ( eg PcAnywhere ). After various investigations, my conclusion is that PcAnyWhere has a mechanism to "detect"

I have many iptables setmark commands, but as soon as there is one match, I would like to skip all the rest. How to do this. -------not-working-not-mark-zero-is-not-accepted--------- iptables -t mangle -A PREROUTING ..... -j MARK --set-mark ..... iptables -t mangle -A PREROUTING -m MARK ! --mark 0 -j ACCEPT iptables -t mangle -A PREROUTING ..... -j MARK --set-mark ..... iptables -t mangle -A

Perhaps someone will help me on this :- I have read a lot of examples of syn flood protect on the INPUT chain. That I have no question at all. I wonder if it make sense to perform syn flood protection at the FORWARD chain ? If packets are originated from a LAN worm, and are not targetted at the firewall itself, but rather at hosts in the internet, will it cause problem with the firewall itself,

Assuming if I have rules matching the same packet, the one chosen is the lower preference value or the high ? For example # ip rule list .... 100 from 192.168.1.0/24 lookup main 200 from all fwmark 5 lookup first ..... Packet is matching both rules, the one with priority/preference 100 or 200 is selected ? _______________________________________________ LARTC mailing list /

I have a requirement which I guess it is not too unusually, however I haven''t quite figured out how to do it and couldn''t find any examples which handle that. I have made myself a Linux-based bridge, eth0 bridged with eth1 to form br0. In this bridge, I run ''tc'' script to handle QoS. So far nothing unusual. However, what''s different is that this

As you are probably aware, this is a ever green topic. I have personally tried doing it, testing it and verifying it and I am myself finding this problem challenging and frustrating. Most of the scripts will recommend some form of rate limiting ( or policing ) on the download. But the challenge is how to determine the correct value for the policing ? Lot of the recommendation says use x %

This problem is driving nuts, so I am seeking help here. Your help will be deeply appreciated. I have made myself a Linux bridge with eth1 and eth0 to form br0. Then I run a script to configure tc with htb on it. But I can never match non-icmp traffic ( such as tcp and udp ) with TOS or DSCP values such as 0x68. The full story as follows :- 1. On the source testing machine, I do this to set