[LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Indunil Jayasooriya
Hi,

I have a box running with iptables and iproute2. It has 3 ethernet cards:
one for the internet, another for the LAN and yet another for the DMZ.

In the DMZ zone I have 3 web servers, but I have only one real IP on my
firewall. Now I want to forward port 80 to these 3 web servers.

How can I do it?

I searched a lot on Google, but still no luck.


-- 
Thank you
Indunil Jayasooriya
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Alexandre J. Correa - Onda Internet

You can use Squid as a reverse proxy ..

See cache_peer !!

Squid can load balance between the 3 servers and cache it !!

Run Squid on your box with the real IP..

Here you can see examples (pt-br):
http://under-linux.org/7964-squid-atuando-como-proxy-reverso.html


Indunil Jayasooriya wrote:

> Hi,
>
> I have a box running with iptables and iproute2. It has 3 ethernet
> cards: one for the internet, another for the LAN and yet another for the DMZ.
>
> In the DMZ zone I have 3 web servers, but I have only one real IP on my
> firewall. Now I want to forward port 80 to these 3 web servers.
>
> How can I do it?
>
> I searched a lot on Google, but still no luck.
>
> --
> Thank you
> Indunil Jayasooriya



--
Regards,

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



Re: [LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Indunil Jayasooriya



> see cache_peer !!
>
> squid can load balance between 3 servers and cache it !!
>
> run squid on your box with real ip..
>
> Thanks for your quick answer. I know about reverse proxy. I wanted to know
> that without squid, whether iptables itself can handle this situation.

Suppose I have 3 mail servers in the DMZ zone with one real IP, the same
situation as before. In that case, what can I do?

Hope to hear from you.


-- 
Thank you
Indunil Jayasooriya


Re: [LARTC] How to fight with encrypted p2p

2007-12-10 Thread the sew
Hi,

We had a similar problem with p2p; we used ipp2p and L7-filter together
before and it worked well until clients (mostly the clever ones) started
getting around it with encryption. We have about 700 wireless clients
hitting our network, and our network was taking big knocks from guys
using a couple of gigs a day on entry-level packages.

Was going to use Ipoque, but it was quite pricey for us. The only solution
for us was to use a daily limit of e.g. 500MB, after which they get slowed
down to slower speeds. This worked like a charm.

Out of interest, we used freeradius / pptpd|pppd with some custom perl
scripts and tc rules.

Sew

On Dec 3, 2007 9:33 PM, Andrew Beverley [EMAIL PROTECTED] wrote:
> > I believe fighting is the wrong approach.  Badly shaping the wrong
> > traffic is just as bad, if not worse IMO.  An ISP in my neck of the
> > woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a
> > result of their P2P fight.  Needless to say we no longer use them, and
> > we encourage clients, friends, and colleagues not to as well.  I don't
> > use P2P but I do use ssh, imaps, sftp, and https daily.  Screwing with
> > these services is not useful.
>
> Using the rules in the example previously given specifically steers well clear
> of these services.
>
> > Limiting your rules to specific ports is
> > pretty useless.  This has been done before, and it failed miserably.
>
> Agreed.
>
> > For me, if P2P does not belong at all, for instance on a corporate
> > network, then a default deny on the outbound works much better.  We then
> > only allow specific connections on a case by case basis.
>
> I have seen this work very well on corporate networks, and would recommend
> this approach where possible. Unfortunately though, on a normal home user
> network, there are so many different possibilities that this isn't very
> practical.
>
> > For instances
> > where I am not able to block p2p, I define specific rules for high and
> > low priority, and leave everything else in the default.  If the end user
> > wants to use the bulk of his or her bandwidth for P2P, so be it.  Of
> > course in this case bandwidth accounting is far more useful.
>
> Again, this depends on the circumstances. If you only have 2Mbit/s to share
> between 100 users then each user cannot have their own 'share' of the
> connection. Equally, people downloading in a responsible way are lumped into
> the same category as p2p users, which is not fair. Bandwidth accounting is a
> possibility, and something I haven't investigated.
>
> For those who want to fairly share bandwidth between users, I would recommend
> the ESFQ patches. These allow bandwidth sharing to be done on an IP address
> basis, rather than per connection. This prevents the hundreds of p2p
> connections from drowning out single downloads.
>
> > I would also encourage your users to use software that is or can be well
> > behaved.  Software that allows you to set a proper TOS for instance.  If
> > possible work with the end users.
> > I have personally found that the best solutions are not tech solutions.
> > Having a well defined Acceptable Use Policy, plus a constructive
> > dialogue with my users has been far more effective than any shaping
> > routine I/we could come up with.
>
> Agreed. However, in a situation where you have a lot of users coming and
> going, it is not easy to educate the many hundreds of users.
>
> I guess it all boils down to your own situation. Traffic shaping on a
> corporate network or on a network where your users are static can be done
> using the above techniques. However, sharing a small connection between
> hundreds of regularly changing users is difficult, and I have found the
> 'blunt' rules previously described to work very well with no complaints.
>
> Regards,
>
> Andy Beverley


Re: [LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Alex Samad
On Mon, Dec 10, 2007 at 04:09:52PM +0530, Indunil Jayasooriya wrote:
> > see cache_peer !!
> >
> > squid can load balance between 3 servers and cache it !!
> >
> > run squid on your box with real ip..
> >
> > Thanks for your quick answer. I know about reverse proxy. I wanted to know
> > that without squid, whether iptables itself can handle this situation.
>
> Suppose I have 3 mail servers in the DMZ zone with one real IP, the same
> situation as before. In that case, what can I do?

You could use exim/postfix and route the mail to the right server, but I guess
you are trying to find out how to have port 25 on the real IP NATed to one of
the 3 DMZ IPs based upon the destination mail address.

Short answer: you can't, as far as I know. iptables only looks at src IP / src
port / dest IP / dest port. You could write your own plugin module to look into
the TCP stream.

> Hope to hear from you.
>
> --
> Thank you
> Indunil Jayasooriya



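An added example, not code from the thread or from any of the posters: a POSIX shell script that prints the iptables NAT rules for what iptables alone can do for the three DMZ web servers behind one real IP, namely per-connection round robin with the statistic match (`-m statistic --mode nth`, the xt_statistic module). The interface names, the public address 203.0.113.10 and the backend addresses are placeholders of my own. It also makes Alex's point concrete: the split is by connection count only; nothing here can look at an HTTP Host header or an SMTP recipient, which is where a reverse proxy or MTA routing comes in.

```shell
#!/bin/sh
# Added example, not from the thread: print iptables rules that spread new
# TCP connections arriving on one public IP over several DMZ backends using
# the xt_statistic match (-m statistic --mode nth). Nothing is applied; the
# script only prints the commands, so it runs without root.
#
# Hypothetical values (not from the thread): WAN_IF, DMZ_IF, PUBLIC_IP and the
# backend addresses given on the command line.
#
# Limit the thread points out: iptables sees only addresses and ports, so this
# is per-connection round robin. It cannot choose a backend from the HTTP Host
# header or an SMTP recipient; that needs a reverse proxy or MTA routing.

# gen_dnat_rules PORT BACKEND...  -> rule lines on stdout
# The nat PREROUTING chain is consulted only for the first packet of a
# connection, so each statistic counter counts new connections. Rule k of n
# matches every (n-k+1)-th connection that reaches it; because a counter only
# sees what earlier rules let through, the last backend takes the remainder
# unconditionally and the split is even.
gen_dnat_rules() {
    port=$1; shift
    wan_if=${WAN_IF:-eth0}
    dmz_if=${DMZ_IF:-eth2}
    public_ip=${PUBLIC_IP:-203.0.113.10}
    n=$#
    i=0
    for backend in "$@"; do
        remaining=$((n - i))
        if [ "$remaining" -gt 1 ]; then
            printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -m statistic --mode nth --every %s --packet 0 -j DNAT --to-destination %s:%s\n' \
                "$wan_if" "$public_ip" "$port" "$remaining" "$backend" "$port"
        else
            printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
                "$wan_if" "$public_ip" "$port" "$backend" "$port"
        fi
        i=$((i + 1))
    done
    # FORWARD: replies for tracked connections, then only the DNATed new
    # connections from the WAN side toward the listed backends (assumes a
    # default DROP policy on FORWARD).
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for backend in "$@"; do
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$wan_if" "$dmz_if" "$backend" "$port"
    done
}

# Run directly with no arguments: demonstrate three constructed web backends.
if [ "$#" -eq 0 ]; then
    gen_dnat_rules 80 10.1.1.11 10.1.1.12 10.1.1.13
else
    gen_dnat_rules "$@"
fi
```

Review the printed lines and pipe them to `sh` on the firewall only once they match the real interface names and addresses; the same generator works for port 25 and the three mail servers, with the same caveat that the backend is chosen by connection count, not by recipient.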


[LARTC] regarding implementation of queue in linux

2007-12-10 Thread rajesh reddy
Can somebody tell me where the source code implementation of the queue at the
network layer is in the Linux OS? I mean the .c and .h files that implement
the queue.

   


Re: [LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Radek 'Goblin' Pieczonka



> > Suppose I have 3 mail servers in the DMZ zone with one real IP, the same
> > situation as before. In that case, what can I do?
>
> You could use exim/postfix and route the mail to the right server, but I guess
> you are trying to find out how to have port 25 on the real IP NATed to one of
> the 3 DMZ IPs based upon the destination mail address.
>
> Short answer: you can't, as far as I know. iptables only looks at src IP / src
> port / dest IP / dest port. You could write your own plugin module to look into
> the TCP stream.

Routing based upon the destination email address/domain could be done by
Postfix, with transports sending selected mail/domains to selected servers. But
there is also the possibility of load balancing and failover for a set of
domains, with all servers serving all the domains, for HA and flexibility of
computing power; then I'd say take a look at keepalived for both those features.
For HTTP traffic it's actually the same, and you can also consider the Apache
reverse proxy feature.


--
Radek aka Goblin