iptables and ipsec
Libor Chocholaty
libor_ml1 at mts.cz
Tuesday January 17 16:11:47 CET 2006
Libor Chocholaty wrote:
>>> http://www.sibbald.com/unixutil/iptables-firewall.html
>>> http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm
>>> http://usenet.jyxo.cz/cz.comp.linux/0206/fwd-lartc-iptables-diagram.html
>>>
>>> http://www.fi.muni.cz/~kas/p090/referaty/2005-podzim/ct/firewall.html
>>> http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-5.html
>>>
>>>
>> Nice links, but what if I use IMQ and send packets to IMQ in
>> mangle POSTROUTING? I couldn't find anywhere where
>> mangle POSTROUTING is located.
>> I use IMQ for shaping across several interfaces and _almost_ everything
>> works as it should. Only the packets to which 1:1 NAT is applied seem
>> not to reach IMQ at all. My rules are as follows:
>>
>> heaven:~# iptables -t mangle -L -v
>> ---kraceno---
>> Chain POSTROUTING (policy ACCEPT 630M packets, 407G bytes)
>> target prot opt in out source destination
>> IMQ all -- any eth1 anywhere anywhere IMQ: todev 0
>> IMQ all -- any eth2 anywhere anywhere IMQ: todev 0
>> IMQ all -- any eth4 anywhere anywhere IMQ: todev 0
>>
>> and the NAT in question:
>> heaven:~# iptables -t nat -L -v
>> Chain PREROUTING (policy ACCEPT 11M packets, 851M bytes)
>> target prot opt in out source destination
>> DNAT all -- eth0 any anywhere vlada_pub to:vlada_lan
>> DNAT all -- eth0 any anywhere marvin_pub to:marvin_dummy
>>
>> Chain POSTROUTING
>> target prot opt in out source destination
>> SNAT all -- any eth0 vlada_lan anywhere to:vlada_pub
>> SNAT all -- any eth0 marvin_if1 anywhere to:marvin_pub
>> SNAT all -- any eth0 marvin_if2 anywhere to:marvin_pub
>>
>> Can anyone point me in the right direction?
>>
> I'll answer myself. It is caused by using the wrong hook for IMQ:
> .config contains: CONFIG_IMQ_BEHAVIOR_BA=y
> and the kernel:
> #if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
> printk(KERN_INFO "\tHooking IMQ before NAT on PREROUTING.\n");
>
So that wasn't it, because the BA (before-after) policy hooks _before_
NAT in PREROUTING and _after_ NAT in POSTROUTING, which should be fine and
should shape correctly according to the local addresses (eth0 goes to the
internet and eth1, eth2, eth4 to the local network), but it doesn't work.
What is also strange is that all traffic to which MASQUERADE is applied
(not shown in the original listing) is shaped correctly.
Do masquerade and DNAT take a different path?
DNAT is applied in PREROUTING, so anything after it should see the local
(non-public) addresses, i.e. the IMQ device too.
But something is wrong...
Libor