iptables and ipsec

Libor Chocholaty libor_ml1 at mts.cz
Tuesday January 17 16:11:47 CET 2006


Libor Chocholaty wrote:

>>> http://www.sibbald.com/unixutil/iptables-firewall.html
>>> http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm
>>> http://usenet.jyxo.cz/cz.comp.linux/0206/fwd-lartc-iptables-diagram.html 
>>>
>>> http://www.fi.muni.cz/~kas/p090/referaty/2005-podzim/ct/firewall.html
>>> http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-5.html
>>>
>> Nice links, but what if I use IMQ and send packets to IMQ in
>> mangle POSTROUTING? I could not find anywhere where
>> mangle POSTROUTING actually sits.
>> I use IMQ for shaping across several interfaces and _almost_ everything
>> works as it should. Only the packets to which 1:1 NAT is applied seem
>> never to reach IMQ at all. My rules are as follows:
>>
>> heaven:~# iptables -t mangle -L -v
>> ---truncated---
>> Chain POSTROUTING (policy ACCEPT 630M packets, 407G bytes)
>> target  prot opt in     out     source    destination
>> IMQ     all  --  any    eth1    anywhere  anywhere    IMQ: todev 0
>> IMQ     all  --  any    eth2    anywhere  anywhere    IMQ: todev 0
>> IMQ     all  --  any    eth4    anywhere  anywhere    IMQ: todev 0
>>
>> and the NAT in question:
>> heaven:~# iptables -t nat -L -v
>> Chain PREROUTING (policy ACCEPT 11M packets, 851M bytes)
>> target  prot opt in    out  source    destination
>> DNAT    all  --  eth0  any  anywhere  vlada_pub   to:vlada_lan
>> DNAT    all  --  eth0  any  anywhere  marvin_pub  to:marvin_dummy
>>
>> Chain POSTROUTING
>> target  prot opt in   out   source      destination
>> SNAT    all  --  any  eth0  vlada_lan   anywhere    to:vlada_pub
>> SNAT    all  --  any  eth0  marvin_if1  anywhere    to:marvin_pub
>> SNAT    all  --  any  eth0  marvin_if2  anywhere    to:marvin_pub
>>
>> Can anyone point me in the right direction?
>>
> I'll answer myself. It is caused by using the wrong hook for IMQ:
> .config contains: CONFIG_IMQ_BEHAVIOR_BA=y
> and the kernel:
> #if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
>       printk(KERN_INFO "\tHooking IMQ before NAT on PREROUTING.\n");
>
So that was not it, because the BA (before/after) policy hooks _before_
NAT in PREROUTING and _after_ NAT in POSTROUTING, which should be fine and
should shape correctly by local addresses (eth0 goes to the internet and
eth1, eth2 and eth4 to the local network), but it does not work. What is
more, it is strange that all traffic to which MASQUERADE applies (it was
not in the original listing) is shaped correctly. Do masquerade and DNAT
take a different path?
DNAT is applied in PREROUTING, so anything after it should see the local
(non-public) addresses, including the IMQ device.
But something is wrong...

Libor
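A quick way to check whether NAT'd traffic really reaches the IMQ rules in mangle POSTROUTING is to compare the rule counters before and after sending test traffic from the NAT'd host. The following added example (not from the thread above) parses two constructed snapshots of `iptables -t mangle -L POSTROUTING -v -n -x` output and reports the IMQ rules whose packet counters did not move; the counter values and the assumption that each IMQ rule is identified by its outgoing interface are mine.

```python
# Constructed snapshots of `iptables -t mangle -L POSTROUTING -v -n -x`,
# mirroring the three IMQ rules from the post. Counter values are invented.
SNAPSHOT_BEFORE = """\
Chain POSTROUTING (policy ACCEPT 630000000 packets, 407000000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  120000   90000000 IMQ        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
   80000   61000000 IMQ        all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
       0          0 IMQ        all  --  *      eth4    0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
"""

SNAPSHOT_AFTER = """\
Chain POSTROUTING (policy ACCEPT 630000800 packets, 407000600000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  120500   90400000 IMQ        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
   80200   61150000 IMQ        all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
       0          0 IMQ        all  --  *      eth4    0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
"""


def parse_verbose_listing(text):
    """Parse the rule lines of one chain from `iptables -L <chain> -v -n -x`.
    The 'Chain ...' header and the column-name line are skipped; rules are
    returned in chain order as dicts with integer counters."""
    rules = []
    for line in text.splitlines():
        fields = line.split(None, 9)      # max 10 fields; the 10th holds the target's options
        if len(fields) < 9 or not fields[0].isdigit():
            continue                      # header, column names or an empty line
        pkts, nbytes, target, prot, opt, ifin, ifout, src, dst = fields[:9]
        extra = fields[9].strip() if len(fields) > 9 else ""
        rules.append({"pkts": int(pkts), "bytes": int(nbytes), "target": target,
                      "prot": prot, "in": ifin, "out": ifout, "src": src,
                      "dst": dst, "extra": extra})
    return rules


def imq_packet_deltas(before_text, after_text):
    """Return {out_interface: packets gained} for every IMQ rule present in both
    snapshots. Assumption (as in the post): one IMQ rule per outgoing interface."""
    before = {r["out"]: r for r in parse_verbose_listing(before_text) if r["target"] == "IMQ"}
    after = {r["out"]: r for r in parse_verbose_listing(after_text) if r["target"] == "IMQ"}
    return {dev: after[dev]["pkts"] - before[dev]["pkts"] for dev in before if dev in after}


def stalled_imq_rules(before_text, after_text):
    """Outgoing interfaces whose IMQ counter did not move between the snapshots,
    i.e. whose traffic apparently never passes the mangle POSTROUTING IMQ hook."""
    return [dev for dev, delta in imq_packet_deltas(before_text, after_text).items() if delta == 0]
```

Take the same two snapshots of the nat POSTROUTING chain as well: if the SNAT counter for a host moves while its IMQ rule stays flat, the NAT'd packets are bypassing the mangle hook rather than the shaping rule being wrong.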
