peterh - Linux - Blog - routing for a multihomed network

routing for a multihomed network

Thursday, November 8, 2007, 14:52 - Network
Posted by Administrator

Linux connected via two networkcards to two different providers.

You coud use source based routing or if you prefere to route some ports only to on provider
here is my solution. Usefull for a private VOIP-Provider having two links and uses one link for RTP and the other for SIP.

RTP_IF="eth0"
RTP_GW_IP="10.0.1.1"

iptables -F -t mangle

# mark incomming unmarked connection
iptables -t mangle -A PREROUTING -i $RTP_IF -m connmark ! --mark 1 -j CONNMARK --set-mark 0x1


# This is the most important rule for marked incomming and marked outgoing connections to set packet MARK for routing
iptables -t mangle -A OUTPUT -m connmark --mark 1 -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m mark --mark 0x1 -j ACCEPT


# mark outgoing connection and packet (my RTP Ports)
iptables -t mangle -A OUTPUT -p udp --sport 5000:5058 -m connmark ! --mark 1 -j CONNMARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p udp --sport 5000:5058 -m connmark --mark 1 -j MARK --set-mark 0x1


ip route flush table 1
ip route add default dev $RTP_IF via $RTP_GW_IP table 1
ip rule del fwmark 1 table 1
ip rule add fwmark 1 table 1
ip route flush cache

[ view entry ] ( 927 views ) | print article

Internetaccess via Huawei E220 UMTS/GPRS Modem

Monday, August 27, 2007, 16:52 - Network
Posted by Administrator

Kernel < 2.6.20 needs a udev rule:

http://www.kanoistika.sk/bobovsky/archi ... eiAktBbo.c

/etc/udev/rules.d/82-huawei220.rules

ACTION=="add", SUBSYSTEM=="usb_device", \
               ATTRS{idVendor}=="12d1", ATTRS{idProduct}=="1003", \
               RUN+="/usr/sbin/huaweiAktBbo"

/etc/ppp/peers/huawei

ttyUSB0
460800
idle 7200
lock
crtscts
modem
noauth
#usepeerdns    (sometimes i got no dns -> edit /etc/resolv.conf)
replacedefaultroute
defaultroute
noipdefault
noccp
nobsdcomp
novj
user "web"
password "web"
connect /etc/ppp/peers/huawei-chat
disconnect /etc/ppp/peers/disconnect-chat
ipcp-restart 8
ipcp-max-configure 30
ipcp-accept-local
ipcp-accept-remote
noipv6
noipx
mtu 1420
connect-delay 10000
noproxyarp
novjccomp
updetach
debug

/etc/ppp/peers/huawei-chat

exec chat                                   \
  TIMEOUT   5                               \
  ECHO      ON                              \
  ABORT     '\nBUSY\r'                      \
  ABORT     '\nERROR\r'                     \
  ABORT     '\nNO ANSWER\r'                 \
  ABORT     '\nNO CARRIER\r'                \
  ABORT     '\nNO DIALTONE\r'               \
  ABORT     '\nRINGING\r\n\r\nRINGING\r'    \
  ''        \rATZ                           \
  TIMEOUT   3                              \
  SAY       "Press CTRL-C to close the connection at any stage!"  \
  SAY       "\ndefining PDP context...\n"   \
  OK        "AT+CPIN?"                      \
  READY-AT+CPIN="XXXX"- \c                  \
  OK        AT+CPIN?                        \
  READY     \c                              \
  OK        "ATE1V1&D2&C1S0=0+IFC=2,2"      \
  OK        AT+CGDCONT=1,\"IP\",\"fullspeed\" \
  OK        ATD*99***1#                     \
  TIMEOUT   22                              \
  SAY       "\nwaiting for connect...\n"    \
  CONNECT   ""                              \
  SAY       "\nConnected."                  \
  SAY       "\nIf the following ppp negotiations fail,\n"   \
  SAY       "try restarting the phone.\n"

/etc/ppp/peers/disconnect-chat

exec /usr/sbin/chat -V -s -S    \
ABORT           "BUSY"          \
ABORT           "ERROR"         \
ABORT           "NO DIALTONE"   \
SAY             "\nSending break to the modem\n"        \
""              "\K"            \
""              "\K"            \
""              "\K"            \
""              "\d\d+++\d\dATH"        \
SAY             "\nPDP context detached\n"

/etc/network/interfaces

allow-hotplug huawei
iface huawei inet ppp
        provider huawei

http://wwwu.uni-klu.ac.at/agebhard/HuaweiE220/
http://linux.frankenberger.at/Huawei_E220.html
http://oozie.fm.interia.pl/pro/huawei-e220/

Often DNS is not set during PPP connection. A workaround is

/etc/ppp/options:
ipcp-max-failure 30

[ view entry ] ( 907 views ) | print article

blocking ads with squid

Friday, June 22, 2007, 13:50 - Network
Posted by Administrator

/etc/squid/squid.conf

+acl ads dstdom_regex -i "/etc/squid.adservers"
+http_access deny ads

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

update-squid-adservers.sh:

#!/bin/sh

### short script that downloads a list of ad servers for use with
### squid to block ads.
###
### details on configuring squid itself can be found here:
###
###    http://pgl.yoyo.org/adservers/#withsquid
###
### - originally by Stephen Patterson <steve@lexx.uklinux.net>
### - butchered by Peter Lowe <pgl@yoyo.org>
###

## set things
##

# URL of the ad server list to download
#listurl='http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml'
listurl='http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex;showintro=0'
# location of the list of ad servers used by Squid
targetfile='/etc/squid.adservers'

# location of a file where hostnames not listed can be added
extrasfile='/etc/squid-extra.adservers'

# command to reload squid - change according to your system
reloadcmd='/etc/init.d/squid reload'

# temp file to use
tmpfile="/tmp/.adlist.$$"

# command to fetch the list (alternatives commented out)
fetchcmd="wget -q $listurl -O $tmpfile"
#fetchcmd="lynx -dump $listurl > $tmpfile"
#fetchcmd="fetch -qo $tmpfile $listurl"


## do things
##

# get a fresh list of ad server addresses for squid to refuse
$fetchcmd

# add the extras
[ -f "$extrasfile" ] && cat $extrasfile >> $tmpfile

# check the temp file exists OK before overwriting the existing list
if [ ! -s $tmpfile ]
then
        echo "temp file '$tmpfile' either doesn't exist or is empty; quitting"
        exit
fi

# sort and filter out duplicates
sort $tmpfile > $targetfile

# clean up
rm $tmpfile

# delete needed trackers
#sed -i -e '/etracker\\\.de/d' -e '/sitestat\\\.com/d' $targetfile

# restart Squid
$reloadcmd

[ view entry ] ( 1349 views ) | print article

Internetaccess via modem

Thursday, June 21, 2007, 16:59 - Network
Posted by Administrator

apt-get install ppp

edit /etc/ppp/pap-secrets

/etc/network/interfaces

auto modem
iface modem inet ppp
        provider modem

/etc/ppp/peers/modem

ttyS0
38400
connect "/usr/sbin/chat -v -f /etc/ppp/peers/modem.chat"
disconnect "/usr/sbin/chat -v -f /etc/ppp/peers/modem.hangup"

192.168.1.3:192.168.1.1

user USERNAME
noauth
asyncmap 0
crtscts
lock
modem
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noproxyarp
noipx
noipv6
nodefaultroute
mru 542

debug
#updetach

demand
idle 120
holdoff 10

/etc/ppp/peers/modem.chat

ABORT        BUSY
ABORT        "NO CARRIER"
ABORT        VOICE
ABORT        "NO DIALTONE"
SAY          "\nConnecing..."
""           ATDTnumber
TIMEOUT      90
CONNECT      ""
SAY          "\nConnected.

/etc/ppp/peers/modem.hangup

"" '\K\d'
"" '+++\d'
"" 'ATH\d'
"" 'ATZ'

[ view entry ] ( 1177 views ) | print article

Internetaccess via ISDN

Thursday, June 21, 2007, 16:09 - Network
Posted by Administrator

apt-get install isdnutils-base

isdnconfig - choose 1, ippp1 to prevent default gateway to ippp0

/etc/isdn/device.ippp1:

edit all lines marked with XXX_:

LOCALIP=
REMOTEIP=AAA.BBB.CCC.DDD
LOCALMSN=''
REMOTEMSN=XXXXX
LEADINGZERO=''
# FIREWALL RULES (start)
iptables -A OUTPUT -o $device -p tcp --dport 22 -j ACCEPT
# FIREWALL RULES (stop)
iptables -D OUTPUT -o $device -p tcp --dport 22 -j ACCEPT

only ssh should trigger a dialout

/etc/isdn/ipppd.ippp1:

-pap
+chap
name USERNAME
noccp
nolzs
noipdefault
nodefaultroute
mru 1524
mtu 1500
ipcp-accept-local
ipcp-accept-remote
useifip

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses

USERNAME   *   PASSWORD

[ view entry ] ( 855 views ) | print article

<<First <Back | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | Next> Last>>