
From: Dennis Roos (dennis_at_intouch.net)
Date: Tue 27 Sep 2005 - 08:31:30 BST


On Sun, 2005-09-25 at 14:47 -0400, Chuck wrote:
> On Saturday 24 September 2005 03:39 pm, Chuck wrote:
>
> Finally, with the help of the docs Bert pointed me to, and the help of someone
> in the Gentoo network forum, it all works properly. The contents of the
> things I had to do is listed below in case anyone else runs into the same
> problem. I could not find any way to add the rules to the /etc/conf.d/net
> config file, so i created a run script to do it.
>
>
> I added the 3 values below to /etc/iproute2/rt_tables
>
> 34 34net
> 39 39net
> 172 pvtnet
>
> -----------------------
>
> prometheus ~ # cat /etc/conf.d/net
> modules=( "iproute2" )
>
> config_eth0=( "64.113.34.5 netmask 255.255.255.0 broadcast 64.113.34.255" )
> routes_eth0=( "64.113.34.0/24 src 64.113.34.5 table 34net"
>               "default via 64.113.34.1 table 34net" )
>
>
> config_eth1=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
> routes_eth1=( "172.30.0.0/24 src 172.30.0.50 table pvtnet"
>               "default via 172.30.0.1 table pvtnet" )
>
> config_eth2=( "64.113.39.254 netmask 255.255.255.0 broadcast 64.113.39.255" )
> routes_eth2=( "64.113.39.0/24 src 64.113.39.254 table 39net"
>               "default via 64.113.39.1 table 39net" )
>
> --------------------------
> script "iprules"
> placed in /etc/init.d and added to default runlevel
>
> #!/sbin/runscript
>
> depend() {
> need net
> before svscan
> }
>
> start() {
> ebegin "Setting iproute2 rules."
> #set up system default gateway
> /sbin/ip route add default via 64.113.34.1
> # set up rules
> /sbin/ip rule add from 64.113.34.5 table 34net
> /sbin/ip rule add from 172.30.0.50 table pvtnet
> /sbin/ip rule add from 64.113.39.254 table 39net
> eend 0
> }
If I am not mistaken you're missing 3 default gateways ;)
The 'set up system default gateway' is the main gateway (when no other
rules apply).

To choose a different default path per table one might use the following
rules:
---%<-- cut here -->%----
# Restrict traffic from 34net to table 34net
ip rule add from 64.113.34.0/24 table 34net
# Restrict traffic from 34net to table 34net and eth0
ip route add 64.113.34.0/24 dev eth0 table 34net
# Set default route for table 34net
ip route add default via 64.113.34.1 dev eth0 table 34net
---%<-- cut here -->%----

And repeat these rules for all tables used.

<SNIP>

> > start() {
> > ebegin "Setting /proc options."
> > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> > /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> > /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> > /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> > /bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> > eend 0
> > }
You could add all these to /etc/sysctl.conf (which loads at boot time):
---%<-- cut here -->%----
#/etc/sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
# END
---%<-- cut here -->%----

A few others I use:
---%<-- cut here -->%----
# /etc/sysctl.conf:

# Disable packet forwarding
net.ipv4.ip_forward = 0

# Disable IP dynaddr
net.ipv4.ip_dynaddr = 0

# Disable ECN
net.ipv4.tcp_ecn = 0

# Enable source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0

# Disable ICMP echo-request altogether (use only if DOS'ed):
#net.ipv4.icmp_echo_ignore_all = 1

# Enable syn-cookies (prevent syn-flood attacks):
net.ipv4.tcp_syncookies = 1

# Reduce number of possible SYN Floods:
net.ipv4.tcp_max_syn_backlog = 1024

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable defrag error protection:
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Protect against time-wait assassination hazards in tcp (RFC 1337):
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0

# Disable ICMP Redirect accept/send:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Log spoofed, source routed and redirect packets:
net.ipv4.conf.all.log_martians = 1

# Disables the magic-sysrq key
#kernel.sysrq = 0
kernel.vshelper = /usr/lib/util-vserver/vshelper
---%<-- cut here -->%----

Just my $0.02

-- 
Regards,
Dennis Roos

Network Engineer @ InTouch N.V. Middenweg 76 1097 BS Amsterdam Tel: +31 (0)20 6752060 Fax: +31 (0)20 6758429

-=[Assumption is the mother of all f*ckups]=-
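The per-table pattern Dennis describes (one rule, one connected route and one default route per table, "repeated for all tables used") and the sysctl.conf check, as an added shell example that is not part of the thread or of any vserver/Gentoo script. It only prints the `ip` commands instead of running them, so it can be reviewed offline; the interface list and the sample sysctl.conf are constructed from the addresses in Chuck's config, and `sysctl_value` is a small awk parser of my own that mirrors what `sysctl -p` accepts (a `key value` line without `=` is rejected, which is the typo the reply's first config fragment contained).

```shell
#!/bin/sh
# Added example, not from the mailing list thread.

# Emit the three iproute2 commands for one source network / routing table.
# Usage: policy_route_cmds <network/cidr> <device> <gateway> <table>
policy_route_cmds() {
    net="$1"; dev="$2"; gw="$3"; table="$4"
    printf '%s\n' \
        "ip rule add from $net table $table" \
        "ip route add $net dev $dev table $table" \
        "ip route add default via $gw dev $dev table $table"
}

# Constructed interface list: network, device, gateway, table (from Chuck's config).
IFACES='64.113.34.0/24 eth0 64.113.34.1 34net
172.30.0.0/24 eth1 172.30.0.1 pvtnet
64.113.39.0/24 eth2 64.113.39.1 39net'

# Generate the commands for every table in IFACES.
all_policy_cmds() {
    printf '%s\n' "$IFACES" | while read -r net dev gw table; do
        [ -n "$net" ] || continue
        policy_route_cmds "$net" "$dev" "$gw" "$table"
    done
}

# One "default via" per table is what the reply points out was missing;
# this counts how many the generated command set contains.
count_defaults() {
    all_policy_cmds | grep -c 'route add default'
}

# Look up <key> in a sysctl.conf-style <file>. Prints the value and returns 0
# on a "key = value" line; returns 1 when the key is absent or the line has
# no "=" (sysctl -p reports such lines as malformed instead of applying them).
# Usage: sysctl_value <file> <key>
sysctl_value() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == k) {
                val = $2; gsub(/[[:space:]]/, "", val)
                print val; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample sysctl.conf, including the line that lacks "=".
SYSCTL_SAMPLE="$(mktemp)"
trap 'rm -f "$SYSCTL_SAMPLE"' EXIT
cat > "$SYSCTL_SAMPLE" <<'EOF'
# constructed sample, not a real host's file
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1
EOF

# When run directly: show the generated rules and audit the sample file.
all_policy_cmds
for key in net.ipv4.tcp_syncookies net.ipv4.conf.all.rp_filter \
           net.ipv4.icmp_echo_ignore_broadcasts; do
    if v="$(sysctl_value "$SYSCTL_SAMPLE" "$key")"; then
        echo "ok       $key = $v"
    else
        echo "MISSING  $key (absent or malformed line)"
    fi
done
```

Piping `all_policy_cmds` into `sh` would apply the rules; keeping the output as text first lets you diff it against `ip rule show` and `ip route show table <name>` on the host before touching anything.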

_______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver


Generated on Tue 27 Sep 2005 - 08:31:59 BST by hypermail 2.1.3