
From: Chuck (chuck_at_sbbsnet.net)
Date: Tue 27 Sep 2005 - 12:46:25 BST


On Tuesday 27 September 2005 03:31 am, Dennis Roos wrote:
> On Sun, 2005-09-25 at 14:47 -0400, Chuck wrote:
> > On Saturday 24 September 2005 03:39 pm, Chuck wrote:
> >
> > Finally, with the help of the docs Bert pointed me to, and the help of someone
> > in the Gentoo network forum, it all works properly. The things I had to do
> > are listed below in case anyone else runs into the same problem. I could not
> > find any way to add the rules to the /etc/conf.d/net config file, so I
> > created a run script to do it.
> >
> >
> > I added the 3 values below to /etc/iproute2/rt_tables
> >
> > 34 34net
> > 39 39net
> > 172 pvtnet
> >
> > -----------------------
> >
> > prometheus ~ # cat /etc/conf.d/net
> > modules=( "iproute2" )
> >
> > config_eth0=( "64.113.34.5 netmask 255.255.255.0 broadcast 64.113.34.255" )
> > # one array per interface; a second routes_eth0=( ... ) line would replace the first
> > routes_eth0=(
> >     "64.113.34.0/24 src 64.113.34.5 table 34net"
> >     "default via 64.113.34.1 table 34net"
> > )
> >
> >
> > config_eth1=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
> > routes_eth1=(
> >     "172.30.0.0/24 src 172.30.0.50 table pvtnet"
> >     "default via 172.30.0.1 table pvtnet"
> > )
> >
> > config_eth2=( "64.113.39.254 netmask 255.255.255.0 broadcast 64.113.39.255" )
> > routes_eth2=(
> >     "64.113.39.0/24 src 64.113.39.254 table 39net"
> >     "default via 64.113.39.1 table 39net"
> > )
> >
> > --------------------------
> > script "iprules"
> > placed in /etc/init.d and added to default runlevel
> >
> > #!/sbin/runscript
> >
> > depend() {
> >     need net
> >     before svscan
> > }
> >
> > start() {
> >     ebegin "Setting iproute2 rules."
> >     # set up system default gateway
> >     /sbin/ip route add default via 64.113.34.1
> >     # set up rules
> >     /sbin/ip rule add from 64.113.34.5 table 34net
> >     /sbin/ip rule add from 172.30.0.50 table pvtnet
> >     /sbin/ip rule add from 64.113.39.254 table 39net
> >     eend 0
> > }
> If I am not mistaken you're missing 3 default gateways ;)
> The 'set up system default gateway' is the main gateway (when no other
> rules apply).
>

hmm. I was under the impression the std routing table goes screwy with 3
default gateways... so I set them up via tables.

routes_eth1=( "default via 172.30.0.1 table pvtnet" )

but I had to learn the basics of iproute2 in literally a day which was only
truly enough to get this running. I will add the 2 other system default
gateways and see how it goes.. I have to dig into routing in a big way in
the next few months, so it looks like I am going to be doing LOTS of
studying :)

btw, I have a way now of putting all rules inside the /etc/conf.d/net file
so I abandoned the iprule script. If you are interested in that I will post
it. The code to do so was given to me by one of the Gentoo developers when I
filed a 'suggestion bug'. I didn't even know you could put code into the net
file :)

So I can now do something like this:

config_eth1=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
routes_eth1=(
    "172.30.0.0/24 src 172.30.0.50 table pvtnet"
    "default via 172.30.0.1 table pvtnet"
)
rules_eth1=( "from 172.30.0.0/24 table pvtnet" )

> To choose a different default path per table one might use the following
> rules:
> ---%<-- cut here -->%----
> # Restrict traffic from 34net to table 34net
> ip rule add from 64.113.34.0/24 table 34net
> # Restrict traffic from 34net to table 34net and eth0
> ip route add 64.113.34.0/24 dev eth0 table 34net

the above methods in the net file now add the dev ethx to each line in their
parsing code.

> # Set default route for table 34net
> ip route add default via 64.113.34.1 dev eth0 table 34net
> ---%<-- cut here -->%----
>
> And repeat these rules for all tables used.
>
> <SNIP>
>
> > > start() {
> > >     ebegin "Setting /proc options."
> > >     /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> > >     /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> > >     /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> > >     /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> > >     /bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> > >     eend 0
> > > }
> You could add all these to /etc/sysctl.conf (which loads at boot time):
> ---%<-- cut here -->%----
> #/etc/sysctl.conf
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.tcp_syncookies = 1
> # END
> ---%<-- cut here -->%----
>
>
> A few others I use:
> ---%<-- cut here -->%----
> # /etc/sysctl.conf:
>
> # Disable packet forwarding
> net.ipv4.ip_forward = 0
>
> # Disable IP dynaddr
> net.ipv4.ip_dynaddr = 0
>
> # Disable ECN
> net.ipv4.tcp_ecn = 0
>
> # Enable reverse-path (source address) verification and disable source routing:
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.accept_source_route = 0
>
> # Disable ICMP echo-request altogether (use only if DOS'ed):
> #net.ipv4.icmp_echo_ignore_all = 1
>
> # Enable syn-cookies (prevent syn-flood attacks):
> net.ipv4.tcp_syncookies = 1
>
> # Reduce number of possible SYN Floods:
> net.ipv4.tcp_max_syn_backlog = 1024
>
> # Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
> net.ipv4.icmp_echo_ignore_broadcasts = 1
>
> # Ignore bogus ICMP error responses:
> net.ipv4.icmp_ignore_bogus_error_responses = 1
>
> # Protect against TIME-WAIT assassination hazards in TCP (RFC 1337):
> net.ipv4.tcp_rfc1337 = 1
> net.ipv4.tcp_timestamps = 0
>
> # Disable ICMP Redirect accept/send:
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
>
> # Log spoofed, source routed and redirect packets:
> net.ipv4.conf.all.log_martians = 1
>
> # Disables the magic-sysrq key
> #kernel.sysrq = 0
> kernel.vshelper = /usr/lib/util-vserver/vshelper
> ---%<-- cut here -->%----

Cool! I'll add this to my notes and begin using this file. Much more convenient
than stuffing an init script into the works..

>
> Just my $0.02

Thank you for the suggestions and information! And it's more like $2mil
worth :)

Chuck

>
> --
> Regards,
> Dennis Roos
>
> Network Engineer @ InTouch N.V.
> Middenweg 76
> 1097 BS Amsterdam
> Tel: +31 (0)20 6752060
> Fax: +31 (0)20 6758429
>
> -=[Assumption is the mother of all f*ckups]=-
>
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
>

-- 

Chuck

"...and the hordes of M$*ft users descended upon me in their anger, and asked 'Why do you not get the viruses or the BlueScreensOfDeath or insecure system troubles and slowness or pay through the nose for an OS as *we* do?!!', and I answered...'I use Linux'. " The Book of John, chapter 1, page 1, and end of book
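Added example, not part of this thread and not Gentoo's or util-vserver's code: a small POSIX shell script covering the two things the thread discusses. gen_policy_routing prints, for each uplink in a constructed UPLINKS table that mirrors the addresses above, the rule/route/default triple Dennis describes (one self-contained table per provider, plus a single main-table default), and audit_sysctl reads a sysctl.conf fragment on stdin and reports lines that are not in key = value form, values weaker than the thread's settings, and keys that are absent. The function names, the UPLINKS and EXPECTED layouts and the sample input are assumptions made here; the ip(8) commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the thread, Gentoo or util-vserver): generate
# per-uplink policy-routing commands and audit a sysctl.conf fragment.
# Addresses and tables are constructed to match the thread. Nothing here
# touches the kernel: the routing commands are only printed.

# Constructed uplink table: iface address/prefixlen gateway rt_table
UPLINKS='
eth0 64.113.34.5/24   64.113.34.1 34net
eth1 172.30.0.50/24   172.30.0.1  pvtnet
eth2 64.113.39.254/24 64.113.39.1 39net
'
MAIN_GW=64.113.34.1   # the one default that belongs in the main table

# cidr_network a.b.c.d/len -> network/len (shell arithmetic, IPv4 only)
cidr_network() {
    addr=${1%/*}; plen=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' "$(( n >> 24 ))" "$(( (n >> 16) & 255 ))" \
        "$(( (n >> 8) & 255 ))" "$(( n & 255 ))" "$plen"
}

# Print the ip(8) commands for every uplink. Each table carries its own
# connected route and its own default, so traffic sourced from one
# provider's address never falls through to another provider's gateway.
gen_policy_routing() {
    printf '%s\n' "$UPLINKS" | while read -r iface cidr gw table; do
        [ -n "$iface" ] || continue
        net=$(cidr_network "$cidr")
        echo "ip rule add from $net table $table"
        echo "ip route add $net dev $iface src ${cidr%/*} table $table"
        echo "ip route add default via $gw dev $iface table $table"
    done
    echo "ip route add default via $MAIN_GW"
}

# Expected hardened values, taken from the sysctl fragments in the thread.
EXPECTED='
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.log_martians 1
'

# audit_sysctl: read sysctl.conf text on stdin; print MALFORMED, WEAK and
# MISSING findings, one per line; exit status 0 only when there are none.
audit_sysctl() {
    findings=0; seen=' '
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *=*) ;;
            *) echo "MALFORMED: $line (sysctl expects key = value)"
               findings=$((findings + 1)); continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        seen="$seen$key "
        want=$(printf '%s\n' "$EXPECTED" | awk -v k="$key" '$1 == k { print $2 }')
        [ -z "$want" ] || [ "$val" = "$want" ] ||
            { echo "WEAK: $key = $val (want $want)"; findings=$((findings + 1)); }
    done
    # Anything in EXPECTED that never appeared is left at the kernel default.
    while read -r key want; do
        [ -n "$key" ] || continue
        case $seen in *" $key "*) ;;
            *) echo "MISSING: $key (want $want)"; findings=$((findings + 1)) ;;
        esac
    done <<EOF
$EXPECTED
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: the thread's first sysctl fragment, including the
# line that lacks its '='.
SYSCTL_FROM_THREAD='#/etc/sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
# END'

gen_policy_routing
printf '%s\n' "$SYSCTL_FROM_THREAD" | audit_sysctl || echo "sysctl audit: findings listed above"
```

Run as-is to see the generated commands and the audit of the thread's first fragment (it flags the line that lacks its `=` and the keys the fragment never sets). After reviewing the printed commands, `gen_policy_routing | sh` as root would apply them. Generating and then reading the output is the point: the `ip rule ... from` entries keyed on source address are what keep replies leaving through the provider they arrived from, and a missing `=` in sysctl.conf silently leaves a hardening knob at its kernel default.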
