NAT & bash questions
Jordi Ferrando Fabra
jferrando at netplc.com
Fri Jan 27 09:37:06 UTC 2006
I use an init script I wrote myself to enable iptables at start-up:
/etc/init.d/iptables_tc:

#!/bin/sh
#
# iptables_tc - iptables/tc init script
#
# Written by Jordi Ferrando
# Debian etch
# jferrando at netplc.com

TC="/sbin/tc"
IPTABLES="/sbin/iptables"

start() {
    echo "Starting outbound shaping..."
    # Reset everything to a known state (cleared)
    # flush the rules
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -t nat -F
    # the mangle table has to be flushed too, otherwise every restart
    # appends a second copy of the MARK rules added further down
    $IPTABLES -t mangle -F
    # delete the whole class tree (quietly when none exists yet)
    $TC qdisc del dev eth0 root 2>/dev/null

    # Linux router with firewall and traffic shaping
    # (c) NETPLC, J.Ferrando, Jan-2005/1-Dec-2005
    # Interface eth0 192.168.7.5/255.255.255.248 (192.168.7.1 .. 192.168.7.6, broadcast 192.168.7.7, 192.168.7.0/29)
    #           eth1 192.168.8.5/255.255.255.0 (192.168.8.0/24, LAN)
    # Default gateway 192.168.7.1

    # DNAT tables
    # HTTP tcp/80
    $IPTABLES --table nat --append PREROUTING -i eth0 -d 192.168.7.5 -p tcp --dport 80 -j DNAT --to 192.168.8.5
    # (...)

    # Router SNAT for the LAN
    $IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

    # Firewall for network 192.168.8.0/24
    $IPTABLES -A FORWARD -s 192.168.8.5 -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.8.5 -j ACCEPT

    # services surera offers to the local network
    # DNS
    $IPTABLES -A INPUT -s 192.168.8.0/24 -i eth1 -p tcp --sport 53 -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.8.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.8.0/24 -i eth1 -p udp --sport 53 -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.8.0/24 -i eth1 -p udp --dport 53 -j ACCEPT
    # (...)

    # Internet access
    # portpascual
    $IPTABLES -A FORWARD -s 192.168.8.70 -i eth1 -m mac --mac-source 00:08:0D:C8:CE:D9 -j ACCEPT
    # (...)

    # Access to the server
    # per-computer exceptions
    # portpascual
    $IPTABLES -A INPUT -s 192.168.8.70 -i eth1 -m mac --mac-source 00:08:0D:C8:CE:D9 -j ACCEPT
    # (...)

    # Default policy INPUT
    $IPTABLES -A INPUT -s 192.168.8.0/24 -i eth1 -j DROP
    # Default policy FORWARD
    $IPTABLES -A FORWARD -s 192.168.8.0/24 -i eth1 -j DROP

    # Filtering for network 192.168.7.0/29
    $IPTABLES -A INPUT -s 192.168.7.1 -i eth0 -m mac --mac-source 00:13:49:19:BE:A4 -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.7.0/29 -i eth0 -j DROP

    echo 1 > /proc/sys/net/ipv4/ip_forward

    # tc "Traffic Control"
    # This command attaches queue discipline HTB to eth0 and gives it the "handle" 1:0
    # This is just a name or identifier with which to refer to it below. The default 20 means that
    # any traffic that is not otherwise classified will be assigned to class 1:20
    $TC qdisc add dev eth0 root handle 1:0 htb default 20
    #$TC class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit prio 1 burst 32k cburst 32k
    $TC class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit prio 1 burst 32k cburst 3200
    #$TC class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit prio 5 burst 16k cburst 16k
    $TC class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit prio 5 burst 16k cburst 1600
    #$TC class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit prio 10 burst 8k cburst 8k
    $TC class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit prio 10 burst 8k cburst 800
    #$TC class add dev eth0 parent 1:1 classid 1:15 htb rate 128kbit ceil 576kbit prio 15 burst 4k cburst 4k
    $TC class add dev eth0 parent 1:1 classid 1:15 htb rate 128kbit ceil 576kbit prio 15 burst 4k cburst 400
    #$TC class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit prio 20 burst 2k cburst 2k
    $TC class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit prio 20 burst 2k cburst 200
    #$TC class add dev eth0 parent 1:1 classid 1:25 htb rate 8kbit ceil 16kbit prio 25 burst 1k cburst 1k
    $TC class add dev eth0 parent 1:1 classid 1:25 htb rate 2kbit ceil 4kbit prio 25 burst 8 cburst 8
    #
    $TC qdisc add dev eth0 parent 1:5 handle 5:0 sfq perturb 10
    $TC qdisc add dev eth0 parent 1:10 handle 10:0 sfq perturb 10
    $TC qdisc add dev eth0 parent 1:15 handle 15:0 sfq perturb 10
    $TC qdisc add dev eth0 parent 1:20 handle 20:0 sfq perturb 10

    # mark traffic so the fw filters below can steer it into the classes
    $IPTABLES -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --sport 80 -j MARK --set-mark 10
    $IPTABLES -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 80 -j MARK --set-mark 10
    $IPTABLES -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --sport 443 -j MARK --set-mark 10
    $IPTABLES -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 443 -j MARK --set-mark 10
    # Privileged computers (whitelist)
    # surera
    $IPTABLES -A OUTPUT -t mangle -o eth0 --source 192.168.7.5 -j MARK --set-mark 5
    # (...)
    #
    $TC filter add dev eth0 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5
    $TC filter add dev eth0 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10
    $TC filter add dev eth0 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15
    $TC filter add dev eth0 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20
    $TC filter add dev eth0 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25

    # Print tc statistics
    #$TC -s -d class show dev eth0
    #$TC -s -d qdisc show dev eth0
    echo "Outbound shaping added to surera"
}

stop() {
    echo "stop ..."
    # Reset everything to a known state (cleared)
    # flush the rules
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    # delete the whole class tree
    $TC qdisc del dev eth0 root 2>/dev/null
    echo "Shaping removed on surera"
}

status() {
    echo "[iptables]"
    $IPTABLES -L -v -n
    $IPTABLES -L -v -n -t nat
    echo "---- qdisc parameters ----------"
    $TC qdisc ls dev eth0
    echo "---- Class parameters ----------"
    $TC class ls dev eth0
    echo "---- filter parameters ---------"
    $TC filter ls dev eth0
    # Print tc statistics
    echo "---- tc class statistics -------"
    $TC -s -d class show dev eth0
    echo "---- tc qdisc statistics -------"
    $TC -s -d qdisc show dev eth0
}

restart() {
    echo "restart ..."
    start
}

reload() {
    echo "reload ..."
    start
}

force_reload() {
    echo "force-reload ..."
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    force-reload)
        force_reload
        ;;
    *)
        echo "Usage: iptables_tc {start|stop|restart|reload|force-reload|status}"
        #echo "Usage: ${0##*/} {start|stop|restart|reload|status}"
        ;;
esac

exit 0
C Hamel wrote:
>(1) I have set up NAT on kubuntu the same as I did on three other distros
>-- and was delighted that I didn't have to roll my own kernel, this time! :-)
>The rub lies in the fact that I do not know where to save the iptables file.
>The command '/etc/init.d/iptables save' yields an error because the
>directory is not there. Obviously, the Debian architecture is different from
>Gentoo/SuSE/Red Hat, et al., and I am uncertain as to where to save the
>rules. Consequently (for now) I have unlocked root access to VTs & created
>the 'boot.local' file in /etc/init.d with the necessary commands in it, whose
>symlink resides in /etc/rcS.d (again, for now, hopefully) until I can find
>out where it actually belongs. I didn't find it in the docs. Did I miss
>something?
>
>(2) I like the screen to clear when I log out from a VT. SuSE had a neat
>file in /etc/bash called 'bash_logout' in which one could enter the word
>'clear' and that would happen automagically from then on. I emulated that
>w/Gentoo but it doesn't seem to work in Debian. Again, no /etc/bash
>directory and when it was created it was ignored.
>
>Anyone able to solve these issues will have my blessing. ;-)
>
>Thanks!
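The `--set-mark` values in the mangle table, the `fw` filter handles and the HTB `classid`s in a script like the one above have to line up three ways, and neither iptables nor tc warns when a mark has no filter or a filter points at a class nobody can reach. An added example (not part of the original post) that audits a constructed excerpt using the page's numbering for exactly those mismatches:

```python
"""Cross-check the mangle mark -> tc fw filter -> HTB class chain of a script
like the one above.  Added example, not from the original post.  SAMPLE is a
constructed excerpt: it leaves out class 1:15 and any rule setting mark 25."""
import re

SAMPLE = """
tc qdisc add dev eth0 root handle 1:0 htb default 20
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit
tc class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit
tc class add dev eth0 parent 1:1 classid 1:25 htb rate 2kbit ceil 4kbit
iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 80 -j MARK --set-mark 10
iptables -A OUTPUT -t mangle -o eth0 --source 192.168.7.5 -j MARK --set-mark 5
iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p udp --dport 53 -j MARK --set-mark 15
tc filter add dev eth0 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5
tc filter add dev eth0 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15
tc filter add dev eth0 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20
tc filter add dev eth0 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25
"""

MARK_RE = re.compile(r"-j MARK --set-mark (\d+)")
FILTER_RE = re.compile(r"handle (\d+) fw flowid 1:(\d+)")
CLASS_RE = re.compile(r"parent 1:(\d+) classid 1:(\d+) htb")
DEFAULT_RE = re.compile(r"htb default (\d+)")

def audit(script):
    """Return the mismatches found; an empty dict means the chain is closed."""
    marks = {int(m) for m in MARK_RE.findall(script)}
    filters = {int(h): int(c) for h, c in FILTER_RE.findall(script)}
    parents = {int(p) for p, _ in CLASS_RE.findall(script)}
    classes = {int(c) for _, c in CLASS_RE.findall(script)}
    default = {int(d) for d in DEFAULT_RE.findall(script)}
    problems = {
        # MARK with no fw filter: those packets silently land in the default class
        "mark_without_filter": sorted(marks - set(filters)),
        # filter pointing at a class that is never created: tc rejects the filter
        "filter_without_class": sorted(h for h, c in filters.items() if c not in classes),
        # filter whose mark nothing sets: the class can never carry traffic
        "filter_without_mark": sorted(set(filters) - marks - default),
        # leaf class that no filter and no default ever selects
        "class_unreachable": sorted(classes - set(filters.values()) - default - parents),
    }
    return {kind: ids for kind, ids in problems.items() if ids}

if __name__ == "__main__":
    for kind, ids in audit(SAMPLE).items():
        print(kind, ids)
```

Run it against the real script by reading the file into `audit()` instead of `SAMPLE`; the elided `(...)` sections of the post are where the missing pieces would normally live.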