unix:gateway

Differences

This shows you the differences between two versions of the page.

unix:gateway [2010/01/13 20:31]
robm
unix:gateway [2013/10/13 12:32]
robm [IP Forwarding and NAT]
Line 21: Line 21:
  node [shape=record]  node [shape=record]
  modem [label="{Modem|{<wan>WAN|<lan>LAN}}"]  modem [label="{Modem|{<wan>WAN|<lan>LAN}}"]
- gateway [label="{Gateway|{<lan>eth1|<uplink>eth0}}"]+ gateway [label="{Gateway|<eth0>eth0}"]
  switch [label="Switch"]  switch [label="Switch"]
 } }
Line 31: Line 31:
  modem:lan:e -> switch  modem:lan:e -> switch
  lan -> switch  lan -> switch
- switch -> gateway:lan:w + switch -> gateway:eth0:w
- gateway:uplink:e -> switch+
 } }
  
Line 40: Line 39:
 ^ Device ^ Notes ^ ^ Device ^ Notes ^
 | modem | ADSL modem with 1x phone line socket and 1x ethernet socket. Tends to get clogged for some reason (high latency, but connection stays up) | | modem | ADSL modem with 1x phone line socket and 1x ethernet socket. Tends to get clogged for some reason (high latency, but connection stays up) |
-| gateway | Fast desktop PC with two network adaptorsloads of RAM and nothing much to do |+| gateway | Linux host with *one* network adaptor, and nothing much to do |
 | LAN | 4 or so PCs, Wii, Xbox, couple of Nintendo DS consoles, etc | | LAN | 4 or so PCs, Wii, Xbox, couple of Nintendo DS consoles, etc |
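Review bot: in the new `gateway` row, `*one*` is not DokuWiki emphasis and will render as literal asterisks (the same `*not*` construction appears later in the Traffic Shaping prose); DokuWiki italics are `//one//` and bold is `**one**`, the form this page already uses in `**/etc/sysctl.conf**`.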
  
Line 63: Line 62:
  subgraph cluster_gateway_pc  subgraph cluster_gateway_pc
  {  {
- gateway_pc [shape=record,label="{<uplink>eth0: 192.168.1.3|{DNS|Traffic Shaping}|<lan>eth1: 192.168.1.2}"]+ gateway_pc [shape=record,label="{DNS|Traffic Shaping|<eth0>eth0: 192.168.1.2}"]
  label="Gateway PC"  label="Gateway PC"
  }  }
Line 73: Line 72:
 { {
 edge [arrowhead=none] edge [arrowhead=none]
-internet -> gateway_modem:wan +internet -> gateway_modem:eth0 
-gateway_modem:lan-> gateway_pc:uplink +gateway_modem:eth0-> gateway_pc:eth0 
-gateway_pc:lan -> lan [label="DNS, IP traffic"+gateway_pc:eth0 -> lan [label="DNS, IP traffic"
-gateway_modem:len -> lan [label="DHCP Only"]+gateway_modem:eth0 -> lan [label="DHCP Only"]
 } }
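Review bot: the interface rename in this hunk appears to have gone one node too far: `internet -> gateway_modem:eth0` and `gateway_modem:eth0 -> lan` address a port named `eth0` on the modem node, but if `gateway_modem` is a record like the `{Modem|{<wan>WAN|<lan>LAN}}` node in the first hunk, its ports are `wan` and `lan`, so those edges should stay `gateway_modem:wan` and `gateway_modem:lan` (the old `gateway_modem:len` was a typo for `lan`, not for `eth0`); only the `gateway_pc:uplink` / `gateway_pc:lan` endpoints needed to collapse to `gateway_pc:eth0`. Also, `label="DNS, IP traffic"` on the `gateway_pc:eth0 -> lan` edge has no closing `]`, unless that was lost in rendering.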
  
Line 86: Line 85:
   - PC broadcasts via DHCP for an IP address   - PC broadcasts via DHCP for an IP address
   - Modem (LAN, 192.168.1.1) responds with an IP address + static settings   - Modem (LAN, 192.168.1.1) responds with an IP address + static settings
-    * Gateway IP = Gateway (eth1, 192.168.1.2) +    * Gateway IP = Gateway (eth0, 192.168.1.2) 
-    * Primary DNS = Gateway (eth1, 192.168.1.2)+    * Primary DNS = Gateway (eth0, 192.168.1.2)
     * Secondary DNS = Modem (LAN, 192.168.1.1)     * Secondary DNS = Modem (LAN, 192.168.1.1)
   - User of PC starts to browse example.com   - User of PC starts to browse example.com
   - PC queries Gateway (eth1) for IP of example.com (1.2.3.4)   - PC queries Gateway (eth1) for IP of example.com (1.2.3.4)
     * If Gateway's DNS service does not know the IP it will contact the internet via Modem, as below     * If Gateway's DNS service does not know the IP it will contact the internet via Modem, as below
-  - PC connects to example.com (1.2.3.4) via Gateway (eth1, 192.168.1.2)+  - PC connects to example.com (1.2.3.4) via Gateway (eth0, 192.168.1.2)
   - Gateway applies traffic shaping   - Gateway applies traffic shaping
-  - Gateway (eth0) forwards the shaped traffic to Modem (LAN)+  - Gateway forwards the shaped traffic to Modem (LAN)
   - Modem (WAN) forwards connection to ISP   - Modem (WAN) forwards connection to ISP
   - ISP do their thing   - ISP do their thing
   - ISP sends response to Modem (WAN)   - ISP sends response to Modem (WAN)
-  - Modem (LAN) forwards response to Gateway (eth0) +  - Modem (LAN) forwards response to Gateway 
-  - Gateway (eth1) applies traffic shaping and forwards response to PC+  - Gateway applies traffic shaping and forwards response to PC
  
 ===== Configuration ===== ===== Configuration =====
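Review bot: step 4, `PC queries Gateway (eth1) for IP of example.com (1.2.3.4)`, still names `eth1` while every other step in this hunk was updated to `eth0` or had the interface dropped; with the gateway now on a single adaptor it should read `Gateway (eth0, 192.168.1.2)` to match steps 2 and 5.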
Line 164: Line 163:
 Kernel IP routing table Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
-192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0 +192.168.1.0     0.0.0.0         255.255.255.0            0        0 eth0
-192.168.1.0     0.0.0.0         255.255.255.0            0        0 eth1+
 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
 </code> </code>
  
 Important features: Important features:
-  * The modem is always accessed via interface ''eth0'' +  * All LAN traffic goes via ''eth0''
-  * All other LAN traffic goes via ''eth1''+
   * The rest (internet traffic) should be forwarded through 192.168.1.1 (Modem LAN)   * The rest (internet traffic) should be forwarded through 192.168.1.1 (Modem LAN)
  
-{{:unix:eth1_lan.png|GNOME Network Manager settings for eth1 (LAN)}}+Desired DNS server list: 
 +<code> 
 +# Generated by NetworkManager 
 +nameserver 127.0.0.1 
 +nameserver 192.168.1.1 
 +</code> 
 + 
 +Configuration files to edit: 
 + 
 +''/etc/dhcp3/dhclient.conf''((The ''<hostname>'' text is literal, it seems that dhclient expands this at the right time somehow)): 
 +<code> 
 +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; 
 + 
 +send host-name "<hostname>"; 
 +send dhcp-requested-address 192.168.1.2; 
 +supersede domain-name "local robmeerman.co.uk"; 
 +supersede routers 192.168.1.1; 
 +prepend domain-name-servers 127.0.0.1; 
 + 
 +request subnet-mask, broadcast-address, time-offset, routers, 
 +        domain-name, domain-name-servers, domain-search, host-name, 
 +        netbios-name-servers, netbios-scope, interface-mtu, 
 +        rfc3442-classless-static-routes, ntp-servers; 
 +</code> 
 + 
 + 
 +==== IP Forwarding and NAT ==== 
 +On-the-fly: 
 + 
 +Taken from [[http://www.technize.com/2007/05/03/configuring-a-nat-gateway-in-linux/]] 
 + 
 +<code sh> 
 +echo 1 > /proc/sys/net/ipv4/ip_forward 
 +</code> 
 + 
 +Persistent: 
 + 
 +Edit **/etc/sysctl.conf**: 
 +<code> 
 +# Uncomment the next line to enable packet forwarding for IPv4 
 +net.ipv4.ip_forward=1 
 +</code> 
 + 
 +=== Disabling ICMP Host Redirection === 
 + 
 +As you probably noticed from the physical topology diagram, there is only one network interface on the gateway PC, and so you may find that the gateway PC informs all of its clients that they can talk to the modem directly: 
 + 
 +<code> 
 +PING google.com (173.194.37.104) 56(84) bytes of data. 
 +From skuld.local (192.168.1.2): icmp_seq=1 Redirect Host(New nexthop: 192.168.1.1) 
 +64 bytes from lhr14s02-in-f104.1e100.net (173.194.37.104): icmp_seq=1 ttl=57 time=15.4 ms 
 +</code> 
 + 
 +This can be disabled on-the-fly via: 
 + 
 +<code> 
 +echo 0 sudo tee /proc/sys/net/ipv4/conf/*/accept_redirects 
 +echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/send_redirects 
 +</code> 
 + 
 +**Update 2013-10:** This guide used to update ''/proc/sys/net/ipv4/conf/all/accept_redirects'', but now uses ''*'' in place of ''all''. That was bad as the ''all'' configuration merely sets the default, but won't alter any existing interfaces. Thanks to [[http://unix.stackexchange.com/a/58081/22537|unix.stackexchange.com]] for this tip. 
 + 
 +Or permanently by adding the following to ''/etc/sysctl.conf''. Again, be on the safe side and explicitly name your interfaces: 
 + 
 +<code> 
 +net/ipv4/conf/all/accept_redirects = 0 
 +net/ipv4/conf/all/send_redirects = 0 
 +net/ipv4/conf/eth0/accept_redirects = 0 
 +net/ipv4/conf/eth0/send_redirects = 0 
 +</code> 
 + 
 +See http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/ 
 +==== DNS Service ==== 
 +<code>sudo aptitude install bind9</code> 
 + 
 +  - Enable caching 
 +    * ''sudoedit /etc/bind/named.conf.options'' 
 +    * Uncomment ''forwarder'' section and add ISP DNS server IPs: <code> 
 +    forwarders { 
 +        212.159.13.49; 
 +        212.159.13.50; 
 +    }; 
 +</code> 
 +    * ''sudo service bind9 restart'' 
 +  - Alias ''ikari.robmeerman.co.uk'' (real public domain name) to a private IP. (This is not required if you have ''search robmeerman.co.uk'' in ''/etc/resolv.conf''
 +    * ''sudoedit /etc/bind/named.conf.local'' 
 +    * <code> 
 +// LAN hosts 
 +zone "ikari.robmeerman.co.uk"
 +    type master; 
 +    file "/etc/bind/db.lan.ikari"; 
 +};    
 +</code> 
 +    * ''sudoedit /etc/bind/db.lan.ikari'' 
 +    * <code> 
 +
 +; BIND data file for local area network (LAN) 
 +;    
 +$TTL    604800 
 +@       IN      SOA     ns.localhost. root.localhost. ( 
 +                              1         ; Serial 
 +                         604800         ; Refresh 
 +                          86400         ; Retry 
 +                        2419200         ; Expire 
 +                         604800 )       ; Negative Cache TTL 
 +;    
 +@       IN      NS      ns.localhost. 
 + 
 +@       IN      A       192.168.1.2 ; Zone's address 
 +*       IN      A       192.168.1.2 ; Wildcard (all sub-domains) 
 +</code> 
 + 
 +==== Traffic Shaping ==== 
 +<code sh> 
 +sudo aptitude install wondershaper 
 + 
 +# Assuming downlink == 3712 kbps / uplink == 448 kbps 
 +sudo wondershaper eth0 $((3712*1000)) $((448*1000)) 
 +</code> 
 + 
 +I used to use Ubuntu's stock ''wondershaper'' package, but now use my own adaptation of it that does *not* shape or police LAN traffic. This allows my gateway PC to double as a file server: internet traffic is shaped and policed to match my ADSL line speeds, while file-server (local) traffic runs at gigabit speeds. 
 + 
 +<code sh> 
 +#!/bin/sh 
 + 
 +# Adapted from http://lartc.org/wondershaper/ 
 + 
 +DOWNLINK=$2 
 +UPLINK=$3 
 +DEV=$1 
 + 
 +if [ "x$DEV" = "x"
 +then 
 +    echo "Usage: $0 (DEV) [ 'clear' | (DOWNLINK UPLINK) ]" 
 +    exit 0 
 +fi 
 + 
 +# Display status when DOWNLINK/UPLINK are ommitted 
 +if [ "x$DOWNLINK" = "x"
 +then 
 +    tc -s qdisc ls dev $DEV 
 +    tc -s class ls dev $DEV 
 +    exit 0 
 +fi 
 + 
 +# Clear both IN and OUT 
 +tc qdisc del dev $DEV root    2> /dev/null > /dev/null || true 
 +tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null || true 
 + 
 +if [ "x$DOWNLINK" = "xclear"
 +then 
 +    echo "Cleared traffic rules on $DEV" 
 +    exit 0 
 +fi 
 + 
 +############################################################################### 
 +# UPLINK 
 + 
 +# Set root Queuing Discipline (qdisc) to Class Based Queuing (cbq) 
 +tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 1000mbit  
 + 
 +# Traffic is either headed to the gateway (i.e. internet traffic) or not.   
 +# Internet uplink is scarse, so aggresively shape it. LAN uplink is plentiful,  
 +# do not restrict it. 
 + 
 +# ============================================================================= 
 +# INTERNET GATEWAY: Shape to $UPLINK speed, this prevents huge queues in the  
 +# DSL modem that cause massive latency 
 +tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \ 
 +    allot 1500 prio 5 bounded isolated 
 + 
 +# High priority internet traffic 
 +tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \ 
 +   allot 1600 prio 1 avpkt 1000 
 +# .. and its actual queue that holds the packets 
 +tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10 
 + 
 + 
 +# Default priority internet traffic, bulk transfers. 
 +tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $((9*$UPLINK/10))kbit \ 
 +   allot 1600 prio 2 avpkt 1000 
 +# .. and its actual queue that holds the packets 
 +tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10 
 + 
 +# Low priority traffic. 
 +tc class add dev $DEV parent 1:1 classid 1:30 cbq rate $((8*$UPLINK/10))kbit \ 
 +   allot 1600 prio 2 avpkt 1000 
 +# .. and its actual queue that holds the packets 
 +tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10 
 + 
 +# ============================================================================= 
 +# LAN 
 +tc class add dev $DEV parent 1: classid 1:40 cbq rate 1000mbit \ 
 +    allot 1500 prio 5 borrow sharing 
 +tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10 
 + 
 +# ============================================================================= 
 +# Filters 
 + 
 +# LAN traffic ----------------------------------------------------------------- 
 +tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \ 
 +    match ip dst 192.168.0.0/16 flowid 1:40 
 +tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \ 
 +    match ip dst 10.0.0.0/8 flowid 1:40 
 +tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \ 
 +    match ip dst 172.16.0.0/12 flowid 1:40 
 + 
 +# Internet traffic ------------------------------------------------------------ 
 + 
 +# TOS Minimum Delay (ssh, NOT scp) in 1:10: 
 +tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \ 
 +      match ip tos 0x10 0xff  flowid 1:10 
 + 
 +# ICMP (ip protocol 1) in the interactive class 1:10 so we  
 +# can do measurements & impress our friends: 
 +tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \ 
 +        match ip protocol 1 0xff flowid 1:10 
 + 
 +# pablo.iranzo@uv.es provided a patch for the MLDonkey system 
 +# The MLDonkey uses small UDP packets for source propogation 
 +# which floods the wondershaper out. 
 +tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \ 
 +   match ip protocol 17 0xff \ 
 +   match ip sport 4666 0xffff \ 
 +   flowid 1:30  
 + 
 +# prioritize small packets (<64 bytes) 
 + 
 +tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \ 
 +   match ip protocol 6 0xff \ 
 +   match u8 0x05 0x0f at 0 \ 
 +   match u16 0x0000 0xffc0 at 2 \ 
 +   flowid 1:10 
 + 
 + 
 +#for a in $NOPRIOPORTDST 
 +#do 
 +# tc filter add dev $DEV parent 1: protocol ip prio 14 u32 \ 
 +#    match ip dport $a 0xffff flowid 1:30 
 +#done 
 +
 +#for a in $NOPRIOPORTSRC 
 +#do 
 +# tc filter add dev $DEV parent 1: protocol ip prio 15 u32 \ 
 +#    match ip sport $a 0xffff flowid 1:30 
 +#done 
 +
 +#for a in $NOPRIOHOSTSRC 
 +#do 
 +# tc filter add dev $DEV parent 1: protocol ip prio 16 u32 \ 
 +#    match ip src $a flowid 1:30 
 +#done 
 +
 +#for a in $NOPRIOHOSTDST 
 +#do 
 +# tc filter add dev $DEV parent 1: protocol ip prio 17 u32 \ 
 +#    match ip dst $a flowid 1:30 
 +#done 
 + 
 +# Internet traffic catch-all: bulk. 
 +tc filter add dev $DEV parent 1: protocol ip prio 18 u32 \ 
 +   match ip dst 0.0.0.0/0 flowid 1:20 
 + 
 + 
 +############################################################################### 
 +# DOWNLINK 
 +
 +# Limit downloads to slightly less than the maximum achievable speed. This  
 +# prevents a queues building up in the ISP (which is typically a huge FIFO),  
 +# and so reduces round-trip time; effectively reducing latency. 
 + 
 +# Ingress policer 
 +# (FYI: The term "shaping" only applied to egress traffic, "policing" is the  
 +# ingress equivalent) 
 + 
 +tc qdisc add dev $DEV handle ffff: ingress 
 + 
 +# LAN traffic is exempt from policing 
 +tc filter add dev $DEV parent ffff: protocol ip prio 40 u32 \ 
 +    match ip src 192.168.0.0/16 \ 
 +    police pass \ 
 +    flowid :1 
 +tc filter add dev $DEV parent ffff: protocol ip prio 40 u32 \ 
 +    match ip src 10.0.0.0/8 \ 
 +    police pass \ 
 +    flowid :1 
 +tc filter add dev $DEV parent ffff: protocol ip prio 40 u32 \ 
 +    match ip src 172.16.0.0/12 \ 
 +    police pass \ 
 +    flowid :1 
 + 
 +# Internet traffic that arrives too fast should be discarded 
 +tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 \ 
 +    match ip src 0.0.0.0/0 \ 
 +    police rate ${DOWNLINK}kbit burst 10k drop \ 
 +    flowid :1 
 +</code> 
 + 
 +==== Transparent Web Proxy ==== 
 + 
 +<code>sudo aptitude install squid</code> to install Squid v2.7. 
 + 
 +Then edit ''/etc/squid/squid.conf'' so that 
 +  - the ''http_port'' tag is set to ''http_port 3128 transparent'' 
 +  - the ''http_access allow localnet'' is uncommented 
 + 
 +Restart Squid (''sudo service squid restart'') and then foribly redirect web traffic to the proxy:
  
-{{:unix:eth0_plusnet.png|GNOME Network Manager settings for eth0 (WAN)}}+<code>iptables -t nat -A PREROUTING ! -d 192.168.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128</code>
  
 ===== The 1 NIC problem ===== ===== The 1 NIC problem =====
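Review bot: the first on-the-fly ICMP-redirect command under "This can be disabled on-the-fly via" is missing its pipe: `echo 0 sudo tee /proc/sys/net/ipv4/conf/*/accept_redirects` only prints the string `0 sudo tee ...` to the terminal and leaves `accept_redirects` unchanged, so it should read `echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/accept_redirects` like the `send_redirects` line beneath it. The 2013-10 update's advice to set both `all` and the named interface is right, and the reason is stronger than "`all` merely sets the default": for `send_redirects` the kernel treats an interface as sending redirects if either `conf/all/send_redirects` or `conf/eth0/send_redirects` is 1, so a zero in `all` alone does not stop the gateway advertising 192.168.1.1 to its clients (the `Redirect Host(New nexthop: 192.168.1.1)` line in the ping output), which would route them around the traffic shaping and the BIND forwarder this page sets up; the `accept_redirects = 0` setting is the client-side half of the fix, since it stops LAN hosts honouring redirects from any host on the segment, and the sysctl snippet could say it belongs on the clients as well as the gateway. In the Traffic Shaping section, `sudo wondershaper eth0 $((3712*1000)) $((448*1000))` passes 3712000 and 448000, but both the stock script and the adaptation below append `kbit` to the arguments (`cbq rate ${UPLINK}kbit`, `police rate ${DOWNLINK}kbit`), so the comment's 3712 kbps / 448 kbps values should be passed as they are (`sudo wondershaper eth0 3712 448`); as written the classes are rated at roughly 3.7 Gbit and 448 Mbit and shape nothing. Syntax to check in the pasted blocks: `zone "ikari.robmeerman.co.uk"` lacks the opening `{` before `type master;` (named will reject `named.conf.local`), the three `if [ "x$DEV" = "x"`-style tests in the shaper script lack their closing `]`, and the new `192.168.1.0` line in the routing table has an empty Flags column, unless these were lost in rendering. Finally, the Squid redirect `iptables -t nat -A PREROUTING ! -d 192.168.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128` intercepts port-80 traffic from every interface and source; on this one-NIC host that is only the LAN, but pinning it with `-i eth0 -s 192.168.1.0/24` keeps the rule from silently widening if a second interface is ever added, and `http_access allow localnet` should be confirmed to cover only 192.168.1.0/24, since `http_port 3128 transparent` also accepts ordinary forward-proxy connections. Prose typos in the added text: "scarse", "aggresively", "ommitted", "propogation", "foribly".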
unix/gateway.txt · Last modified: 2018/10/04 14:37 by robm