Friday, May 26, 2006

bond0 interface

In the example below, the bond0 interface is the master (MASTER) while eth0 and eth1 are slaves (SLAVE). Notice that all slaves of bond0 have the same MAC address (HWaddr) as bond0; this holds for all bonding modes except TLB and ALB, which require a unique MAC address for each slave.

# /sbin/ifconfig
bond0     Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
          inet addr:XXX.XXX.XXX.YYY  Bcast:XXX.XXX.XXX.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:7224794 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3286647 errors:1 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:0

eth0      Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
          inet addr:XXX.XXX.XXX.YYY  Bcast:XXX.XXX.XXX.255  Mask:255.255.252.0
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:3573025 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1643167 errors:1 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x1080

eth1      Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
          inet addr:XXX.XXX.XXX.YYY  Bcast:XXX.XXX.XXX.255  Mask:255.255.252.0
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:3651769 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1643480 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x1400
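As an added check (example code written for this post, not part of the original), the following Python parses net-tools ifconfig output like the listing above and verifies that every SLAVE shares the master's MAC in the modes that require it, and does not in balance-tlb/balance-alb (the bonding driver's names for TLB and ALB); it also surfaces per-slave TX errors, since a slave's errors show up in the master's totals. It assumes a single bond on the host (so every SLAVE-flagged interface belongs to bond0) and the classic net-tools output format; the sample output is constructed from the listing above.

```python
import re
# Constructed sample modelled on the ifconfig output in the post (RX lines dropped).
SAMPLE = """\
bond0     Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          TX packets:3286647 errors:1 dropped:0 overruns:1 carrier:0

eth0      Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          TX packets:1643167 errors:1 dropped:0 overruns:1 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:C0:F0:1F:37:B4
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          TX packets:1643480 errors:0 dropped:0 overruns:0 carrier:0
"""

def parse_ifconfig(text):
    """Map interface name -> {hwaddr, flags, tx_errors} from net-tools ifconfig output."""
    ifaces = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = re.match(r"(\S+)\s+Link encap:\S+\s+HWaddr\s+(\S+)", lines[0])
        if not head:  # e.g. loopback, which has no HWaddr
            continue
        entry = {"hwaddr": head.group(2).upper(), "flags": set(), "tx_errors": 0}
        for s in (ln.strip() for ln in lines[1:]):
            if "MTU:" in s:  # flag line: "UP BROADCAST ... MTU:1500  Metric:1"
                entry["flags"] = set(s.split("MTU:")[0].split())
            elif s.startswith("TX packets:"):
                entry["tx_errors"] = int(re.search(r"errors:(\d+)", s).group(1))
        ifaces[head.group(1)] = entry
    return ifaces

def check_bond(ifaces, master="bond0", mode="active-backup"):
    """Findings list (empty == consistent); assumes one bond, so every SLAVE belongs to master."""
    m = ifaces.get(master)
    if m is None or "MASTER" not in m["flags"]:
        return [f"{master}: missing or not flagged MASTER"]
    shared_mac = mode not in ("balance-tlb", "balance-alb")  # bonding driver mode names
    slaves = {n: i for n, i in ifaces.items() if "SLAVE" in i["flags"]}
    findings = [] if slaves else [f"{master}: no SLAVE interfaces found"]
    for name, i in slaves.items():
        same = i["hwaddr"] == m["hwaddr"]
        if shared_mac and not same:
            findings.append(f"{name}: HWaddr {i['hwaddr']} differs from {master}")
        elif not shared_mac and same:
            findings.append(f"{name}: shares {master}'s MAC but {mode} needs unique MACs")
        if i["tx_errors"]:
            findings.append(f"{name}: TX errors:{i['tx_errors']}")
    return findings
```

On a live host, feed it the output of `/sbin/ifconfig` instead of SAMPLE; on the listing above it reports only eth0's single TX error.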

Monday, May 22, 2006

squid and iptables - revisited

One of the best combinations for an internet-connected LAN is squid, a proxy server, together with iptables, a packet-filtering ruleset. In practice this combination is used to set up a transparent proxy for one or more LANs.

iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
The command above is for a LAN (192.168.0.0/24) connecting to the internet through a proxy server listening on port 3128.

To send HTTPS through the proxy as well (it is not actually proxied, since encrypted packets cannot be inspected; they are just forwarded), the command is as follows:
iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3128
You can NOT do the same for FTP (port 21). For FTP, you have to enter the proxy address for the FTP protocol manually in your browser's connection settings.

With the command above executed on the proxy server (a.k.a. the firewall), the PCs in the LAN do not need to be configured one by one to use the proxy server. Less work for the system/network administrator :). They are said to be connected to the internet through the proxy server transparently. Now you got it? :)

There is one more way to handle HTTPS connections. Instead of going through squid, you can also NAT them. Drop the HTTPS command above and use this:

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j SNAT --to 111.222.333.444
where 111.222.333.444 stands for your proxy server's public IP address.

It is up to you which way you want to use. I can say that from my experience there's no noticeable difference in terms of performance. If you do not agree, please do not hesitate to write a comment and state your experience.