Forum Replies Created
From the image you linked to it looks like you found one of the documents I have been learning from. 🙂
I haven’t played much with the nat tables so I don’t have personal experience with the REDIRECT target. I did find this however: http://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html and it says
The REDIRECT target is used to redirect packets and streams to the machine itself.
So it would seem that filter target is not doing what you want. I am guessing, and I emphasize the word guessing, that you would need to NAT those packets to get them to your desired destination and also to have the returned packets get back to your original LAN client machine. Not sure if masquerade or SNAT is needed. (Like I wrote, I haven’t done much with NAT other than follow a couple of cookbooks.)
And I don’t see how using alternative ports actually fixes your problem.
Thanks. I should practice my reading skills… the thing about the redirect target was clearly in the manual.
Using alternative ports MIGHT have an impact… I know it’s possible to have some kind of redirector add-on for Firefox. I click a link “www.zeroshell.net” and the redirector changes the address to “www.zeroshell.net:1235”. If the requests that have port 1235 as the destination port are matched to go out of a specific gateway and the destination port is then changed back to 80, I have a way to manually select a static target gateway.
I think that SNAT in postrouting won’t work… because I don’t know the destination IP address and I have dynamic WAN IP addresses.
I only want to modify the outgoing IP packet’s destination port field.
I could use some help with iptables. As in, can it do the routing I described in the first post of this thread?
I don’t know much about iptables, but I have some spare time so tinkering around with iptables is an option to pass the time…
Please point out the faults why this wouldn’t work:
– I type http://www.google.com:1235 on a web browser
– ZS receives the request (random source port, destination port 1235)
– Using the above packet flow diagram, I’d suspect that the packet is first checked against the mangle table’s prerouting chain.
– Prerouting chain jumps to NetBalancer chain
– NetBalancer chain marks the connection (source: LAN IP address, destination anywhere, protocol tcp, destination port 1235) to go out of specified gateway
– Next the packet is matched against the nat table’s prerouting chain, which has a rule in the vein of:
iptables -t nat -A PREROUTING -p tcp -i ETH00 -s [lan ip address] --dport 1235 -j REDIRECT --to-ports 80
The HTTP request should now leave as “www.google.com:80”.
The above iptables command doesn’t work though… but why doesn’t it?
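Added example, not code from the thread or from Zeroshell: the rule set behind the "destination port 1235 selects a gateway" scheme laid out in the post, written in netfilter traversal order for a packet arriving from the LAN. The one deliberate difference from the post's rule is the port rewrite: DNAT with a port-only target changes just the destination port, while REDIRECT (as the documentation quoted earlier in the thread says) sends the packet to the router itself. Every name is a placeholder: LAN interface ETH00, LAN client 192.168.0.10, fwmark 0x3, routing table 103 and a gateway 10.0.3.1 behind ETH03; Zeroshell's own NetBalancer chain is not reproduced, the MARK/CONNMARK rules stand in for it.

```shell
#!/bin/sh
# Added example, not from the thread or from Zeroshell. Placeholder names:
# LAN interface ETH00, LAN client 192.168.0.10, fwmark 0x3, routing table 103,
# gateway 10.0.3.1 reached through ETH03.
LAN_IF=ETH00
LAN_CLIENT=192.168.0.10
TRIGGER_PORT=1235
MARK=0x3
TABLE=103
GW_IF=ETH03
GW_ADDR=10.0.3.1

# Commands are printed for review unless APPLY=1 is set, so the rule set can
# be read and checked on a machine without root or iptables.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

emit_rules() {
    # 1. mangle PREROUTING: restore any saved connection mark; for a NEW
    #    connection from the client to the trigger port, set the mark and save
    #    it on the conntrack entry so later packets of the flow keep it.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_CLIENT" \
        -p tcp --dport "$TRIGGER_PORT" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark "$MARK" \
        -j CONNMARK --save-mark

    # 2. nat PREROUTING: DNAT with a port-only target rewrites just the
    #    destination port, so the packet still heads for the original host
    #    on port 80. REDIRECT would change the destination address to this
    #    box instead, which is what the quoted documentation describes.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_CLIENT" \
        -p tcp --dport "$TRIGGER_PORT" -j DNAT --to-destination :80

    # 3. routing decision: marked packets consult a table whose only default
    #    route is the chosen gateway. MASQUERADE on that interface is needed
    #    because the WAN address is dynamic, so replies come back correctly.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW_ADDR" dev "$GW_IF" table "$TABLE"
    run iptables -t nat -A POSTROUTING -o "$GW_IF" -j MASQUERADE
}

# Number of commands the script would issue (7 with the rules above).
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

emit_rules
```

Run it as is to review the commands; run it with APPLY=1 as root to install them. The CONNMARK save/restore pair is what keeps the whole connection, not just its first packet, on the chosen gateway.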
In another thread ppalias said he used a set of NetBalance rules to basically divide the IP address range into two halves when considering HTTP/S connections. One half he always routes through one interface, the other half through the other.
As long as the rules for HTTP are the same as for HTTPS then the site would see the same IP from you for both protocols.
You have three interfaces which does not work into powers of two very well. But maybe dividing things like this might work:
IP range: 0.0.0.0/2 use interface 1
IP range: 184.108.40.206/2 use interface 2
IP range: 220.127.116.11/2 use interface 3
IP range: 192.0.0.0/4 use interface 1
IP range: 18.104.22.168/4 use interface 2
IP range: 22.214.171.124/4 use interface 3
IP range: 240.0.0.0/4 pick an interface
(I hope I have those subnet ranges close.)
Anyway that would roughly spread your HTTP/S traffic equally among the three interfaces based on the destination address. (5/16s of the traffic on two interfaces and 6/16s of the traffic on the third).
Assuming that the HTTPS and HTTP servers are in the same general part of the IP address range, whatever route is picked for your HTTPS session would be the same route for the HTTP session.
I hope that we can figure out how to make routing decisions for destinations “sticky” which would solve this problem for everyone without resorting to this type of hack.
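Added example, not code from the thread: a script that turns a destination-prefix to interface plan into fwmark rules for HTTP and HTTPS and reports the share of the IPv4 space each interface receives. The plan is my reconstruction of the list above as aligned /2 and /4 networks (with 240.0.0.0/4 handed to interface 1) and is an assumption, as are the LAN interface name ETH00 and the "mark N uses routing table 10N" convention. The alignment check matters because a rule written with a misaligned prefix matches a different range than the one intended.

```shell
#!/bin/sh
# Added example, not from the thread. PLAN is a reconstruction (assumed):
# "prefix interface" pairs, aligned /2 and /4 networks only.
LAN_IF=ETH00
PLAN='0.0.0.0/2 1
64.0.0.0/2 2
128.0.0.0/2 3
192.0.0.0/4 1
208.0.0.0/4 2
224.0.0.0/4 3
240.0.0.0/4 1'

# Dotted quad -> unsigned 32-bit integer (relies on 64-bit shell arithmetic,
# which dash and bash provide).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when "a.b.c.d/n" is a properly aligned network, i.e. no host bits set.
prefix_aligned() {
    net=${1%/*}
    len=${1#*/}
    mask=$(( (1 << (32 - len)) - 1 ))
    [ $(( $(ip2int "$net") & mask )) -eq 0 ]
}

# Share of the IPv4 space sent to interface $1, in 65536ths: a /n prefix
# covers 65536 >> n of them (/2 = 16384, /4 = 4096).
share_of() {
    total=0
    while read -r prefix iface; do
        [ "$iface" = "$1" ] || continue
        prefix_aligned "$prefix" || { echo "misaligned prefix: $prefix" >&2; return 1; }
        total=$(( total + (65536 >> ${prefix#*/}) ))
    done <<EOF
$PLAN
EOF
    echo "$total"
}

# Print, for review, the mangle rules that mark HTTP/S by destination prefix
# plus one policy-routing rule per interface. Table 10N is expected to hold
# the default route of interface N.
emit_rules() {
    while read -r prefix iface; do
        prefix_aligned "$prefix" || return 1
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -d $prefix -p tcp -m multiport --dports 80,443 -j MARK --set-mark $iface"
    done <<EOF
$PLAN
EOF
    for iface in 1 2 3; do
        echo "ip rule add fwmark $iface table 10$iface"
    done
}

for i in 1 2 3; do
    echo "interface $i: $(share_of "$i")/65536 of the address space"
done
```

With the plan as written the shares come out as 24576, 20480 and 20480 sixty-five-thousand-five-hundred-thirty-sixths, i.e. 6/16, 5/16 and 5/16, which matches the totals given in the post.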
Well, that would work but doesn’t it nullify the point of having a load balancer 😕 Except in the case that connections are spread evenly over the 0.0.0.0-255.255.255.255 range.
I thought about adding a third NIC in the ZS box, which would have been statically routed to use a specific connection. But then I’d have to fiddle with gateway settings every time I want to use this “sticky” connection. And then ALL traffic would have been routed through this connection. As far as I know, I can’t bind any web browser to use a certain network interface…
But the manual gateway switching has some applications. If I could specify the target gateway from LAN, for example I could start 3 parallel downloads from certain services that don’t allow parallel downloads.
Wouldn’t it just be easier to have a pre-routing rule that looks at the destination IP and port (80) and sets the fwmark associated with routing to your gateway of choice? If rapidshare uses more than one IP address and they are all in a small range then you could open up that IP address to be a subnet.
This list http://forums.peerblock.com/read.php?12,3963 seems to be quite valid.
It is possible to enter all IP ranges in the net balancer config but even so, only rapidshare will work. Some forums will also need the IP address to be “static”. I think it would be smarter to have a way of choosing the gateway per request.
But is this even an iptables/routing question (as in “can it do it?”) or do I need to consider some kind of proxying?
I am new to zeroshell, but not to Linux or kernel compiling. Therefore I can only offer generic advice, but I noticed that you have not received a reply, so, here it goes.
The first thing you need to ask is: what is your hardware that you are compiling the kernel for?
If it does not match the unit you are compiling from, then you will need a cross-compiler. Also, not so much with the kernel, but if you are not using the same version of linux to compile with, then you will most likely need a tool-kit and the appropriate libraries to match the version of zeroshell you are using.
Very often, new users will find it easier to recompile the kernel and other software directly on the target system. This can take *forever* if it is an embedded system, but will almost always give you the correct software, linked to the correct libraries. In the kernel’s case, it can be *much* easier than setting up the cross compiler for the novice.
If you are certain that you are compiling for the correct architecture, then check to ensure that you are starting from the correct configuration file. Copy the original configuration file (usually aptly named in the distribution’s kernel source package) to .config and then do your make menuconfig. Check to make sure that all your target hardware is supported. It looks to me from your error messages that it is not finding your root file system – which is either a problem with the bootloader/kernel boot parameters, or with your initial ramdisk, or with the kernel itself not having the correct devices loaded. If they are not compiled monolithically into the kernel, then you have to be sure they are loaded into the initrd *and* the root file system, and that the initrd loads them properly, or else it will never find the root file system.
I realize that this is pretty generic, and may not be much help, but I hate seeing posts with no reply.
Thank you for your reply.
The earlier problem was simple – I just forgot to issue the rdev command, so the kernel tried to boot from the wrong partition.
Recompiling the kernel wasn’t much use though… The problem lies in the libc/gcc utilities. My findings are reported here: http://zeroshell.net/eng/forum/viewtopic.php?t=1997
I dived into some dumpsters and luckily found a working PII MMX CPU and mobo. As it’s i686, zeroshell runs fine with it.
OK, this is actually NOT a bug…
The kernel works fine (probably it has i386 support); recompiling it for the K6-2 doesn’t make a difference. We have a crash upon running init.
The K6-2 is an i586 architecture machine and doesn’t have the CMOV instruction. The libc and gcc utils are built for the i686 architecture and they use CMOV instructions, which results in a hang or a kernel panic on i586 machines.
So AFAIK, all K6(-II/-III) machines, VIA C3 machines and all other processors without the CMOV instruction won’t work. This information should be in the “hardware compatibility” list.
As a feature request, it shouldn’t be impossible to recompile stuff for i586/i386, and someone really should make a howto for it…
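Added example, not from the thread or from Zeroshell: a small preflight check that reads /proc/cpuinfo-style text and reports whether the CPU advertises the cmov flag that i686-built userland may depend on, so the mismatch described above can be spotted before a box hangs at init. The two cpuinfo excerpts are constructed for illustration (abridged, not real dumps), and the i586/i686 labels are this script's own convention.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a CPU from /proc/cpuinfo text
# read on stdin: "i686" if the flags line carries cmov, otherwise "i586".
# Usage on a live system: cpu_class < /proc/cpuinfo

cpu_class() {
    # Take the first "flags" line, split it into words, look for exactly "cmov"
    # (so a flag that merely starts with "cmov" does not count).
    if sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1 \
        | tr -s ' \t' '\n' | grep -qx cmov; then
        echo i686
    else
        echo i586
    fi
}

# Constructed cpuinfo excerpts for the two machines in the thread (abridged,
# illustrative, not real dumps).
K6_CPUINFO='processor   : 0
vendor_id   : AuthenticAMD
cpu family  : 5
model name  : AMD-K6(tm) 3D processor
flags       : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr'

PII_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model name  : Pentium II (Deschutes)
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx'

# Classify a given excerpt (feeds the text to cpu_class on stdin).
classify_text() {
    printf '%s\n' "$1" | cpu_class
}

echo "K6-2 sample:       $(classify_text "$K6_CPUINFO")"
echo "Pentium II sample: $(classify_text "$PII_CPUINFO")"
```

On the K6-2 excerpt the script reports i586 and on the Pentium II excerpt i686; a result of i586 means an i686-built libc and toolchain should not be expected to run on that machine.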
Seems like I have copied some wrong files…
After make I did
make modules_install INSTALL_MOD_PATH=/someDir
Then I copied the files from /someDir to /isoRoot/modules/…
Seems like the trouble is now in the initrd file… upon boot I get the error message “kernel panic – not syncing: VFS unable to mount root fs on unknown block (5,8)”
I have replaced the loop.ko file in initrd, but what else should I modify there (except the sata and usb modules)? Should I use the GCC from the zeroshell page or what am I missing?