[linux-network] Re: Transparent Proxy on a Separate Machine

---------


From: Serdar KOYLU (serdar@uludag.org.tr)
Date: Mon 09 Aug 2004 - 16:14:47 EEST


Greetings..

There is basically no difference between the two methods. Moreover, if
there is a concern such as CPU/buffer usage, the routing function can
also do NAT by itself, without involving iptables etc. at all.

If we can understand the problems that come up, I think we can find the
solution too.

Regards and best wishes..
> Hello,
> On Mon, Aug 09, 2004 at 02:09:27PM +0300, Serdar KOYLU wrote:
> > Greetings..
> >
> > Without dragging it out this much,
> >
> > iptables -t nat -A PREROUTING -p tcp -s ! proxy.ip --dport 80 -j DNAT --to proxy.ip:3128
>
> As far as I know, the DNAT method can cause problems under some
> conditions. Since it is a more general method, I want to use the
> fwmark method.
>
> > Do that, only on the gateway. That should be enough.
> >
> > iptables -t mangle -A PREROUTING -s proxy -p tcp --dport 80 -j ACCEPT
> >
> > With this line, you are taking the packet out of the iptables packet
> > path. With this ACCEPT, the packet is accepted and the rules that
> > follow are not examined. I think the problem is here.
>
> This line only lets packets coming from the proxy machine pass without
> hitting the fwmark rule. The other machines do not match this rule.
> In any case, as far as I can see from the iptables rule counters, there
> is no problem with the rules. The packets are being marked properly.
> That is why I think the problem is in the routing.
>
> >
> > Regards and best wishes..
> >
> > > A proxy server is running on one of the machines in my network; I want
> > > to set up a transparent proxy by redirecting HTTP requests from the
> > > gateway machine to the proxy machine.
> > > First I enter these commands on the gateway:
> > > iptables -t mangle -A PREROUTING -s proxy -p tcp --dport 80 -j ACCEPT
> > > iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
> > > ip rule add fwmark 1 table 42
> > > ip route add default via proxy dev eth1 table 42
> > >
> > > And on the proxy machine I give this command:
> > > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
> > >
> > > The packets are marked properly, but they definitely do not hit the
> > > rule I added; they leave through the gateway in the normal way without
> > > passing through the proxy.
> > >
> > > Even though I run ip route flush cache, it does not work. How can I
> > > make the packets go over the proper route?
> > >
> > > --
> > > Love, Respect, GNU/Linux
> > > ########################################################################
> > > Finagle's First Law:
> > > If an experiment works, something has gone wrong.
> > > ########################################################################
> > > Tonguç Yumruk
> > >
> > >
> >
>
> --
> Love, Respect, GNU/Linux
> ########################################################################
> (1) Never draw what you can copy.
> (2) Never copy what you can trace.
> (3) Never trace what you can cut out and paste down.
> ########################################################################
> Tonguç Yumruk
>
>
>
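
The reasoning in the quoted reply (the rule counters show that marking works, so the fault must lie in routing) can be written as a staged check over the listing commands for the mark 1 / table 42 setup. This is an added example, not part of the original thread; the function names and the proxy address argument are hypothetical, and on a live gateway the three inputs come from the commands named in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. MARK and TABLE are the values used in
# the quoted commands; function names and arguments are hypothetical.
MARK=1
TABLE=42

# Stage 1: does a MARK rule in `iptables -t mangle -L PREROUTING -v -n -x`
# output ($1) show a non-zero packet counter? Column 1 = pkts, column 3 = target.
packets_marked() {
    printf '%s\n' "$1" | awk '$3 == "MARK" && $1 + 0 > 0 { hit = 1 } END { exit !hit }'
}

# Stage 2: does `ip rule show` output ($1) send fwmark $MARK to table $TABLE?
# The kernel prints the mark in hex, optionally with a mask: "fwmark 0x1/0xff".
has_fwmark_rule() {
    hex=$(printf '%x' "$MARK")
    printf '%s\n' "$1" |
        grep -Eq "fwmark 0x0*${hex}(/0x[0-9a-f]+)? (.* )?lookup ${TABLE}( |\$)"
}

# Stage 3: does `ip route show table $TABLE` output ($1) contain a default
# route via the proxy address ($2)? The trailing space stops prefix matches.
table_routes_to() {
    printf '%s\n' "$1" | grep -Fq "default via $2 "
}

# Report the first stage that fails, in the order a packet meets them.
# $1 mangle listing, $2 ip rule output, $3 table routes, $4 proxy IP
diagnose() {
    packets_marked "$1"       || { echo "not-marked"; return 1; }
    has_fwmark_rule "$2"      || { echo "no-fwmark-rule"; return 1; }
    table_routes_to "$3" "$4" || { echo "no-default-via-proxy"; return 1; }
    echo "ok"
}

# On a live gateway (needs root); PROXY_IP is a placeholder you must set:
# diagnose "$(iptables -t mangle -L PREROUTING -v -n -x)" "$(ip rule show)" \
#          "$(ip route show table "$TABLE")" "$PROXY_IP"
```
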



---------

This archive was generated by hypermail 2.1.2.