VP.'s questions

I have the following rule for PORT FORWARDING:

root@foo:~# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING  -p udp -m udp --dport 1:1024 -j DNAT --to-destination 192.168.100.10
-A PREROUTING  -p tcp -m tcp --dport 1:1024 -j DNAT --to-destination 192.168.100.10

running an iperf (tcp connection), I get a 10 x worse result than without Port Forwarding, just with routing. Because I couldn't find any real benchmark, i ask it here: Is that normal a so huge drop in the thoughput using iptables DNAT? Is that possible to optimize it?

I'm trying to test a network device (firewall) using a Linux box, with two network cards, one interface connected to the WAN zone and another interface to LAN zone.

The configuration is similar with that

|ETH0| <-> | FW | <-> ETH1

So from both interfaces I'm able to ping the respective firewall interface. But i'm not able to fire something like:

 ping -I eth0 ip.from.eth1 

and to get any answer.

Is that possible or should I use the linux network namespace solution or any user level tcp stacks (VMs are out of question)

i'm just wondering if it's possible. i don't want to hear about other solutions, since i know them. I just want to know if ISC dhcpd (or any other open source dhcp server) implement it.

Imagine that i have a subnet configured in my dhcpd and as part of this subnet i have two ip ranges/pools (A and B) with the same allocation policy. Is that true, that in this scenario, the dhcpd will do a round-robin for the address allocation?

Another question is: is that possible to assing to an ip pool two routers with different metrics?

My idea is: to have two ip pools, in the same subnet, allocating ip in a round-robing fashion from those pools and with two gateways using different metrics.

so for a subnet 192.168.100.0/24:

i will have two pools. Pool A (192.168.100.10-119) and Pool B (192.168.100.120-254). For the pool A i want to give router 192.168.100.1 metric 10 and 192.168.100.2 metric 20 and for ips from the pool B, router 192.168.100.2 metric 10 and 192.168.100.1 metric 20.

is that possible?

I'm having some problems to install some packages in a Debian box. The problem is more related with the error message interpretation. I'm trying to install the libssl-dev. So I fired a shell and I typed:

apt-get install libssl-dev

For my surprise i've got the following error:

libssl-dev: Depends: libssl0.9.8 (= 0.9.8o-4squeeze1) but 0.9.8o-6 is to be installed
E: Broken packages

So what exactly it means? It depends the libssl0.9.8 ( the squeeze1 version) but the 0.9.8o-6 will be installed? Is this minor number (the "o-6") a blocking for apt-get? Can I force it (I did try with the -f, but it didn't work)?

I'm trying to install under RVM the Ruby Enterpise (REE) under debian

My debian is squeeze (uname -r)

2.6.18-194.26.1.el5.028stab070.14xen

i did try to install ree but it complains that it is missing libssl-dev and libreadline5-dev. I did update my lenny to squeeze, but i didn't update the kernel, since its a production server.

The operational system is already updated and upgraded

sources.list:

deb http://ftp.de.debian.org/debian/ squeeze main contrib non-free
deb-src http://ftp.de.debian.org/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main 
deb-src http://security.debian.org/ squeeze/updates main

I did try to install it using the following command:

apt-get install libssl-dev libreadline5-dev

But unfortunately i'm getting the following problems:

The following packages have unmet dependencies:
  libreadline5-dev: Depends: libncurses5-dev but it is not going to be installed
  libssl-dev: Depends: libssl0.9.8 (= 0.9.8o-4squeeze1) but 0.9.8o-6 is to be installed
E: Broken packages

I was thinking to reinstall those packages and install again, but it has too many dependencies, and it is a production server, that i would like to know if there is any other way to fix it. Or at least to double check if it is necessary to reinstall both :-/

i have a small network, with one valid IP and a firewall with 3 network interfaces (LAN, WAN, DMZ).

• I want to enable PAT on this valid IP to redirect http traffic to a server in my DMZ. (done)
• I want to enable MASQ on this ip from traffic that comes from my LAN (done)
• I want from my LAN as well to access my http server at DMZ. (partially)

Question:

in the above scenario, i cannot from my LAN, to access my http server in the DMZ, since it has the IP used by the MASQ (the only valid ip that i have). What would be the best option to solve this problem?

network interfaces:

• eth0 (WAN)
• eth1 (DMZ)

• eth2 (LAN)

  /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  /sbin/iptables -A FORWARD --o eth1 -d 2.2.2.2 -p tcp --dport 80 -j ACCEPT

  /sbin/iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to 2.2.2.2

  /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

  /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

  /sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

i want to configure a linux as gateway (dhcp and nat) and i would like to add 802.1x as authentication protocol. My question is, i remember in the past, that it has a strong connection with the port (read physical port) it means, if I have a switch connected to my FW and the first use authenticate on that, it means that all other uses on this switch (or all traffic that comes from this port), will be authenticated.. is that true?

I'm configuring a bastion host with Linux. It will run DHCP and DNS (resolver, recursive and cache)

The solutions that I'm considering are:

• djbdns
• powerdns
• isc dns
• unbound

For DHCP I'm thinking about ISC DHCPD.

Something that I found interesting is dnsmasq. What do you like?

i did install the openldap server using the following command:

sudo apt-get install slapd ldap-utils

it did install successfully. Funny thing thought is that it didn't provide me an init.d file.

tuba@foobar:~$ sudo /etc/init.d/slapd restart
sudo: /etc/init.d/slapd: command not found
tuba@pfoobar:~$ 

Am I missing something? I was looking the "ubuntu howto" for this version https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html and all schemas that i should load, located on /etc/ldap/schema/* doesn't exist, but the directory does.

tuba@foobar:~$ ls -l /etc/ldap/schema/
total 0
tuba@foobar:~$ 

So Am I missing something? I'm using ubuntu 10.04

i'm facing a strange LDAP configuration. Some admin, just created users as OU in OpenLDAP. To do it, the admin, changed some attributes in the OU like posixAccount, inetOrgPerson, organizationalPerson and person.. my question is what is the advantage to do it? It works, but i would like to know the drawbacks about it.

I would like to test a firewall solution. For that i would like to create a virtual network, without contact with my network and configure two virtual ethernet cards in my firewall. is that possible? say that my virtual machine has two ethernets? If with virtualbox is not possible, is it possible with any VM solution? To create virtual network and virtual devices in my virtual operational system