How "routing decision" and "reroute check" decide which next hop to choose in the Netfilter figure - netfilter

In the Wikipedia article on Netfilter, there is a figure, "Packet flow in Netfilter and General Networking".
The "routing decision" and "reroute check" boxes each have multiple next hops, and the next hops look very similar:
Can anyone tell me why and how the next hop is chosen? An example would be even better.
Thank you.

After my learning about Linux networking, I think the key point is the "bridge device": it works on the link layer and is used for virtual machines, containers, tunnels and so on.
If the host machine communicates with the outer network, only the "network layer" route is taken;
if a virtual machine communicates with the outer network, only the "link layer" route is taken;
if the host machine communicates with the virtual machines or containers, it uses the route from the link layer to the network layer, or vice versa.
The "link layer" stands for data that goes through the virtual bridge device.
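As an added example that is not part of the original post, here is a toy model of the two boxes from the figure: the "routing decision" is a longest-prefix match over the route table, and the "reroute check" simply runs that same lookup again after the nat/mangle OUTPUT chains may have rewritten the destination (for example by DNAT into a container behind a bridge). The interface names, prefixes and the DNAT rule are invented for the illustration, and the real kernel consults the local table before main rather than merging them as done here.

```python
"""Added example (not from the original post): routing decision + reroute check.
Interface names, prefixes and the DNAT rule below are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                      # outgoing interface
    via: Optional[str] = None     # next-hop gateway; None = directly connected
    local: bool = False           # entry from the 'local' table: deliver to this host


# Constructed route table (roughly what `ip route show table all` would list).
ROUTES = [
    Route(ipaddress.ip_network("10.0.0.1/32"), "lo", local=True),
    Route(ipaddress.ip_network("10.0.0.0/24"), "eth0"),
    Route(ipaddress.ip_network("192.168.100.0/24"), "br0"),   # VM/container bridge
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", via="10.0.0.254"),
]


def routing_decision(dst: str, routes=ROUTES) -> tuple[str, str, str]:
    """Longest-prefix match. Returns (verdict, device, next hop), where the
    verdict is 'local' (goes up to a local process) or 'forward' (goes out)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    verdict = "local" if best.local else "forward"
    return verdict, best.dev, best.via or dst


# Constructed nat OUTPUT rule: DNAT 10.0.0.9:80 to a container behind br0.
DNAT_OUTPUT = {("10.0.0.9", 80): ("192.168.100.5", 8080)}


def local_out(dst: str, dport: int):
    """Model of the OUTPUT path in the figure:
    routing decision -> nat OUTPUT -> reroute check.
    Returns (first lookup, lookup after the reroute check, final destination)."""
    first = routing_decision(dst)
    new_dst, new_port = DNAT_OUTPUT.get((dst, dport), (dst, dport))
    if (new_dst, new_port) != (dst, dport):
        # Reroute check: the destination changed, so the earlier decision is
        # stale and the lookup has to be repeated against the new address.
        second = routing_decision(new_dst)
    else:
        second = first                 # nothing changed, keep the first result
    return first, second, new_dst


if __name__ == "__main__":
    print(routing_decision("10.0.0.1"))      # local delivery via lo
    print(routing_decision("8.8.8.8"))       # default route via 10.0.0.254
    print(local_out("10.0.0.9", 80))         # eth0 first, br0 after reroute check
```

The point the figure is making: the second lookup is needed exactly because the first one was done before NAT; without the reroute check the DNATed packet would still leave via eth0 with a destination that only br0 can reach.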

Related

SNMP call to shared printer

I have the following LAN scheme:
<MyPC 10.220.0.x> --- <WinServ 2008r2 10.220.0.x> --- <Xerox WC 192.168.0.x>
The server has the PrintServer role enabled and the printer is shared. I want to monitor the printer's state/errors through SNMP, but the problem is that I don't have access to the printer directly because it is in a different network. I can operate the printer ONLY as a shared printer, i.e. through the print server, so my question is: how can I make SNMP requests to the shared printer? Is it possible?
If the device in the middle is routing the relevant traffic and the config on the printer allows it to respond to SNMP requests from outside its subnet then there's nothing to stop it from working.
But those are really big caveats, particularly the first one.
If you are doing any NAT on the box in the middle, then either replace it with a Linux box or proper router or find another problem to solve.
If it's not routing, then you need to set this up (note that you want a STATIC route).
If it is routing already then you probably need to look at the firewall to make sure it's allowing the traffic.
If that's all working then you need to look at the SNMP policy on the printer.
Your network diagram is vague enough that they could all be on the same LAN.
If you are so lucky, then just set a static route to the 192.168 network on "My PC", e.g.:
route add 192.168.0.0 mask 255.255.0.0 IP-ADDRESS-OF-MY-PC
If you can ping your printer, then you can access it via SNMP, assuming
there are no firewalls on the printer disallowing this.

avahi Segregated mDNS domains from one multi-homed host

We're attempting to enable a number of mDNS advertised services on our campus
wide wireless network, most notably airplay. In our case, the airServers would
sit on our wired network, so we need to advertise the services manually either
with DNS-SD or mDNS on the wireless side. We've gotten that working using
static service advertisements in avahi and it's pretty slick, but we have a
scaling problem.
We have potentially 150 AirServer hosts in a variety of classrooms around the
campus. If we were to enable all of them, the list to choose from on iPads
would be outrageously large (to say nothing of students thoroughly enjoying
taking over an AirServer from across campus when a faculty member forgets to
change the password).
What we would like to do is segregate our wireless network on a single vlan per
building basis to form 27 mDNS segments and then run avahi to advertise the
services in each segment, preferably on a single, multi-homed host with access
to all of the segments.
I was hoping that avahi-daemon would take a parameter in the avahi-daemon.conf
that points to a unique services directory, so that I could have multiple
config files, each with a different allow-interfaces clause and a pointer to a
different services directory, but that doesn't appear to be a configurable
option.
I was thinking of chroot jailing multiple copies of avahi, but that seems
really kludgy.
Am I missing some more obvious strategy to handle this without creating 27
separate hosts?
Thanks much!
JD
It is possible to achieve what you want if you build your own application for publishing the services in the interfaces you want. This method call is from GNUStep "base" framework, class GSAvahiNetServices (can be used on Linux) and the method is based on the Avahi API.
- (id) initWithDomain: (NSString*)domain
type: (NSString*)type
name: (NSString*)name
port: (NSInteger)port
avahiIfIndex: (AvahiIfIndex)anIfIndex
avahiProtocol: (AvahiProtocol)aProtocol
As you can see, it is possible to specify the network interface index you want the service to be published on. You can also limit the protocol (IPv4 or IPv6). If you want one service to be available on more than one interface, just publish it on each interface.

Create a multicast router

How can I make my laptop act as a multicast router?
I need to stream video content to other computers within the same network. How can I make my laptop work as a multicast router?
There are some tools for that, like iou and iou2net.pl.
It's simple - write a simple app to receive multicast on one network card and simply re-send it on another one. One packet in - one packet out. And this way you can make a userspace multicast router. Very easy. Just don't forget to register IGMP on these sockets.
This way you can also send it to multiple networks at once, etc etc.
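The relay described in that answer, as an added example that is not part of the original thread: one socket joins the group on the inbound interface (the IP_ADD_MEMBERSHIP call is what makes the kernel send the IGMP report), a second socket re-sends each datagram out of the outbound interface, and datagrams that came from this host itself are never relayed, so two relays facing each other cannot loop traffic forever. The group, port and interface addresses are assumptions.

```python
"""Added example (not from the original thread): a minimal userspace multicast
relay. GROUP, PORT and the two interface addresses are constructed assumptions."""
from __future__ import annotations

import socket

GROUP = "239.1.2.3"             # assumed administratively scoped group
PORT = 5004                     # assumed RTP-style port
IN_IFACE_IP = "192.168.1.10"    # assumed address on the LAN where the source is
OUT_IFACE_IP = "10.0.0.10"      # assumed address on the LAN that should receive it


def membership_request(group: str, iface_ip: str) -> bytes:
    """struct ip_mreq: group address followed by the local interface address.
    Passing this to IP_ADD_MEMBERSHIP is what triggers the IGMP join."""
    return socket.inet_aton(group) + socket.inet_aton(iface_ip)


def should_relay(src_ip: str, local_ips: set[str]) -> bool:
    """Loop protection: never re-send a datagram this host sent itself."""
    return src_ip not in local_ips


def open_receiver(group: str, port: int, iface_ip: str) -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 membership_request(group, iface_ip))
    return s


def open_sender(iface_ip: str, ttl: int) -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # Pick the outgoing NIC explicitly; otherwise the default route decides.
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    # Keep the TTL small so a misconfigured relay cannot flood a whole site.
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, 0)
    return s


def relay_loop(rx: socket.socket, tx: socket.socket, group: str, port: int,
               local_ips: set[str]) -> None:
    """One packet in, one packet out."""
    while True:
        data, (src_ip, _src_port) = rx.recvfrom(65535)
        if should_relay(src_ip, local_ips):
            tx.sendto(data, (group, port))


if __name__ == "__main__":
    rx = open_receiver(GROUP, PORT, IN_IFACE_IP)
    tx = open_sender(OUT_IFACE_IP, ttl=4)
    relay_loop(rx, tx, GROUP, PORT, {IN_IFACE_IP, OUT_IFACE_IP})
```

This only relays one direction; for the reverse direction run a second instance with the interfaces swapped. Note that this is not a multicast routing protocol (no PIM, no pruning): every joined datagram is copied whether or not anyone on the far side asked for it, which is fine on a laptop in one room and a bad idea across a campus.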
Say you install Cisco IOU on a VM (ubuntu) or directly if you already use ubuntu.
Every instance you run (level 3 bin files for routers and level 2 for switches) is dealt with as a separate physical machine.
This way you can:
create a network within one machine.
save up on memory as IOUs don't really take that much (64 MB by default)
do any type of testing you need locally and for free.
iou2net.pl for instance is a tool you use to link an IOU instance to external networks.
This way you can use a real router/switch or network setting up the IOU either as one or a group or client OR your server itself.

How to Connect to a VPN Server with Delphi?

I need to connect to a VPN server, and I can't use Windows connections; my application should work independently!
I tested some components using the RAS API; they work, but by using Windows connections.
How can I do that without any dependency on Windows connections?
The problem with this question
"VPN" stands for "Virtual Private Network". It's a way to make a private network available to your computer, possibly in a secure way, so your computer can use standard IP protocols as if it were physically connected to the private network.
The operating system needs to know about that network, so of course all VPN implementations use "windows connections". From a different perspective: when you're connected to a VPN you can open a TCP connection to an IP on the private network as if it were on your local network. Since it's the operating system's job to set up your TCP connection and route your TCP/IP packets, of course it needs to know about the VPN! If it doesn't, it'll simply forward all your requests for the given IP to its default router and fail with a "no route to destination" message (or a "time out", if your router is not kind enough to tell your system it has no idea what the private IP is).
Can it be done?
From a theoretical point of view, of course, you can bypass Windows completely, but then you'll have to "roll your own" everything. You can't use the Windows IP services, you'll have to implement your own TCP. I'm sure there are about a million other little things that need re-implementing.
For a starting point I'd look at OpenVPN: it's open source and available for Windows. It uses the UDP protocol as the basis for the VPN implementation, unlike the Windows VPN (that one uses GRE - General Routing Encapsulation, protocol 47). OpenVPN itself, of course, uses a "windows connection" to do its job, because it aims to provide a useful service, but you can use the source code as the basis for your own implementation.
I personally wouldn't even think about doing this, I'm just showing you the way and proving it's possible.
What should be done
I assume you want some kind of secure communication channel to your own service. Look into simple secure connections, tunneling protocols and proxies.
If this needs to be done for one service on one server, I'd look into a simple SSL implementation. Even better, look into using HTTPS.
If you need to access many different services on possibly different servers on the given private network I'd look into proxies.

Building a Network Appliance Prototype Using a standard PC with Linux and Two NIC's

I am willing to build a prototype of a network appliance.
This appliance is supposed to transparently manipulate Ethernet packets. It is supposed to have two network interface cards, with one card connected to the outside leg (i.e. eth0) and the other to the inside leg (i.e. eth1).
In a typical network layout, as in the attached image, it will be placed between the router and the LAN's switch.
My plan is to write software that hooks in at the kernel driver level and does whatever I need to do to incoming and outgoing packets.
For instance, an "outgoing" packet (at eth1) would be manipulated and passed over to the other NIC (eth0), which then should transport it to the next hop.
My questions are:
Is this doable?
Those NICs will have no IP address; should that be a problem?
Thanks in advance for your answers.
(And no, there is no such device yet in the market, so please, "why reinvent the wheel" style of answers are irrelevant)
typical network diagram http://img163.imageshack.us/img163/1249/stackpost.png
I'd suggest libipq, which seems to do just what you want:
Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel.
Apparently, it can be done.
I am actually trying to build a prototype of it using scapy
As long as the NICs are set to promiscuous mode, they catch packets on the network without the need for an IP address set on them. I know it can be done as there are a lot of companies that produce the same type of equipment (e.g. Juniper Networks, Cisco, F5, Fortinet etc.).
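As an added example (not code from the question or either answer), here is the userspace half of such an appliance done with raw AF_PACKET sockets rather than a kernel hook or libipq: both NICs are put in promiscuous mode and carry no IP address, every frame read from the inside leg is inspected, optionally rewritten, and written to the outside leg. The inspection policy (drop TCP to port 23, optionally rewrite the DSCP field) is an assumption chosen so that the example exercises a drop, a pass and a modification with checksum recomputation; the interface names are assumptions too, and the sample frame is constructed, not captured.

```python
"""Added example (not from the original thread): transparent two-NIC frame
filter on raw AF_PACKET sockets. Policy, interface names and the sample frame
are constructed assumptions."""
from __future__ import annotations

import socket
import struct

ETH_P_ALL = 0x0003
ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """Internet checksum. Over a header whose checksum field is zero it yields
    the value to store; over a correct header (field included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inspect(frame: bytes, blocked_tcp_ports=(23,), dscp: int | None = None):
    """Return (verdict, frame). Verdicts: 'pass', 'drop', or 'modify' when the
    DSCP code point was rewritten (ECN bits kept, checksum recomputed)."""
    if len(frame) < ETH_HLEN + 20:
        return "pass", frame
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "pass", frame                    # ARP etc. are bridged untouched
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl or ip_checksum(ip[:ihl]) != 0:
        return "drop", frame                    # malformed or corrupt header
    if ip[9] == PROTO_TCP and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dport in blocked_tcp_ports:
            return "drop", frame
    if dscp is None:
        return "pass", frame
    new_tos = (dscp << 2) | (ip[1] & 0x03)
    if new_tos == ip[1]:
        return "pass", frame
    hdr = bytearray(ip[:ihl])
    hdr[1] = new_tos
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return "modify", frame[:ETH_HLEN] + bytes(hdr) + ip[ihl:]


def build_ipv4_frame(src: str, dst: str, dport: int, tos: int = 0) -> bytes:
    """Constructed sample input: Ethernet + IPv4 + a bare TCP header."""
    tcp = struct.pack("!HH", 40000, dport) + b"\x00" * 16
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0x1234,
                                0, 64, PROTO_TCP, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + bytes(hdr) + tcp


def open_promisc(ifname: str) -> socket.socket:
    """Raw socket bound to one NIC; promiscuous mode via PACKET_ADD_MEMBERSHIP.
    No IP address is required on the interface (Linux, root needed)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    mreq = struct.pack("IHH8s", socket.if_nametoindex(ifname),
                       socket.PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    return s


def bridge_loop(in_if: str = "eth1", out_if: str = "eth0") -> None:
    rx, tx = open_promisc(in_if), open_promisc(out_if)
    while True:
        verdict, out = inspect(rx.recv(65535), dscp=46)
        if verdict != "drop":
            tx.send(out)


if __name__ == "__main__":
    bridge_loop()
```

This handles one direction; the return path needs the mirror loop (or a select() over both sockets). Because the host never answers ARP or holds an address on either leg, it is invisible to both sides, which is what "transparent" buys you; it also means you need a management interface elsewhere.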
