I will give an example of installing and configuring xt_NAT on Ubuntu Server 14.04 with kernel version 4.4.0-142. xt_NAT may not work on newer kernel versions. According to the developer, it should work on Linux Kernel 3.18 and 4.1. Patches can be found to make it work on newer kernel versions.
Tag Archives: NAT
Blocking SPAM behind a NAT server
In this article I will give an example of detecting and blocking the sending of spam messages behind a NAT server.
Changing gc_thresh on Linux
In this article I will give an example of changing gc_thresh on Linux; this parameter usually needs to be increased on highly loaded access servers.
NAT Modules for VPN, FTP, SIP
Let’s say SNAT or masquerading is configured on a Linux server, for example, as I described in the article Ubuntu IP Masquerading (NAT). If many NAT clients connect to external PPTP, FTP or SIP servers, they will have connection problems.
Port forwarding on Mikrotik routers
To forward a port on the Mikrotik router, you need to open the “IP” – “Firewall” menu, select the “NAT” tab and add a new rule by clicking “Add new” or “+”.
Configure Hairpin NAT on RouterOS (Mikrotik)
In this article I will give an example of setting Hairpin NAT on RouterOS (Mikrotik).
I happen to have a server or a DVR on the local network with ports forwarded to it in the firewall, but it can be reached that way only from other networks; from the local network it is reachable only by its local IP address, not by the external address on the WAN interface of the router.
Difference between MASQUERADE and SNAT
In this article I will briefly describe the difference between MASQUERADE and SNAT.
MASQUERADE. Slower than SNAT under a large number of requests, because the IP address on the external network interface (WAN) is determined for each new connection. Well suited to home routers and to cases where the IP address on the WAN interface changes.
Accel-ppp installation
In this article, I’ll give an example of how to build and install accel-ppp in Ubuntu Server.
The reason for increasing RX overruns on the network adapter
I noticed once on one of the servers that the RX overruns value is growing slightly.
I executed several commands (where p2p1 and p2p2 are the names of network interfaces):
ifconfig p2p1
ifconfig p2p2
Only the value of RX overruns increased by 10 packets every second, with traffic at about 2Gb/s (100,000 packets per second).
The server was equipped with the network adapter “HP NC552SFP 10Gb 2-Port Ethernet Server Adapter” with a network controller from Emulex.
Having looked at the maximum and current buffer sizes:
ethtool -g p2p1
ethtool -g p2p2
I found that the buffers were set to maximum: the TX buffer is 4096, while the maximum possible RX buffer was only 512.
See also my article – Changing TX and RX network interface buffers in Linux
Having checked whether the network card interrupts are distributed correctly over the processor cores:
grep p2p1 /proc/interrupts
I found that the network adapter has a maximum of 4 IRQs, and irqbalance accordingly allocated them to 4 cores, while the processor has 24 cores.
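The comparison made above (IRQ vectors of the adapter against the number of cores) can be scripted. This is an added example, not part of the original article; the sample table is constructed, and the "-q0" style queue names in it are an assumption, since each driver names its vectors differently.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample in /proc/interrupts layout: 4 CPU columns, two vectors
# for p2p1 and one for p2p2. Queue names ("-q0") are an assumption.
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  0:         36          0          0          0   IO-APIC   2-edge      timer
 64:    9184201          0          0          0   PCI-MSI 524288-edge  p2p1-q0
 65:          0    9120033          0          0   PCI-MSI 524289-edge  p2p1-q1
 66:    4410020          0          0          0   PCI-MSI 526336-edge  p2p2-q0
EOF
}

# irq_vectors IFACE [FILE]: count IRQ lines whose device name (last field)
# is IFACE itself or starts with "IFACE-".
irq_vectors() {
    awk -v ifc="$1" '
        NR > 1 && ($NF == ifc || index($NF, ifc "-") == 1) { n++ }
        END { print n + 0 }' "${2:-/proc/interrupts}"
}

# cpu_columns [FILE]: number of CPU columns in the header line.
cpu_columns() {
    awk 'NR == 1 { print NF; exit }' "${1:-/proc/interrupts}"
}

# irq_report IFACE [FILE]: one-line summary, flagging fewer vectors than CPUs.
irq_report() {
    v=$(irq_vectors "$1" "${2:-/proc/interrupts}")
    c=$(cpu_columns "${2:-/proc/interrupts}")
    if [ "$v" -lt "$c" ]; then
        echo "$1: $v IRQ vectors for $c CPUs (interrupts can reach at most $v cores)"
    else
        echo "$1: $v IRQ vectors for $c CPUs"
    fi
}

# Stand-alone use: ./irq_report.sh p2p1
if [ "$#" -gt 0 ]; then
    irq_report "$1"
fi
```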
The problem was solved by replacing the network adapter with a more expensive one – “665249-B21 HP 10Gb 2-port 560SFP + Adapter” with an Intel 82599 network controller.
After that, the error was no longer observed, the RX and TX buffers were 4096, and the IRQs were distributed across all 24 cores.
After a couple of days, the error counters remained at zero:
p2p1 RX packets:62535001155 errors:0 dropped:0 overruns:0 frame:0
     TX packets:36343078751 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000
     RX bytes:77395016742081 (77.3 TB) TX bytes:10991051263063 (10.9 TB)
p2p2 RX packets:35672087256 errors:0 dropped:0 overruns:0 frame:0
     TX packets:58598868464 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000
     RX bytes:10996254475480 (10.9 TB) TX bytes:73378418623349 (73.3 TB)
Probably the previous network adapter was some kind of cut-down version, since its price was two times lower, and in general for serious purposes it is better to use network adapters with a controller from Intel.
See also my article – Configuring the Network in Linux
Monitoring Linux ISG in Zabbix
Today I wanted to monitor Linux ISG sessions in Zabbix.
I entered this command on one of the servers:
/opt/ISG/bin/ISG.pl show_count
I saw the following:
Approved sessions count: 2021
Unapproved sessions count: 2
The Zabbix agent had already been installed on the server, so I opened its configuration file (in the nano editor, press Ctrl+X to exit, then y/n to save or discard the changes):
nano /etc/zabbix/zabbix_agentd.conf
I came up with and added the following lines:
UserParameter=isg.approved, /opt/ISG/bin/ISG.pl show_count | grep "Approved sessions count:" | awk '{print $4}'
UserParameter=isg.unapproved, /opt/ISG/bin/ISG.pl show_count | grep "Unapproved sessions count:" | awk '{print $4}'
Allow the Zabbix agent to run as root by specifying:
AllowRoot=1
Restart the Zabbix agent to apply the changes:
sudo /etc/init.d/zabbix-agent restart
On the Zabbix server, create an ISG template and add the items to it, specifying the type – Zabbix agent, and the keys: isg.approved, isg.unapproved.
Create graphs for the created items.
Apply the template to the desired nodes of the network.
Done.
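An alternative to AllowRoot=1, added here as an example and not part of the original article: the agent stays unprivileged and sudo grants its user only the one show_count command. It assumes that ISG.pl needs root, that the agent runs as user zabbix, and uses hypothetical paths for the wrapper script and the sudoers drop-in.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: the agent runs as
# user "zabbix", ISG.pl needs root, and this file is installed at the
# hypothetical path /usr/local/bin/isg_count.sh.
#
# sudoers drop-in (hypothetical file /etc/sudoers.d/zabbix-isg):
#   zabbix ALL=(root) NOPASSWD: /opt/ISG/bin/ISG.pl show_count
# zabbix_agentd.conf, with AllowRoot left at its default of 0:
#   UserParameter=isg.approved,/usr/local/bin/isg_count.sh approved
#   UserParameter=isg.unapproved,/usr/local/bin/isg_count.sh unapproved

# Command that produces the counters; sudo -n fails instead of prompting.
ISG_CMD="${ISG_CMD:-sudo -n /opt/ISG/bin/ISG.pl show_count}"

# isg_extract KEY: read show_count output on stdin and print one counter.
# Returns non-zero with no output for an unknown key or a non-numeric value.
isg_extract() {
    case "$1" in
        approved)   label="Approved sessions count:" ;;
        unapproved) label="Unapproved sessions count:" ;;
        *) return 2 ;;
    esac
    awk -v label="$label" '
        index($0, label) == 1 && $NF ~ /^[0-9]+$/ { print $NF; found = 1; exit }
        END { exit !found }'
}

# isg_count KEY: run the command and extract the requested counter.
isg_count() {
    $ISG_CMD | isg_extract "$1"
}

# Act as the UserParameter command only when a key is passed.
if [ "$#" -gt 0 ]; then
    isg_count "$1"
fi
```

Because the sudoers rule names the full command with its argument, the zabbix user cannot run ISG.pl with any other subcommand as root.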