Re: DNAT and MASQUERADE

2015-01-08 Thread Erez D
On Wed, Jan 7, 2015 at 11:41 AM, shimi  wrote:

>
>
> On Wed, Jan 7, 2015 at 11:35 AM, shimi  wrote:
>
>>
>>
>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D  wrote:
>>
>>> hello.
>>>
>>> I have an iptables question
>>>
>>> i have the following
>>>
>>> ext_ip -> NAT1 -> linux firewall-> network -> computer1:eth0 ..
>>> computer99
>>>
>>> i have no control over NAT1.
>>> computer1 also can reach the internet via eth1.
>>>
>>> linux firewall redirects incoming port  from ext_ip to computer1
>>> however i need computer2 .. computer99 to connect to ext_ip: and also
>>> reach computer1
>>>
>>> so first i did a NAT rule in linux firewall to redirect all packets from
>>> internal to ext_ip:  to computer1. and did an 'ifconfig eth0:1 $ext_ip
>>> up' on computer1.
>>> this works. however it causes computer1 not to be able to access real
>>> ext_ip via eth1 which is connected to the internet as well
>>>
>>> so i thought of both doing DNAT and MASQ, which will do the same but will
>>> not require assigning ext_ip to computer1.
>>> however i do not know how to do that
>>>
>>>
>> If computer1 can access ext_ip:, all you need is to allow ip_forward
>> (/etc/sysctl.conf for permanent, and echo 1 >
>> /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
>> have a static route to ext_ip via computer1
>>
>> Then, in computer1,
>>
>> iptables -t nat -I POSTROUTING -o  [ -i
>>  ] -s > computers/netmask> -p tcp --dport  -j MASQUERADE
>>
>> should do...
>>
>> (of course, assuming the iptables FORWARD chain is not dropping those
>> packets; otherwise you'd need an ACCEPT rule there, too...)
>>
>> HTH,
>>
>> -- Shimi
>>
>>
> And on a second read, I think I got you wrong and the purpose was to
> access computer1 port  (hopefully listening on 0.0.0.0) from computersN
> by using the external IP from the inside?
>
yes

>
> If so, did:
>
computerN default route is the linux firewall. without any rules on linux
firewall, it will forward packets from computer1 destined to ext_ip  to
NAT1. and they will not reach computer1 at all, so rules on computer 1 are
useless.
Doing a DNAT on linux firewall will direct the packets to computer1,
however computer 1 will know computerN and will reply directly without going
through linux firewall, and computer1 will not match the packets to the
original connection.



> iptables -t nat -I PREROUTING -i  -s  computers/netmask> -p tcp --dport -j REDIRECT --to-port 
>
> not work?
>
> -- Shimi
>
___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
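The DNAT-plus-MASQUERADE variant Erez asks about, as an added example for the linux firewall (not code from the thread): the DNAT alone is the rule he tried, and the MASQUERADE is what stops computer1 from answering computerN directly. Interface names, addresses and the port are assumed placeholders.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the linux firewall in the thread: a
# connection from computerN to ext_ip:PORT is DNATed to computer1:PORT and
# also source-NATed, so computer1 answers the firewall rather than computerN
# directly and conntrack can reverse both translations on the reply.
# All values below are constructed placeholders, not values from the thread.
EXT_IP="${EXT_IP:-203.0.113.10}"      # address NAT1 forwards from (ext_ip)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # computer1 .. computer99
LAN_IF="${LAN_IF:-eth0}"              # firewall interface facing that LAN
SERVER="${SERVER:-192.168.1.11}"      # computer1
PORT="${PORT:-8080}"                  # the forwarded TCP port
IPT="${IPT:-iptables}"                # set IPT=echo to preview instead of apply

hairpin_rules() {
    # 1. DNAT: LAN -> ext_ip:PORT becomes LAN -> computer1:PORT. On its own
    #    this is the rule Erez tried; computer1 would reply straight to
    #    computerN, whose socket expects an answer from ext_ip, not computer1.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$EXT_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    # 2. MASQUERADE: only for the hairpinned flows (same LAN in and out),
    #    rewrite the source to the firewall's LAN address so the reply comes
    #    back through the firewall, where conntrack undoes step 1 and step 2.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j MASQUERADE
    # 3. Permit the flow in the filter table; needed if FORWARD's policy is DROP.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply as root (needs net.ipv4.ip_forward=1); preview with IPT=echo.
if [ "${1:-}" = "--apply" ]; then
    hairpin_rules
fi
```

Side effect of step 2: computer1 sees every hairpinned client as the firewall's LAN address, so its logs lose the real computerN source; keeping the MASQUERADE limited to `-d $SERVER --dport $PORT` confines that to these flows.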


Re: Skimping on AWS EC2 bills

2015-01-08 Thread Vitaly
Amos,
IMHO, it's not technical, but more  "human" issue. For example, as far as
you decide that you need Jira every last day of month, you can launch
instance automatically.
But typically Jira usage is more random, so I don't think  there is
technical solution exist.
If you're the only Jira user, why don't run it from your own computer for
free?

And, BTW, AWS reserved instances allow you to modify everything; plus
up-front pay isn't must anymore.

regards,
Vitaly

On Thu, Jan 8, 2015 at 4:40 AM, Amos Shapira  wrote:

> Yes I'm well aware of the RI option. It can save up to %70 for high-load
> (i.e. machines which are up 24/7), but much less saving compared to
> something that you can keep bringing up and down on demand.
> Also the up-front cost is not cheap, and commits you to that type of
> instance (as far as I remember, you can't buy switch or upgrade an RI slot,
> what's paid is paid).
>
> On 8 January 2015 at 12:47, Aviram Jenik  wrote:
>
>> I'm not an AWS expert and would love to hear from those who are. But we
>> do have a few (dozen) instances on AWS.
>>
>> We have them running 24/7. I get that you could start and stop on demand,
>> but don't get how you would do that without changing the way you work in a
>> drastic way (compared to a physical machine). To save costs, buy a
>> 'reserved instance'. You are paying up front for 1-3 years (I recommend 3
>> years) and then paying a very very low cost per hour. If your load is low,
>> buy the 'low load' machine to save even more costs (but then you pay hire
>> fees if you cross the threshold). I don't know how this works well enough -
>> we always buy the 'high load' instance and buy them for 3 years; the total
>> average cost is equivalent to what we would have paid for the hosting and
>> so the hardware is "free".
>>
>>
>> - Aviram
>>
>>
>>
>> On Wed, Jan 7, 2015 at 7:33 PM, Amos Shapira 
>> wrote:
>>
>>> Hi,
>>>
>>> Do people here keep EC2 instances running?
>>> Do you leave it running 24/7 or do you fire them up when you need them?
>>>
>>> I'd like to run my own EC2 instance running $10 Jira + $10 Confluence
>>> (+$10 some extra useful add-ons) (to clarify - these are one-off $10 for
>>> each product), but can't justify running a $30/month small EC2 (and perhaps
>>> more, Jira alone requires 1.5-2GB of RAM) just to be used at most a few
>>> hours a month if not less.
>>>
>>> But logging in to the console to fire it up (or through aws cli, or
>>> using an Android based app) every time I want to access it also would be
>>> inconvenient.
>>>
>>> So is there another way?
>>>
>>> Thanks,
>>>
>>> --Amos
>>>


Re: Skimping on AWS EC2 bills

2015-01-08 Thread Amos Shapira
I was thinking about running it on my own laptop, and perhaps I will.

But that would mean leaving it on around the clock which I don't want to
(I'm very conscious of power consumption, both economically and
environmentally), and I don't carry it with me most of the time but would
like to have access to my server from both my mobile and workplace.

On 8 January 2015 at 19:59, Vitaly  wrote:

> Amos,
> IMHO, it's not technical, but more  "human" issue. For example, as far as
> you decide that you need Jira every last day of month, you can launch
> instance automatically.
> But typically Jira usage is more random, so I don't think  there is
> technical solution exist.
> If you're the only Jira user, why don't run it from your own computer for
> free?
>
> And, BTW, AWS reserved instances allow you to modify everything; plus
> up-front pay isn't must anymore.
>
> regards,
> Vitaly
>




Re: DNAT and MASQUERADE

2015-01-08 Thread shimi
On Thu, Jan 8, 2015 at 10:43 AM, Erez D  wrote:

>> And on a second read, I think I got you wrong and the purpose was to
>> access computer1 port  (hopefully listening on 0.0.0.0) from computersN
>> by using the external IP from the inside?
>>
> yes
>
>
> computerN default route is the linux firewall. without any rules on linux
> firewall, it will forward packets from computer1 destined to ext_ip  to
> NAT1. and they will not reach computer1 at all, so rules on computer 1 are
> useless.
>
>
> Doing a DNAT on linux firewall will direct the packets to computer1,
> however computer 1 will know computerN and will reply directly without going
> through linux firewall, and computer1 will not match the packets to the
> original connection.
>

But if you create a static route on computerN towards the external IP via
computer1 like I suggested, then these connections will not get to linux
firewall at all, rather than get to computer1 (I'm assuming they're on the
same L2 and share IP addresses in the same IP subnet) - so rules on
computer1 will apply, wouldn't they?

What am I missing?

-- Shimi