From: "Guillermo Javier Nardoni" <gjnardoni@yahoo.com.ar>
To: lartc@mailman.ds9a.nl, netfilter@lists.netfilter.org,
	fb-gral@freebaires.org.ar
Subject: [LARTC] I gave up.-...-.-.-.- :'(
Date: Sat, 01 Oct 2005 14:05:19 +0000	[thread overview]
Message-ID: <007101c5c691$2c6f81f0$5b00a8c0@ripst> (raw)



Actually I gave up. I tried and tried and tried so many times, upgrading software, falling back to an old version,
but it didn't work, that's it.
I can't make tc work together with iptables and iproute2.
When I mark a packet with iptables, tc doesn't recognize it, so it falls to the default leaf of the tc tree.

What I'd like is to mark packets depending on their IP (the one that makes a connection into the Linux (gateway) box) and port.

I'll transcribe my script because I really don't know what to do.

P.S. So, what I'd like to do is just simple, I guess; everything that comes from eth1 and goes to eth1 (LAN users to Linux box services) must be shaped by IP address + port (dport, I guess INPUT/OUTPUT chain?)
and everything that comes from ETH1 and goes to ETH0 (Internet access, I guess PREROUTING/POSTROUTING/FORWARD chain) MUST BE SHAPED BY PORT + IP ADDRESS

I have this situation on the Linux server:

eth0: (Out to internet)
eth1: (LAN)

configuration: eth0 (network: 200.123.166.72, broadcast: 200.123.166.79; IP range: 200.123.166.73-77)
eth0 ip: 200.123.166.73
eth0: gw: 200.123.166.78
eth0: netmask: 255.255.255.248
eth0 dns1: 200.123.166.73
eth0 dns2: 200.123.166.74

configuration: eth1 (network: 172.16.0.0, broadcast: 172.16.0.255; IP range: 172.16.0.1-254)
eth1 ip: 172.16.0.1
eth1: gw: (none)
eth1: netmask: 255.255.0.0
eth1: dns1: 200.123.166.73
eth1: dns2: 200.123.166.74

LINUX BOX SERVING THESE SERVICES: HTTP (PORT 80) SMTP (PORT 25) POP3 (PORT 110) SSH (PORT 22) FTP (PORT 20-21) SMB FS (PORT 136-139) IRC (PORT 6667)

CONFIGURATION OF TC:

tc=/sbin/tc
iptables=/sbin/iptables

echo "Building tc Classes"
IFACE="eth0 eth1"

for i in $IFACE;do
$tc qdisc add dev $i root handle 1: htb default 10

$tc class add dev $i parent 1: classid 1:1 htb rate 2048mbit 

$tc class add dev $i parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:20 htb rate 10kbit ceil 256kbit quantum 1514  
$tc class add dev $i parent 1:1 classid 1:30 htb rate 10kbit ceil 512kbit quantum 1514  
$tc class add dev $i parent 1:1 classid 1:40 htb rate 10kbit ceil 1024kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:50 htb rate 10kbit ceil 2048kbit quantum 1514

$tc class add dev $i parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit quantum 1514 # USED FOR HTTP/IRC
$tc class add dev $i parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit quantum 1514 # USED FOR EMAIL (SMTP/POP3)


$tc qdisc add dev $i parent 1:10 handle 10: sfq perturb 10
$tc qdisc add dev $i parent 1:20 handle 20: sfq perturb 10
$tc qdisc add dev $i parent 1:30 handle 30: sfq perturb 10
$tc qdisc add dev $i parent 1:40 handle 40: sfq perturb 10
$tc qdisc add dev $i parent 1:50 handle 50: sfq perturb 10

$tc qdisc add dev $i parent 1:60 handle 60: sfq perturb 10
$tc qdisc add dev $i parent 1:70 handle 70: sfq perturb 10

$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 10 fw flowid 1:10
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 20 fw flowid 1:20
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 30 fw flowid 1:30
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 40 fw flowid 1:40
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 50 fw flowid 1:50
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70
done


PORTS="80 6667 20 21"
#ANY IP MUST BE SHAPPED BY THESE PORTS TO THE 1:60 LEAF
for i in $PORTS;do
    $iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
    $iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60

    $iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
    $iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60

    $iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
    $iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60

    $iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
    $iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
done

SOOOOOOOOOOOOOOOOOO WHAT AM I DOING WRONG, BECAUSE ALL TRAFFIC COMING OR GOING JUST FALLS ON 1:10 (DEFAULT LEAF)

This is an extract from the script, so it shows you the LOCAL PROCESSING of information, not PREROUTING.

PLEASE HELPPPPPPPPP ME I DON'T KNOW WHAT TO DO AND MY SYSTEM IS GOING DOWN FASTER.-

MY CONFIGURATION IS:
ip utility, iproute2-ss050330
tc utility, iproute2-ss050330
iptables v1.3.3
kernel: 2.6.13
patch applied for kernel and iproute and iptables (esfq + wrr)
heeeeeeeeeeeeeeeelp


thank you so much 
Guillermo from Argentina




_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
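As an added example (not code from the post or from the LARTC list), here is a small Python linter that models the one relationship the script above depends on: a mark set by iptables only matters to a `fw` filter if the packet later passes through the egress qdisc the filter hangs off. Packets marked in the mangle INPUT chain never do, because they are delivered to the local stack; marks set in OUTPUT, FORWARD, POSTROUTING (and PREROUTING, for forwarded traffic) survive to the outgoing device's root qdisc. The linter also checks that each egress-visible mark has a `handle N fw` filter on the device, that an OUTPUT rule is not using `--dport` to catch replies from a locally served port (replies carry that port as `--sport`), and that rule prefixes agree with the interface netmasks quoted in the post (255.255.255.248 is a /29, while the script uses /30). The sample rules, port list and netmasks are constructed from the post's script with `$i` expanded to port 80; the set of checks is my own, not anything iptables or tc provides.

```python
"""Lint a fwmark-based tc setup: can each iptables MARK rule actually steer
packets into the class its 'fw' filter selects?  Runs offline on rule text."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# mangle chains whose mark is still on the packet when it reaches the egress
# qdisc of the outgoing interface.  INPUT is absent on purpose: a packet marked
# there is delivered locally and never traverses a root qdisc, so a 'fw'
# filter attached to 'root handle 1: htb' never sees that mark.
EGRESS_VISIBLE_CHAINS = {"PREROUTING", "FORWARD", "OUTPUT", "POSTROUTING"}


@dataclass(frozen=True)
class MarkRule:
    chain: str
    in_iface: Optional[str]
    out_iface: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[str]
    mark: int


@dataclass(frozen=True)
class FwFilter:
    dev: str
    handle: int
    flowid: str


def parse_iptables(line):
    """Return a MarkRule for 'iptables ... -j MARK --set-mark N', else None."""
    toks = shlex.split(line)
    opts = {}
    for i, tok in enumerate(toks[:-1]):
        if tok in ("-A", "-i", "-o", "-s", "-d", "--dport", "-j", "--set-mark"):
            opts[tok] = toks[i + 1]
    if opts.get("-j") != "MARK" or "--set-mark" not in opts:
        return None
    return MarkRule(opts["-A"], opts.get("-i"), opts.get("-o"), opts.get("-s"),
                    opts.get("-d"), opts.get("--dport"),
                    int(opts["--set-mark"].split("/")[0], 0))  # 'N' or 'N/mask'


def parse_tc_filter(line):
    """Return a FwFilter for 'tc filter add dev X ... handle N fw flowid C', else None."""
    toks = shlex.split(line)
    if toks[:2] != ["tc", "filter"] or "fw" not in toks:
        return None
    handle = toks[toks.index("handle") + 1].split("/")[0]  # 'N' or 'N/mask'
    return FwFilter(toks[toks.index("dev") + 1], int(handle, 0),
                    toks[toks.index("flowid") + 1])


def audit(rules, filters, netmasks, local_ports):
    """Explain, per rule, why traffic would still end up in the default class."""
    findings = []

    def note(msg):
        if msg not in findings:  # tcp/udp twins produce identical advice
            findings.append(msg)

    handles = {(f.dev, f.handle) for f in filters}
    devs = sorted({f.dev for f in filters})
    for r in rules:
        if r.chain not in EGRESS_VISIBLE_CHAINS:
            note(f"{r.chain} -i {r.in_iface}: mark {r.mark} is set on a locally "
                 f"delivered packet; no egress qdisc ever sees it")
            continue
        for dev in ([r.out_iface] if r.out_iface else devs):
            if (dev, r.mark) not in handles:
                note(f"{r.chain}: mark {r.mark} on {dev} has no matching 'fw' filter")
        if r.chain == "OUTPUT" and r.dport in local_ports:
            note(f"OUTPUT: --dport {r.dport} only matches connections the box "
                 f"opens; replies from the local service carry it as --sport")
        mask = netmasks.get(r.in_iface or r.out_iface)
        for cidr in (r.src, r.dst):
            if cidr and "/" in cidr and mask:
                want = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
                got = ipaddress.ip_network(cidr, strict=False).prefixlen
                if got != want:
                    note(f"{r.chain}: {cidr} uses /{got} but the interface "
                         f"netmask {mask} is /{want}")
    marks_set = {r.mark for r in rules if r.chain in EGRESS_VISIBLE_CHAINS}
    for f in filters:
        if f.handle not in marks_set:
            note(f"{f.dev}: filter handle {f.handle} -> {f.flowid} is never set "
                 f"by an egress-visible MARK rule")
    return findings


# Constructed sample: the post's script with $i expanded to port 80 and only
# the eth0/eth1 'fw' filters for marks 60 and 70 kept.
SAMPLE_FILTERS = [
    "tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60",
    "tc filter add dev eth1 parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60",
    "tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70",
    "tc filter add dev eth1 parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70",
]
SAMPLE_RULES = [
    "iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport 80 -j MARK --set-mark 60",
    "iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p tcp --dport 80 -j MARK --set-mark 60",
    "iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p tcp --dport 80 -j MARK --set-mark 60",
    "iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p tcp --dport 80 -j MARK --set-mark 60",
]
SAMPLE_NETMASKS = {"eth0": "255.255.255.248", "eth1": "255.255.0.0"}  # from the post
SAMPLE_LOCAL_PORTS = {"80", "25", "110", "22", "20", "21", "6667"}    # services listed in the post


def audit_sample():
    rules = [r for r in map(parse_iptables, SAMPLE_RULES) if r]
    filters = [f for f in map(parse_tc_filter, SAMPLE_FILTERS) if f]
    return audit(rules, filters, SAMPLE_NETMASKS, SAMPLE_LOCAL_PORTS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

It understands the `iptables ... -j MARK` command form (the `-A` lines of `iptables-save -t mangle` carry the same tokens and parse too) and the `tc filter add` command form, not the output of `tc filter show`. On the sample it reports both INPUT rules as dead for shaping purposes, the `--dport` problem in OUTPUT, the /30 versus /29 mismatch on eth0, and the two mark-70 filters that nothing sets; the next thing to look at on a live box is `tc -s class show dev eth1`, where per-class packet counters confirm which class traffic is really landing in.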

Thread overview: 5+ messages
2005-10-01 14:05 Guillermo Javier Nardoni [this message]
2005-10-01 14:05 ` I gave up.-...-.-.-.- :'( Guillermo Javier Nardoni
2005-10-02  6:50 ` [LARTC] " Stef Coene
2005-10-02 11:36 ` Andy Furniss
2005-10-02 11:36   ` Andy Furniss