From: Enrico Demarin <enricod@videotron.ca>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Fwmark and REDIRECT rules
Date: Mon, 22 Mar 2004 17:38:04 +0000
Message-ID: <1079977084.4233.17.camel@localhost.localdomain>
In-Reply-To: <1079966148.4228.11.camel@localhost.localdomain>

Ok. I am marking because I will also add rules for a second ethernet
interface, eth2, which serves a 10.2.0.0/24 segment, and I want to split
the internet feed (10 megabits) into 2 5-megabit links: I need marking
to mark all the traffic coming to eth1 to its 5 megabit classes and
the traffic coming from eth2 to the other tree (I would define 2 root
classes of 5 megabits, with separate leafs).

- Enrico

On Mon, 2004-03-22 at 12:18, Roy wrote:
> First, you should mark packets in the postrouting chain for what you need;
> the forward chain doesn't touch local traffic, which is your proxy.
> 
> Next, since you redirect packets to port 3128, you should match on this port,
> not on 80.
> But then you will mark all packets from port 3128, no matter whether they are
> redirected or not
> (all proxy traffic will be marked).
> 
> Also, you can simply match with tc on port 80, since tc is after NAT and it
> will see the same port the user will see.
> For such a simple setup no marking is necessary.
> 
> ----- Original Message ----- 
> From: "Enrico Demarin" <enricod@videotron.ca>
> To: <lartc@mailman.ds9a.nl>
> Sent: Monday, March 22, 2004 4:35 PM
> Subject: [LARTC] Fwmark and REDIRECT rules
> 
> 
> > Hi,
> >
> > this is the situation: I am using a Linux gateway to shape the outbound
> > traffic coming from a LAN, configured (for example) as follows
> > (using htb):
> >
> >
> > ETH0 ( public interface )
> >
> >
> > 1 ROOT class rate 10240 kbit, ceil 10240
> >
> > 2 LEAF class rate 8192, ceil 8192
> >
> > 3 LEAF class rate 2048 , ceil 2048
> >
> > ETH1 ( LAN )
> >
> > Then I define the following rules:
> >
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x10 fw flowid 1:2
> >
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x20 fw flowid 1:3
> >
> > And set the iptables rules to assign the fwmarks:
> >
> > /sbin/iptables -t mangle -F mygroup
> > /sbin/iptables -t mangle -X mygroup
> > /sbin/iptables -t mangle -N mygroup
> >
> > /sbin/iptables -t mangle -A FORWARD -i eth1 -o eth0 -j mygroup
> >
> > /sbin/iptables -t mangle -A mygroup   -p tcp -m tcp --dport 80  -j MARK --set-mark 0x20
> > /sbin/iptables -t mangle -A mygroup   -p tcp -m tcp --dport 80  -j RETURN
> >
> > /sbin/iptables -t mangle -A mygroup   -j MARK --set-mark 0x10
> > /sbin/iptables -t mangle -A mygroup   -j RETURN
> >
> > In theory, this should assign all packets with dest port 80 forwarded
> > from eth1 to eth0 to the 0x20 class, and the rest to the 0x10 class.
> >
> > And it works, until I do something like this:
> >
> > iptables -t nat -A PREROUTING -p tcp --source 10.1.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
> >
> > to set up transparent proxy redirection to the local squid (10.1.0.0/24
> > is the subnet of eth1).
> >
> > The redirection works but no packets end up in the 0x20 class.
> >
> > Any way to shape even transparent-proxied traffic?
> >
> > thanks,
> > Enrico
> >
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
> 
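
The two approaches suggested in the quoted reply, written out for the eth0 egress side as an added example that is not part of either poster's message. The interface, marks, chain name and class ids are taken from the thread; `DRY_RUN`, `run`, the function names and the u32 `prio` values are assumptions, and by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. eth0, the marks 0x10/0x20, the chain
# name and the class ids come from the quoted messages; DRY_RUN, run() and
# the function names are assumptions of this sketch.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Option 1: keep the fw filters, but mark in mangle POSTROUTING.
# Squid's requests are locally generated (OUTPUT -> POSTROUTING) and never
# traverse FORWARD, so the original "-A FORWARD -i eth1 -o eth0" jump
# cannot see them. POSTROUTING accepts -o but not -i.
mark_rules() {
    ipt="/sbin/iptables -t mangle"
    run $ipt -N mygroup
    run $ipt -A POSTROUTING -o eth0 -j mygroup
    run $ipt -A mygroup -p tcp -m tcp --dport 80 -j MARK --set-mark 0x20
    run $ipt -A mygroup -p tcp -m tcp --dport 80 -j RETURN
    run $ipt -A mygroup -j MARK --set-mark 0x10
    run $ipt -A mygroup -j RETURN
}

# Option 2: no marks at all; classify on the destination port in tc,
# which runs after NAT. prio 1 and prio 2 are assumed values; the
# catch-all filter sends everything else to 1:2.
u32_rules() {
    f="tc filter add dev eth0 parent 1:0 protocol ip"
    run $f prio 1 u32 match ip dport 80 0xffff flowid 1:3
    run $f prio 2 u32 match ip dst 0.0.0.0/0 flowid 1:2
}

# Per-rule and per-class counters show whether traffic reaches 1:3.
show_counters() {
    run /sbin/iptables -t mangle -L mygroup -v -n
    run tc -s class show dev eth0
}

mark_rules
```

Because the proxy's requests have no input interface, a POSTROUTING rule on eth0 cannot tell which LAN segment a proxied request came from.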
