* [LARTC] outbound shaping
From: nix4me @ 2004-11-24  3:23 UTC (permalink / raw)
  To: lartc

Well it appears I have no clue what I'm doing.  I thought I had the below 
script working to shape outbound ftp traffic....however, it is shaping 
inbound traffic too.  I have NO clue why.
 
Please comment if anyone has any ideas why this doesn't work.  I want to 
shape only outbound ftp traffic and not inbound or lan traffic.


#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed

# remove any previous copy of the chain so the script can be re-run
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null

iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# mark the outbound active (65436) and passive (50000-51000) ftp data packets
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

# clear it (fails harmlessly if there is no root qdisc yet)
tc qdisc del dev eth0 root 2> /dev/null

# add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 26

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# add leaf classes (tc "kbps" is kilobytes per second, so 40kbps = 40 KB/s)
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 40kbps
tc class add dev eth0 parent 1:1 classid 1:26 htb rate 100mbit

# filter traffic into classes by firewall mark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] outbound shaping
From: Stef Coene @ 2004-11-25 20:11 UTC (permalink / raw)
  To: lartc

On Wednesday 24 November 2004 04:23, nix4me wrote:
> Well it appears i have no clue what im doing.  I thought i had the below
> script working to shape outbound ftp traffic....however, it is shaping
> inbound traffic too.  I have NO clue why.
Me neither.  What's your setup?  Where is eth0 connected to ?

Stef

-- 
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/

* Re: [LARTC] outbound shaping
From: nix4me @ 2004-11-25 22:05 UTC (permalink / raw)
  To: lartc

Stef Coene wrote:

>On Wednesday 24 November 2004 04:23, nix4me wrote:
>>Well it appears i have no clue what im doing.  I thought i had the below
>>script working to shape outbound ftp traffic....however, it is shaping
>>inbound traffic too.  I have NO clue why.
>Me neither.  What's your setup?  Where is eth0 connected to ?
>
>Stef
The machine is a local machine behind a router.
Mark

* Re: [LARTC] outbound shaping
From: gypsy @ 2004-11-26  6:00 UTC (permalink / raw)
  To: lartc

nix4me wrote:
> 
> Stef Coene wrote:
> 
>>On Wednesday 24 November 2004 04:23, nix4me wrote:
>>
>>>Well it appears i have no clue what im doing.  I thought i had the below
>>>script working to shape outbound ftp traffic....however, it is shaping
>>>inbound traffic too.  I have NO clue why.
>>>
>>Me neither.  What's your setup?  Where is eth0 connected to ?
>>
>>Stef
>>
> The machine is a local machine behind a router.
> Mark

Mark,

<SCOLD>
Learn how to answer the question, damnit!  I have been watching you
repeatedly post this with NO information and ignoring you because of
that.

Explain in words and with a diagram what your setup is and why you are
specifying those "fifty thousand series" port numbers (my FTP server
returns data on any high port the receiver can get data on).

We are not psychic.
</SCOLD>

gypsy

* [LARTC] outbound shaping
From: nix4me @ 2004-11-26 13:25 UTC (permalink / raw)
  To: lartc

24.xxx.xxx.xxx
       |router|
192.168.1.1
       |switch|
192.168.1.100 & 192.168.1.101

I am running proftpd on (192.168.1.101) with the port set to 65437 and 
with passive ports set to 50000-51000.  Proftpd allows you to specify a 
range of ports to use on passive transfers.  I need to be able to limit 
my outbound ftp traffic to 40 Kbytes per second.
The only way I can see to do this is limit by marking packets with 
iptables.  I am marking traffic on 65436 which is the active ftp data 
port (65437-1) and 50000-60000.  Outbound shaping is working 
fine....however....inbound ftp traffic is also being shaped to 40K.  I 
have no idea why.

Seems to me the below rules should mark outbound packets and shape only 
outbound packets.  I don't understand why inbound packets are getting shaped.
 
Here is the script:
#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed

# remove any previous copy of the chain so the script can be re-run
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null

iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# mark the outbound active (65436) and passive (50000-51000) ftp data packets
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

# clear it (fails harmlessly if there is no root qdisc yet)
tc qdisc del dev eth0 root 2> /dev/null

# add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 26

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# add leaf classes (tc "kbps" is kilobytes per second, so 40kbps = 40 KB/s)
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 40kbps
tc class add dev eth0 parent 1:1 classid 1:26 htb rate 100mbit

# filter traffic into classes by firewall mark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26


* Re: [LARTC] outbound shaping
From: nix4me @ 2004-11-26 13:25 UTC (permalink / raw)
  To: lartc

gypsy wrote:

>nix4me wrote:
>>Stef Coene wrote:
>>>On Wednesday 24 November 2004 04:23, nix4me wrote:
>>>>Well it appears i have no clue what im doing.  I thought i had the below
>>>>script working to shape outbound ftp traffic....however, it is shaping
>>>>inbound traffic too.  I have NO clue why.
>>>Me neither.  What's your setup?  Where is eth0 connected to ?
>>>
>>>Stef
>>The machine is a local machine behind a router.
>>Mark
>
>Mark,
>
><SCOLD>
>Learn how to answer the question, damnit!  I have been watching you
>repeatedly post this with NO information and ignoring you because of
>that.
>
>Explain in words and with a diagram what your setup is and why you are
>specifying those "fifty thousand series" port numbers (my FTP server
>returns data on any high port the receiver can get data on).
>
>We are not psychic.
></SCOLD>
>
>gypsy
I apologize for not providing enough information.  My next post will 
explain exactly what I am trying to do.
 
Mark

* Re: [LARTC] outbound shaping
From: gypsy @ 2004-11-26 21:14 UTC (permalink / raw)
  To: lartc

nix4me wrote:
> 24.xxx.xxx.xxx
>        |router|
> 192.168.1.1
>        |switch|
> 192.168.1.100 & 192.168.1.101

So can we assume that 192.168.1.1 has 2 NICs, eth0 facing 24.x.x.x/32
and eth1 facing 192.168.1.0/24?
 
> I am running proftpd on (192.168.1.101) with the port set to 65437 and
> with passive ports set to 50000-51000.  Proftpd allows you to specify a
> range of ports to use on passive transfers.  I need to be able to limit
> my outbound ftp traffic to 40 Kbytes per second.
> The only way I can see to do this is limit by marking packets with
> iptables.  I am marking traffic on 65436 which is the active ftp data
> port (65437-1) and 50000-60000.  Outbound shaping is working
> fine....however....inbound ftp traffic is also being shaped to 40K.  I
> have no idea why.
> 
> Seems to me the below rules should mark outbound packets and shape only
> outbound packets.  I dont understand why inbound packets are getting shaped.
> 
> Here is the script:
> #!/bin/bash
> #shaping passive and active outbound ftp traffic on an internal computer
> without affecting inbound and lan speed
> 
> # mark the outbound passive ftp packets on ports 50000-51000
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
> 
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK
> --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK
> --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

1) Are you sure these rules are correctly marking and that the marks
exist at the time the tc filter sees the packet?  My hunch is NOT. 
ASIDE: We _really_ need a way for filters to report hit counts!

2) Since 1:26 is htb default, why is it necessary to '--set-mark 26'?

gypsy

* Re: [LARTC] outbound shaping
From: nix4me @ 2004-11-26 22:32 UTC (permalink / raw)
  To: lartc

gypsy wrote:

>nix4me wrote:
>>24.xxx.xxx.xxx
>>       |router|
>>192.168.1.1
>>       |switch|
>>192.168.1.100 & 192.168.1.101
>
>So can we assume that 192.168.1.1 has 2 NICs, eth0 facing 24.x.x.x/32
>and eth1 facing 192.168.1.0/24?
Yes.  Although I am not running the script on this box.  It's a plain 
Ipcop linux firewall.

>>I am running proftpd on (192.168.1.101) with the port set to 65437 and
>>with passive ports set to 50000-51000.  Proftpd allows you to specify a
>>range of ports to use on passive transfers.  I need to be able to limit
>>my outbound ftp traffic to 40 Kbytes per second.
>>The only way I can see to do this is limit by marking packets with
>>iptables.  I am marking traffic on 65436 which is the active ftp data
>>port (65437-1) and 50000-60000.  Outbound shaping is working
>>fine....however....inbound ftp traffic is also being shaped to 40K.  I
>>have no idea why.
>>
>>Seems to me the below rules should mark outbound packets and shape only
>>outbound packets.  I dont understand why inbound packets are getting shaped.
>>
>>Here is the script:
>>#!/bin/bash
>>#shaping passive and active outbound ftp traffic on an internal computer
>>without affecting inbound and lan speed
>>
>># mark the outbound passive ftp packets on ports 50000-51000
>>iptables -t mangle -N MYSHAPER-OUT
>>iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
>>
>>iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK
>>--set-mark 20
>>iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK
>>--set-mark 20
>>iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>
>1) Are you sure these rules are correctly marking and that the marks
>exist at the time the tc filter sees the packet?  My hunch is NOT. 
>ASIDE: We _really_ need a way for filters to report hit counts!
No, I am not sure.  I have used the command 'watch -n1 tc -s class ls 
dev eth0' to see the packets flying but I don't really know how to make 
sure they are being marked correctly.  I must assume that ALL packets on 
ports 65436 and 50000-510000 are being marked because they are being 
shaped.  Just not sure why incoming packets are being marked and 
shaped.  Outbound shaping is working just fine.

>2) Since 1:26 is htb default, why is it necessary to '--set-mark 26'?
I thought it was necessary.

>gypsy


* Re: [LARTC] outbound shaping
From: Andy Furniss @ 2004-11-27  0:46 UTC (permalink / raw)
  To: lartc


>>> I am running proftpd on (192.168.1.101) with the port set to 65437 and
>>> with passive ports set to 50000-51000.  Proftpd allows you to specify a
>>> range of ports to use on passive transfers.  I need to be able to limit
>>> my outbound ftp traffic to 40 Kbytes per second.

Could you post the bits of the proftpd config that do this - I have (but 
rarely use) proftpd and could test.

>>> The only way I can see to do this is limit by marking packets with
>>> iptables.  I am marking traffic on 65436 which is the active ftp data
>>> port (65437-1) and 50000-60000.  Outbound shaping is working
>>> fine....however....inbound ftp traffic is also being shaped to 40K.  I
>>> have no idea why.

Is this when there is ftp traffic both ways or just inbound?

>>>
>>> Seems to me the below rules should mark outbound packets and shape only
>>> outbound packets.  I dont understand why inbound packets are getting 
>>> shaped.
>>>
>>> Here is the script:
>>> #!/bin/bash
>>> #shaping passive and active outbound ftp traffic on an internal computer
>>> without affecting inbound and lan speed
>>>
>>> # mark the outbound passive ftp packets on ports 50000-51000
>>> iptables -t mangle -N MYSHAPER-OUT
>>> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
>>>
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK
>>> --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK
>>> --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK 
>>> --set-mark 26
>>>   
>>
>>
>> 1) Are you sure these rules are correctly marking and that the marks
>> exist at the time the tc filter sees the packet?  My hunch is NOT. 
>> ASIDE: We _really_ need a way for filters to report hit counts!
>>
>>  
>>
> No, I am not sure.  I have used the command 'watch -n1 tc -s class ls 
> dev eth0' to see the packets flying but i dont really know how to make 
> sure they are being marked correctly.  I must assume that ALL packets on 
> ports 65436 and 50000-510000 are being marked because they are being 
> shaped.  Just not sure why incoming packets are being markek and 
> shaped.  Outbound shaping is working just fine.

You can see counters for iptables rules with iptables -t mangle -L -v -n

Andy.

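Andy's `iptables -t mangle -L -v -n` is the direct answer to gypsy's "are the marks really being set" question, since it shows per-rule packet and byte counters. As an added example (not Andy's or the thread's code), the Python below parses that listing and turns it into the checks a practitioner wants: which rules never fired, how many packets each mark value was applied to, and the average packet size per rule (a data-port rule whose average is close to header size is catching ACKs rather than payload). The sample listing is constructed, not captured from the poster's machine; it uses the chain name and marks from the script in this thread, and the column layout assumed is the standard `iptables -L -v -n` format with K/M/G counter suffixes.

```python
import re

# Constructed sample of `iptables -t mangle -L MYSHAPER-OUT -v -n` output. It is NOT
# captured from the poster's machine; the chain name and mark values (0x14 = 20,
# 0x1a = 26) follow the script posted in this thread. The active-mode rule is shown
# with zero hits, which is the kind of surprise the counters are meant to expose.
SAMPLE_OUTPUT = """\
Chain MYSHAPER-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:65436 MARK set 0x14
 4031 5902K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:50000:51000 MARK set 0x14
 2210  318K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0 MARK set 0x1a
"""

# `iptables -v` abbreviates counters with K/M/G (decimal multipliers); `-x` prints them raw.
_MULT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# pkts bytes target prot opt in out source destination <match text...>
_RULE_RE = re.compile(
    r"^\s*(\d+)([KMG]?)\s+(\d+)([KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_chain_counters(text):
    """Return one dict per rule line: packet/byte counters, target, protocol, the
    match text printed after the destination column, and the mark the rule sets
    (None for rules that are not MARK targets)."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:  # the "Chain ..." banner and the column header do not start with a number
            continue
        extra = m.group(12).strip()
        mark = re.search(r"MARK set (0x[0-9a-fA-F]+)", extra)
        rules.append({
            "pkts": int(m.group(1)) * _MULT[m.group(2)],
            "bytes": int(m.group(3)) * _MULT[m.group(4)],
            "target": m.group(5),
            "proto": m.group(6),
            "match": extra,
            "set_mark": int(mark.group(1), 16) if mark else None,
        })
    return rules


def packets_per_mark(rules):
    """Total (packets, bytes) that each mark value was applied to."""
    totals = {}
    for r in rules:
        if r["set_mark"] is None:
            continue
        p, b = totals.get(r["set_mark"], (0, 0))
        totals[r["set_mark"]] = (p + r["pkts"], b + r["bytes"])
    return totals


def unhit_rules(rules):
    """Match text of rules that have never fired: either the traffic is not what
    you think it is, or the rule sits in the wrong chain or hook."""
    return [r["match"] for r in rules if r["pkts"] == 0]


def mean_packet_size(rules):
    """Average bytes per packet for each rule; near-header-size averages on a
    data-port rule mean it is mostly matching ACKs."""
    return {r["match"]: (r["bytes"] // r["pkts"] if r["pkts"] else 0) for r in rules}


if __name__ == "__main__":
    parsed = parse_chain_counters(SAMPLE_OUTPUT)
    for r in parsed:
        print(f"{r['pkts']:>8} pkts {r['bytes']:>10} bytes  mark={r['set_mark']}  {r['match']}")
    print("per mark:", packets_per_mark(parsed))
    print("never matched:", unhit_rules(parsed))
    print("mean size:", mean_packet_size(parsed))
```

Run it against real output with `iptables -t mangle -L MYSHAPER-OUT -v -n | python3 this_script.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; zero the counters first with `iptables -t mangle -Z MYSHAPER-OUT`, start one transfer, and the per-rule numbers tell you which direction of traffic each rule is actually catching.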

* Re: [LARTC] outbound shaping
From: nix4me @ 2004-11-27  0:54 UTC (permalink / raw)
  To: lartc

Andy Furniss wrote:

>
>>>> I am running proftpd on (192.168.1.101) with the port set to 65437 and
>>>> with passive ports set to 50000-51000.  Proftpd allows you to 
>>>> specify a
>>>> range of ports to use on passive transfers.  I need to be able to 
>>>> limit
>>>> my outbound ftp traffic to 40 Kbytes per second.
>>>
>
> Could you post the bits of the proftpd config that do this - I have 
> (but rarely use) proftpd and could test.
>
PassivePorts        50000 51000
# Port 21 is the standard FTP port.
Port                65437

>>>> The only way I can see to do this is limit by marking packets with
>>>> iptables.  I am marking traffic on 65436 which is the active ftp data
>>>> port (65437-1) and 50000-60000.  Outbound shaping is working
>>>> fine....however....inbound ftp traffic is also being shaped to 40K.  I
>>>> have no idea why.
>>>
>
> Is this when there is ftp traffic both ways or just inbound?
>
Both ways.

>>>>
>>>> Seems to me the below rules should mark outbound packets and shape 
>>>> only
>>>> outbound packets.  I dont understand why inbound packets are 
>>>> getting shaped.
>>>>
>>>> Here is the script:
>>>> #!/bin/bash
>>>> #shaping passive and active outbound ftp traffic on an internal 
>>>> computer
>>>> without affecting inbound and lan speed
>>>>
>>>> # mark the outbound passive ftp packets on ports 50000-51000
>>>> iptables -t mangle -N MYSHAPER-OUT
>>>> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
>>>>
>>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK
>>>> --set-mark 20
>>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK
>>>> --set-mark 20
>>>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK 
>>>> --set-mark 26
>>>>   
>>>
>>>
>>>
>>> 1) Are you sure these rules are correctly marking and that the marks
>>> exist at the time the tc filter sees the packet?  My hunch is NOT. 
>>> ASIDE: We _really_ need a way for filters to report hit counts!
>>>
>>>  
>>>
>> No, I am not sure.  I have used the command 'watch -n1 tc -s class ls 
>> dev eth0' to see the packets flying but i dont really know how to 
>> make sure they are being marked correctly.  I must assume that ALL 
>> packets on ports 65436 and 50000-510000 are being marked because they 
>> are being shaped.  Just not sure why incoming packets are being 
>> markek and shaped.  Outbound shaping is working just fine.
>
>
> You can see counters for iptables rules with iptables -t mangle -L -v -n
>
> Andy.
>
Thanks for helping.



* Re: [LARTC] outbound shaping
From: Andy Furniss @ 2004-11-27  1:28 UTC (permalink / raw)
  To: lartc

nix4me wrote:
> Andy Furniss wrote:
> 
>>
>>>>> I am running proftpd on (192.168.1.101) with the port set to 65437 and
>>>>> with passive ports set to 50000-51000.  Proftpd allows you to 
>>>>> specify a
>>>>> range of ports to use on passive transfers.  I need to be able to 
>>>>> limit
>>>>> my outbound ftp traffic to 40 Kbytes per second.
>>>>
>>>>
>>
>> Could you post the bits of the proftpd config that do this - I have 
>> (but rarely use) proftpd and could test.
>>
> PassivePorts        50000 51000
> # Port 21 is the standard FTP port.
> Port                65437
> 
>>>>> The only way I can see to do this is limit by marking packets with
>>>>> iptables.  I am marking traffic on 65436 which is the active ftp data
>>>>> port (65437-1) and 50000-60000.  Outbound shaping is working
>>>>> fine....however....inbound ftp traffic is also being shaped to 40K.  I
>>>>> have no idea why.
>>>>
>>>>
>>
>> Is this when there is ftp traffic both ways or just inbound?
>>
> Both ways.

You need to add another rule to stop the acks for the upload getting put 
in the queue for the outbound.

Just marking on size would be OK for you I think, as a test try adding -

iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 26

Andy.
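Why Andy's one extra rule fixes the upload slowdown, as an added example (not Andy's or the thread's code): a small Python model of the MYSHAPER-OUT chain and of the `fw` filters on eth0. The point it demonstrates is that the server's ACKs for a client upload leave with a source port in the PassivePorts range, so the original chain marks them 20 and queues them behind the 40 KB/s class, which throttles the upload; because MARK is a non-terminating target, a length rule appended with `-A` re-marks those small packets 26 after the port rules have run, while the same rule inserted at the top with `-I` is undone by the port rules. The packets, names and the `dst` field are constructed; the `other_app` and `lan_download` cases go beyond Andy's note and only follow from the fact that the posted rules match on source port alone.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """One outbound IP packet as the OUTPUT chain on eth0 sees it (constructed)."""
    sport: int
    dport: int
    length: int            # total length in bytes; a bare ACK is ~52-64, a data segment ~1500
    dst: str = "24.0.0.1"  # placeholder remote address; only lan_download uses a 192.168.1.x one
    mark: int = 0          # netfilter mark, 0 until a MARK rule sets it


def sport_in(lo, hi):
    return lambda p: lo <= p.sport <= hi


# Each entry mirrors one `iptables -t mangle -A MYSHAPER-OUT ... -j MARK --set-mark N`
# rule, in chain order. MARK is non-terminating: after a hit netfilter keeps walking
# the chain, so the LAST matching rule decides the mark the packet leaves with.
ORIGINAL_CHAIN = [
    (lambda p: p.sport == 65436, 20),  # -p tcp --sport 65436       (active-mode data port, 65437-1)
    (sport_in(50000, 51000), 20),      # -p tcp --sport 50000:51000 (proftpd PassivePorts)
    (lambda p: p.mark == 0, 26),       # -m mark --mark 0           (catch-all; htb default 26 does this anyway)
]

# Andy's addition, appended with -A so it runs after the port rules:
#   iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 26
LENGTH_RULE = (lambda p: p.length <= 64, 26)
FIXED_CHAIN = ORIGINAL_CHAIN + [LENGTH_RULE]

# The same rule inserted at the top with -I instead: the port rules then re-mark the ACKs.
WRONG_ORDER_CHAIN = [LENGTH_RULE] + ORIGINAL_CHAIN


def run_chain(chain, pkt):
    """Walk the mangle chain and return the mark the packet leaves with."""
    p = pkt
    for matches, new_mark in chain:
        if matches(p):
            p = replace(p, mark=new_mark)
    return p.mark


# tc side of the script: `tc filter ... handle N fw flowid 1:N` for 20 and 26, `htb default 26`.
FW_FILTERS = {20: "1:20", 26: "1:26"}
HTB_DEFAULT = "1:26"
CLASS_RATE = {"1:20": "40kbps (tc kbps = kilobytes/s)", "1:26": "100mbit"}


def classify(chain, pkt):
    """Which HTB leaf class the packet is queued in."""
    return FW_FILTERS.get(run_chain(chain, pkt), HTB_DEFAULT)


def report(chain, packets):
    return {name: classify(chain, p) for name, p in packets.items()}


# Constructed traffic leaving the FTP server (192.168.1.101) on eth0. No rule looks at
# dst, so LAN-bound data is shaped exactly like internet-bound data.
TRAFFIC = {
    "download_data": Packet(sport=50010, dport=43211, length=1500),  # client downloading: shape this
    "upload_ack":    Packet(sport=50010, dport=43212, length=52),    # server ACKing a client upload
    "active_data":   Packet(sport=65436, dport=40000, length=1500),  # active-mode data connection
    "control":       Packet(sport=65437, dport=40001, length=80),    # FTP control-channel replies
    "other_app":     Packet(sport=50500, dport=8080, length=1400),   # non-FTP program that bound 50500
    "lan_download":  Packet(sport=50011, dport=43213, length=1500, dst="192.168.1.100"),
}

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_CHAIN), ("fixed (-A)", FIXED_CHAIN),
                         ("wrong order (-I)", WRONG_ORDER_CHAIN)):
        print(label)
        for name, cls in report(chain, TRAFFIC).items():
            print(f"  {name:14} -> {cls}  ({CLASS_RATE[cls]})")
```

The `other_app` and `lan_download` rows are the remaining exposure: anything the server sends from a port in 50000-51000, to anyone, lands in the 40 KB/s class. Excluding LAN destinations with `! -d 192.168.1.0/24` on the two port rules, or marking by connection rather than by port (conntrack with the FTP helper, or `-m owner` for the proftpd user), would narrow that; neither is in the thread, so they are suggestions rather than tested configuration.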

* Re: [LARTC] outbound shaping
From: gypsy @ 2004-11-27  4:28 UTC (permalink / raw)
  To: lartc

Andy Furniss wrote:
> 
> >>> I am running proftpd on (192.168.1.101) with the port set to 65437 and
> >>> with passive ports set to 50000-51000.  Proftpd allows you to specify a
> >>> range of ports to use on passive transfers.  I need to be able to limit
> >>> my outbound ftp traffic to 40 Kbytes per second.
> 
> Could you post the bits of the proftpd config that do this - I have (but
> rarely use) proftpd and could test.
> 
> >>> The only way I can see to do this is limit by marking packets with
> >>> iptables.  I am marking traffic on 65436 which is the active ftp data
> >>> port (65437-1) and 50000-60000.  Outbound shaping is working
> >>> fine....however....inbound ftp traffic is also being shaped to 40K.  I
> >>> have no idea why.
> 
> Is this when there is ftp traffic both ways or just inbound?
> 
> >>>
> >>> Seems to me the below rules should mark outbound packets and shape only
> >>> outbound packets.  I dont understand why inbound packets are getting
> >>> shaped.
> >>>
> >>> Here is the script:
> >>> #!/bin/bash
> >>> #shaping passive and active outbound ftp traffic on an internal computer
> >>> without affecting inbound and lan speed
> >>>
> >>> # mark the outbound passive ftp packets on ports 50000-51000
> >>> iptables -t mangle -N MYSHAPER-OUT
> >>> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
> >>>
> >>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK
> >>> --set-mark 20
> >>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK
> >>> --set-mark 20
> >>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK
> >>> --set-mark 26
> >>>
> >>
> >>
> >> 1) Are you sure these rules are correctly marking and that the marks
> >> exist at the time the tc filter sees the packet?  My hunch is NOT.
> >> ASIDE: We _really_ need a way for filters to report hit counts!
> >>
> >>
> >>
> > No, I am not sure.  I have used the command 'watch -n1 tc -s class ls
> > dev eth0' to see the packets flying but i dont really know how to make
> > sure they are being marked correctly.  I must assume that ALL packets on
> > ports 65436 and 50000-510000 are being marked because they are being
> > shaped.  Just not sure why incoming packets are being markek and
> > shaped.  Outbound shaping is working just fine.
> 
> You can see counters for iptables rules with iptables -t mangle -L -v -n
> 
> Andy.

I have been thinking about this without getting much of anywhere, but
here's what I think.

Let me start by paraphrasing your setup:
You have a cable modem that is connecting to a NATting box that runs
only IPCOP.  This IPCOP box forwards everything to the LAN.  On the LAN
side of IPCOP all the packets you wish to shape have an IP  ending
1.101.  The computer with IP 1.100 can be ignored for shaping purposes.

If you MARK in iptables on IPCOP, I think the mark is internal only so
that 101 will never see the mark.  You may not even be able to MARK on
the IPCOP box (I know nothing of IPCOP).  If you are able to on the
IPCOP machine, consider setting the TOS field in the mangle table for
externally initiated FTP such that either all bits are on or all are off
(or some other unique value); then on 101 examine TOS and MARK
appropriately on the 101 machine or, preferably, just u32 match the TOS
there.  

If mangling TOS on IPCOP is possible and fruitful, be sure to do your
homework regarding mangle and PREROUTING (or whatever chain does what
you need).

The IPCOP computer will "know" by the interface and --dport / --sport
which FTP sessions were initiated from the internet versus those
initiated on your LAN, but I can't see how 101 ever could.  IPCOP might
also run one or more of netfilter's conntracks for FTP if that were
needed.

If I come up with anything after sleeping on this, I'll let you know. 
But for now the above is all I can conceive.

gypsy

* Re: [LARTC] outbound shaping
From: nix4me @ 2004-11-27 13:40 UTC (permalink / raw)
  To: lartc

gypsy wrote:

>Andy Furniss wrote:
>>>>>I am running proftpd on (192.168.1.101) with the port set to 65437 and
>>>>>with passive ports set to 50000-51000.  Proftpd allows you to specify a
>>>>>range of ports to use on passive transfers.  I need to be able to limit
>>>>>my outbound ftp traffic to 40 Kbytes per second.
>>Could you post the bits of the proftpd config that do this - I have (but
>>rarely use) proftpd and could test.
>>
>>>>>The only way I can see to do this is limit by marking packets with
>>>>>iptables.  I am marking traffic on 65436 which is the active ftp data
>>>>>port (65437-1) and 50000-60000.  Outbound shaping is working
>>>>>fine....however....inbound ftp traffic is also being shaped to 40K.  I
>>>>>have no idea why.
>>Is this when there is ftp traffic both ways or just inbound?
>>
>>>>>Seems to me the below rules should mark outbound packets and shape only
>>>>>outbound packets.  I dont understand why inbound packets are getting
>>>>>shaped.
>>>>>
>>>>>Here is the script:
>>>>>#!/bin/bash
>>>>>#shaping passive and active outbound ftp traffic on an internal computer
>>>>>without affecting inbound and lan speed
>>>>>
>>>>># mark the outbound passive ftp packets on ports 50000-51000
>>>>>iptables -t mangle -N MYSHAPER-OUT
>>>>>iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
>>>>>
>>>>>iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK
>>>>>--set-mark 20
>>>>>iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK
>>>>>--set-mark 20
>>>>>iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK
>>>>>--set-mark 26
>>>>>
>>>>1) Are you sure these rules are correctly marking and that the marks
>>>>exist at the time the tc filter sees the packet?  My hunch is NOT.
>>>>ASIDE: We _really_ need a way for filters to report hit counts!
>>>No, I am not sure.  I have used the command 'watch -n1 tc -s class ls
>>>dev eth0' to see the packets flying but i dont really know how to make
>>>sure they are being marked correctly.  I must assume that ALL packets on
>>>ports 65436 and 50000-510000 are being marked because they are being
>>>shaped.  Just not sure why incoming packets are being markek and
>>>shaped.  Outbound shaping is working just fine.
>>You can see counters for iptables rules with iptables -t mangle -L -v -n
>>
>>Andy.
>
>I have been thinking about this without getting much of anywhere, but
>here's what I think.
>
>Let me start by paraphasing your setup:
>You have a cable modem that is connecting to a NATting box that runs
>only IPCOP.  This IPCOP box forwards everything to the LAN.  On the LAN
>side of IPCOP all the packets you wish to shape have an IP  ending
>1.101.  The computer with IP 1.100 can be ignored for shaping purposes.
>
>If you MARK in iptables on IPCOP, I think the mark is internal only so
>that 101 will never see the mark.  You may not even be able to MARK on
>the IPCOP box (I know nothing of IPCOP).  If you are able to on the
>IPCOP machine, consider setting the TOS field in the mangle table for
>externally initiated FTP such that either all bits are on or all are off
>(or some other unique value); then on 101 examine TOS and MARK
>appropriately on the 101 machine or, preferably, just u32 match the TOS
>there.  
>
>If mangling TOS on IPCOP is possible and fruitful, be sure to do your
>homework regarding mangle and PREROUTING (or whatever chain does what
>you need).
>
>The IPCOP computer will "know" by the interface and --dport / --sport
>which FTP sessions were initiated from the internet versus those
>initiated on your LAN, but I can't see how 101 ever could.  IPCOP might
>also run one or more of netfilter's conntracks for FTP if that were
>needed.
>
>If I come up with anything after sleeping on this, I'll let you know. 
>But for now the above is all I can conceive.
>
>gyxpy
>
>  
>
You are correct on my setup.
 
I am currently trying the addition that Andy recommended and it appears 
to be working.  I am marking the ACK packets from the uploader and it 
seems to be fine now.  No slow down for uploads and outbound is shaped 
nicely.  I will continue to test to make sure everything is AOK.
Mark
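A way to act on Andy's counter tip, added here as an example and not code from anyone in the thread: parse what `iptables -t mangle -L MYSHAPER-OUT -v -n` prints (the sample output below is constructed to mirror the script at the top of the thread) and report which MARK rules never matched and how many packets received each fwmark, numbers that can then be compared with the per-class counters from `tc -s class show dev eth0`.

```python
import re

# Constructed sample of `iptables -t mangle -L MYSHAPER-OUT -v -n` output, not
# captured from the poster's box.  Without -x, iptables abbreviates counters.
SAMPLE = """\
Chain MYSHAPER-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1532   98K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:65436 MARK set 0x14
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:50000:51000 MARK set 0x14
 8812  4.2M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0 MARK set 0x1a
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_COUNTER = re.compile(r"(\d+(?:\.\d+)?)([KMG]?)")


def _counter(token):
    """Turn an abbreviated iptables counter such as '4.2M' into an int."""
    m = _COUNTER.fullmatch(token)
    return int(round(float(m.group(1)) * _SUFFIX[m.group(2)]))


def parse_counters(text):
    """One dict per rule line: counters, target, match text and the fwmark set."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not _COUNTER.fullmatch(parts[0]):
            continue  # chain banner, column header or blank line
        match = " ".join(parts[9:])
        m = re.search(r"MARK set 0x([0-9a-fA-F]+)", match)
        rules.append({
            "pkts": _counter(parts[0]),
            "bytes": _counter(parts[1]),
            "target": parts[2],
            "match": match,
            "mark": int(m.group(1), 16) if m else None,
        })
    return rules


def rules_never_hit(rules):
    """Rules whose packet counter is still zero: the traffic never reached them."""
    return [r for r in rules if r["pkts"] == 0]


def packets_per_mark(rules):
    """Packets that received each fwmark, to compare with the tc class counters."""
    totals = {}
    for r in rules:
        if r["mark"] is not None:
            totals[r["mark"]] = totals.get(r["mark"], 0) + r["pkts"]
    return totals
```

Run the real command in a loop (as with the `watch` invocation above) and feed its output to `parse_counters` to see the counters move while a transfer is in progress.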

* Re: [LARTC] outbound shaping
From: nix4me @ 2004-11-27 14:01 UTC (permalink / raw)
  To: lartc


>>
>>  
>>
> You are correct on my setup.
>
> I am currently trying the addition that Andy recommended and it 
> appears to be working.  I am marking the ACK packets from the uploader 
> and it seems to be fine now.  No slow down for uploads and outbound is 
> shaped nicely.  I will continue to test to make sure everything is AOK.
> Mark
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
Sorry for the reply to myself.
 
There are some drawbacks to the method I am using, I'm just not sure if 
they will actually affect anything.  With this method, ANY traffic on 
ports 50000-51000 leaving my box will be shaped.  Not sure if there are 
any other programs out there that use these ports.

I have found an excellent utility to do the shaping also.  It's called 
'pyshaper'.  I am testing it also.  It seems to work nicely.  I have it 
set to shape outbound connections based on username.  It runs netstat 
every 15 seconds and picks the transfers on certain usernames and shapes 
them on the fly.  Works very well in my situation.  I will continue to 
test both options to see which is best for me.

Thanks for all the help.
 
Mark

* Re: [LARTC] outbound shaping
From: Jason Boxman @ 2004-11-29  3:32 UTC (permalink / raw)
  To: lartc

On Saturday 27 November 2004 09:01, nix4me wrote:
<snip>
> I have found an excellent utility to do the shaping also.  Its called
> 'pyshaper'.  I am testing it also.  It seems to work nicely.  I have it
> set to shape outbound connections based on username.  It runs netstat
> every 15 seconds and picks the transfers on certain usernames and shapes
> them on the fly.  Works very well in my situation.  I will continue to
> test both options to see which is best for me.

You could also use Netfilter and the owner match module.

-- 

Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff


* RE: [LARTC] outbound shaping
From: Daniel Bartlett @ 2004-12-14 10:04 UTC (permalink / raw)
  To: lartc

Hi,
I have a setup with 2 ISPs and 2 LANs, with a /29 subnet on each ISP and a /24 on the LANs.
The gateway box is set up to equally load balance over the ISPs using an IP address from each.
The other 4 IPs are added as virtual devices on the external interfaces.

The problem arises when external A connects to ISP1_IP2_Port_25, works fine first time, but then if I try from A to connect to ISP2_IP6_Port_25 the routing is all wrong and doesn't connect.

Anyone got any suggestions on how to deal with this issue?

I've been tearing my hair out.

Regards,
Daniel.