[LARTC] simple questions about imq

[LARTC] simple questions about imq

[Tóth Nándor]

Hi!

I have read all informations i could find, but some things are still not 
clear.

My setup is:
  ---INTERNET1(eth0)-\  /- Local net1 (eth2)
                      GW
  ---INTERNET2(eth1)-/  \- Local net2 (eth3)

I have NAT and a working setup using HTB,SFQ, classifying with the 
iptables -j CLASSIFY way. I shape only the traffic coming from the 
internet heading to the intranet.

I would like to have a configuration like this:
  ---INTERNET1(eth0)-\        /- Local net1 (eth2)
                      GW--imq0
  ---INTERNET2(eth1)-/        \- Local net2 (eth3)

I think it can be done this way:
iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

But it would include traffic heading to the gateway directly, wouldn't 
it? Can i put these rules to the POSTROUTING chain?

And i can still have my CLASSIFY targets in the POSTROUTING chain, 
because IMQ queing will happen after it according to 
http://lartc.org/howto/lartc.imq.html.
So for example:
$IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 1:30
$IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class 1:30
$IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN

If i managed to do this, i promise, i will document it to the imq wiki.

Any advice/help is appreciated!

-- 
Udv,
   Nandor
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] simple questions about imq

[Andre Correa]

Cool Toth, please let us know if you make it work. Just take care to 
hook IMQ in the right place if you are doing NAT. You can choose to hook 
it after or before NAT.

Good luck!

Andre


Tóth Nándor wrote:
> Hi!
> 
> I have read all informations i could find, but some things are still not 
> clear.
> 
> My setup is:
>  ---INTERNET1(eth0)-\  /- Local net1 (eth2)
>                      GW
>  ---INTERNET2(eth1)-/  \- Local net2 (eth3)
> 
> I have NAT and a working setup using HTB,SFQ, classifying with the 
> iptables -j CLASSIFY way. I shape only the traffic coming from the 
> internet heading to the intranet.
> 
> I would like to have a configuration like this:
>  ---INTERNET1(eth0)-\        /- Local net1 (eth2)
>                      GW--imq0
>  ---INTERNET2(eth1)-/        \- Local net2 (eth3)
> 
> I think it can be done this way:
> iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
> 
> But it would include traffic heading to the gateway directly, wouldn't 
> it? Can i put these rules to the POSTROUTING chain?
> 
> And i can still have my CLASSIFY targets in the POSTROUTING chain, 
> because IMQ queing will happen after it according to 
> http://lartc.org/howto/lartc.imq.html.
> So for example:
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class 
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
> 
> If i managed to do this, i promise, i will document it to the imq wiki.
> 
> Any advice/help is appreciated!
> 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] simple questions about imq

[Tóth Nándor]

Hi!

Andre Correa wrote:
> 
> Cool Toth, please let us know if you make it work. Just take care to 
> hook IMQ in the right place if you are doing NAT. You can choose to hook 
> it after or before NAT.

Where can i set it?
Can you answer my questions below?

I will document these things, if i managed to do it.

-- 
Udv,
   Nandor

> Tóth Nándor wrote:
> 
>> Hi!
>>
>> I have read all informations i could find, but some things are still 
>> not clear.
>>
>> My setup is:
>>  ---INTERNET1(eth0)-\  /- Local net1 (eth2)
>>                      GW
>>  ---INTERNET2(eth1)-/  \- Local net2 (eth3)
>>
>> I have NAT and a working setup using HTB,SFQ, classifying with the 
>> iptables -j CLASSIFY way. I shape only the traffic coming from the 
>> internet heading to the intranet.
>>
>> I would like to have a configuration like this:
>>  ---INTERNET1(eth0)-\        /- Local net1 (eth2)
>>                      GW--imq0
>>  ---INTERNET2(eth1)-/        \- Local net2 (eth3)
>>
>> I think it can be done this way:
>> iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
>> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>>
>> But it would include traffic heading to the gateway directly, wouldn't 
>> it? Can i put these rules to the POSTROUTING chain?
>>
>> And i can still have my CLASSIFY targets in the POSTROUTING chain, 
>> because IMQ queing will happen after it according to 
>> http://lartc.org/howto/lartc.imq.html.
>> So for example:
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY 
>> --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY 
>> --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>>
>> If i managed to do this, i promise, i will document it to the imq wiki.
>>
>> Any advice/help is appreciated!
>>
> 


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] simple questions about imq

[Andre Correa]

IMQ hooking is set on kernel config, there is an option for "IMQ 
behavior". Make sure you are using a recent patch version.

let me know if we can help you somehow...

Cheers.

Andre


Tóth Nándor wrote:
> Hi!
> 
> Andre Correa wrote:
> 
>>
>> Cool Toth, please let us know if you make it work. Just take care to 
>> hook IMQ in the right place if you are doing NAT. You can choose to 
>> hook it after or before NAT.
> 
> 
> Where can i set it?
> Can you answer my questions below?
> 
> I will document these things, if i managed to do it.
> 


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] simple questions about imq

[Andy Furniss]

Tóth Nándor wrote:
> Hi!
> 
> I have read all informations i could find, but some things are still not 
> clear.
> 
> My setup is:
>  ---INTERNET1(eth0)-\  /- Local net1 (eth2)
>                      GW
>  ---INTERNET2(eth1)-/  \- Local net2 (eth3)
> 
> I have NAT and a working setup using HTB,SFQ, classifying with the 
> iptables -j CLASSIFY way. I shape only the traffic coming from the 
> internet heading to the intranet.
> 
> I would like to have a configuration like this:
>  ---INTERNET1(eth0)-\        /- Local net1 (eth2)
>                      GW--imq0
>  ---INTERNET2(eth1)-/        \- Local net2 (eth3)
> 
> I think it can be done this way:
> iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
> 
> But it would include traffic heading to the gateway directly, wouldn't 
> it?

Yes - but people often want this.

  Can i put these rules to the POSTROUTING chain?
> 
> And i can still have my CLASSIFY targets in the POSTROUTING chain, 
> because IMQ queing will happen after it according to 
> http://lartc.org/howto/lartc.imq.html.
> So for example:
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class 
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
> 
> If i managed to do this, i promise, i will document it to the imq wiki.
> 
> Any advice/help is appreciated!
> 

You need to jump to imq in postrouting, classify should be done first ok 
try and see.

If you only want to shape forwarded traffic you could mark/classify 
using -i and -o in forward and then match on mark/class and -j IMQ in 
postrouting, it will only really matter if you have shaper to lan 
traffic you want to exclude from imq.

I don't see why you are classifying to the same class or need return. If 
you have two seperate internet links you still need two nonsharing 
queues added to the imq device.

Andy.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] simple questions about imq

[Tóth Nándor]

Hi!

Andy Furniss wrote:
>  Can i put these rules to the POSTROUTING chain?
> 
>>
>> And i can still have my CLASSIFY targets in the POSTROUTING chain, 
>> because IMQ queing will happen after it according to 
>> http://lartc.org/howto/lartc.imq.html.
>> So for example:
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY 
>> --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY 
>> --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>>
>> If i managed to do this, i promise, i will document it to the imq wiki.
>>
>> Any advice/help is appreciated!
>>
> 
> You need to jump to imq in postrouting, classify should be done first ok 
> try and see.

Ok will try it.

> If you only want to shape forwarded traffic you could mark/classify 
> using -i and -o in forward and then match on mark/class and -j IMQ in 
> postrouting, it will only really matter if you have shaper to lan 
> traffic you want to exclude from imq.
> 
> I don't see why you are classifying to the same class or need return. If 
> you have two seperate internet links you still need two nonsharing 
> queues added to the imq device.

Yes, i have two non-sharing queues(*) now, too. I mark the packets in 
PREROUTING, so i can classify them to the appropiate queue in postrouting.

The rules up there are just examples.

I need RETURN, because i have overlapping rules, so packets would be 
classified twice (the second classify will be the valid, isn't it?).
Like:
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn 
-m length --length 40:68 -j CLASSIFY --set-class 1:9
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn 
-m length --length 40:68 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 
22 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 
22 -j RETURN

Is this a stupid way to do this? I get this from the LARTC howto :)
http://lartc.org/howto/lartc.cookbook.fullnat.intro.html
"We have done a -j RETURN so packets don't traverse all rules"

Thanks, for the clarifying!

-- 
Udv,
   Nandor

* If anyone is curious:

HTB main 5000+120+250kbps
  --- Child1 5000kbps for the DMZ
  --- Child2 120kbps first internet line
  --- Child3 250 kbps second internet line


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/