* [LARTC] my shaping rules wont work on nat box
From: nix4me @ 2006-03-04 0:00 UTC (permalink / raw)
To: lartc
I am currently running the following script on an internal machine to
shape outbound ftp and email traffic.

I am trying to move the script to my nat router (ipcop with 2 nic cards)
so that it shapes the whole network and not only the outbound of 1 box.

I have cable modem -> ipcop (eth1) >(eth0 - 192.168.1.1) >
192.168.1.100 and 192.168.1.101.

The script works great running on 192.168.1.101. But I cannot get it
to work on either of the ipcop interfaces.

Does it have something to do with NAT?
Script:
#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed

# mark the outbound passive ftp packets on ports 50000-51000
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# mark packets: 20 is lan traffic, 26 is active ftp and passive ftp,
# 30 is ACK for downloads, 35 is email
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 30
iptables -t mangle -A MYSHAPER-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 35

# clear it
tc qdisc del dev eth0 root

# add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 20

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# add leaf classes, 1:2 is lan, 1:3 is outbound max
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 40kbps

# 1:31 is ftp with lower prio, 1:32 is ACK and email with higher prio
tc class add dev eth0 parent 1:3 classid 1:31 htb rate 1kbps ceil 40kbps prio 2
tc class add dev eth0 parent 1:3 classid 1:32 htb rate 20kbps ceil 40kbps prio 1

# filter traffic into classes
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 35 fw flowid 1:32
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] my shaping rules wont work on nat box
From: nix4me @ 2006-03-04 1:21 UTC (permalink / raw)
To: lartc
Jody Shumaker wrote:
>On 3/3/06, nix4me <nix4me@cfl.rr.com> wrote:
>
>>I am currently running the following script on an internal machine to
>>shape outbound ftp and email traffic.
>>
>>I am trying to move the script to my nat router (ipcop with 2 nic cards)
>>so that it shapes the whole network and not only the outbound of 1 box.
>>
>>I have cable modem -> ipcop (eth1) >(eth0 - 192.168.1.1) >
>>192.168.1.100 and 192.168.1.101.
>
>Does this mean the cable modem is on eth1? You need to use whichever
>device is connected to the cable modem. Based on the above, it seems
>like eth0 is for the local network and yet all of your rules below are
>for eth0. This would only be useful for shaping incoming bandwidth
>from the internet, not bandwidth to the internet.
>
>>The script works great running on 192.168.1.101. But I cannot get it
>>to work on either of the ipcop interfaces.
>>
>>Does it have something to do with NAT?
>
>Since you're not matching on addresses, it shouldn't have to do with
>NAT. I also noticed in your rules you have a local traffic 100mbit
>class, if your cable modem is the only thing connected to the pc you
>shouldn't have such a class as it serves no purpose and could break
>things.
>
>- Jody

I have changed the eth0 to eth1 and changed the 100mbit root class to 1mbit.
Still doesn't work.

nix4me
* Re: [LARTC] my shaping rules wont work on nat box
From: Markus Schulz @ 2006-03-04 12:08 UTC (permalink / raw)
To: lartc
On Saturday, 4 March 2006 01:00, nix4me wrote:
> I am currently running the following script on an internal machine to
> shape outbound ftp and email traffic.
>
> I am trying to move the script to my nat router (ipcop with 2 nic
> cards) so that it shapes the whole network and not only the outbound
> of 1 box.
>
> I have cable modem -> ipcop (eth1) >(eth0 - 192.168.1.1) >
> 192.168.1.100 and 192.168.1.101.
>
> The script works great running on 192.168.1.101. But I cannot get
> it to work on either of the ipcop interfaces.
>
> Does it have something to do with NAT?
>
> Script:
> #!/bin/bash
> # shaping passive and active outbound ftp traffic on an internal
> # computer without affecting inbound and lan speed
>
> # mark the outbound passive ftp packets on ports 50000-51000
> iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

You must mark your traffic in the FORWARD or POSTROUTING chain. OUTPUT is
only for locally generated traffic.

--
Markus Schulz
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond where
the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh
* Re: [LARTC] my shaping rules wont work on nat box
From: nix4me @ 2006-03-04 15:42 UTC (permalink / raw)
To: lartc
Markus Schulz wrote:
>You must mark your traffic in the FORWARD or POSTROUTING chain. OUTPUT is
>only for locally generated traffic.

I have a 1 mbit upstream cable service (approx 120kbytes/sec)
Ok, here is my plan:
                      +---------+
                      | root 1: |
                      +---------+
                           |
         +---------------------------------------+
         | class 1:1 (1 mbit send speed total)   |
         +---------------------------------------+
                |                        |
    +-------------------+   +--------------------------+
    |1:2 Default 1 mbit |   |1:3 Capped outbound 105 Kb|
    +-------------------+   +--------------------------+
                                  |            |
                                1:31          1:32
                           50k ceil 105K   50K ceil 105k
                              prio 2          prio 1
                            FTP traffic     Email, ACK

This allows me to set a cap on 1:3 and then divide that cap into 2
classes: 1:31 for lower prio FTP traffic and 1:32 for higher prio email
and ACK traffic. This allows the FTP to consume all 105K until I send
an email or download a huge file, then the email or ACK from the
download can borrow from the ftp due to its higher priority.

All other traffic will be lumped into the default 1:2 (I think).

I will use these rules:
# the BW-OUT chain has to exist before POSTROUTING can jump to it
iptables -t mangle -N BW-OUT
iptables -t mangle -I POSTROUTING -o eth1 -j BW-OUT
iptables -t mangle -A BW-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j MARK --set-mark 30
iptables -t mangle -A BW-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 35

tc qdisc add dev eth1 root handle 1: htb default 20
tc class add dev eth1 parent 1: classid 1:1 htb rate 1mbit
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 1mbit
tc class add dev eth1 parent 1:1 classid 1:3 htb rate 105kbps
tc class add dev eth1 parent 1:3 classid 1:31 htb rate 50kbps ceil 105kbps prio 2
tc class add dev eth1 parent 1:3 classid 1:32 htb rate 50kbps ceil 105kbps prio 1

tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 35 fw flowid 1:32

This should work on my linux router on eth1 which is the interface
facing the internet.
I am assuming that the POSTROUTING chain is the correct way to do this.
Any issues here?
nix4me
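Added example in Python, not code from the thread or from IPCop: it models how the BW-OUT chain in the plan above marks a packet and how HTB's rate/ceil/prio split class 1:3's 105 kB/s between 1:31 and 1:32. The packets and demands are constructed; rates are in kilobytes/s, which is what tc's "kbps" unit means (tc uses "kbit" for kilobits/s).

```python
# Added example, not code from the thread: a model of nix4me's planned
# BW-OUT chain and the 1:3 HTB subtree. Packets and demands below are
# constructed; rates are kilobytes/s, which is what tc's "kbps" means.

# The mangle MARK target does not stop rule traversal, so every matching
# rule fires in order and the LAST match decides the final mark. The
# first rule only applies while the mark is still 0 (the default case).
BW_OUT = [
    (lambda p, mark: mark == 0, 20),                     # default / lan
    (lambda p, mark: p["sport"] == 59999, 26),           # active ftp data
    (lambda p, mark: 50000 <= p["sport"] <= 51000, 26),  # passive ftp data
    (lambda p, mark: p["len"] <= 64, 30),                # small packets (ACKs)
    (lambda p, mark: p["dport"] == 25, 35),              # smtp
]
# tc filter ... handle <mark> fw flowid <class>
FW_FILTER = {20: "1:2", 26: "1:31", 30: "1:32", 35: "1:32"}

def classify(sport, dport, length):
    """Return (mark, flowid) for a TCP packet leaving eth1."""
    pkt = {"sport": sport, "dport": dport, "len": length}
    mark = 0
    for matches, value in BW_OUT:
        if matches(pkt, mark):
            mark = value
    return mark, FW_FILTER[mark]

# Leaf classes under 1:3, whose ceil is 105 kB/s.
PARENT_CEIL = 105
CLASSES = {"1:31": {"rate": 50, "ceil": 105, "prio": 2},   # ftp
           "1:32": {"rate": 50, "ceil": 105, "prio": 1}}   # email, ACKs

def htb_share(demand):
    """Approximate HTB sharing: each class first gets min(demand, rate),
    then the parent's leftover is lent out in prio order (lower number
    first) up to each class's ceil. Returns kB/s per class."""
    got = {c: min(demand.get(c, 0), k["rate"]) for c, k in CLASSES.items()}
    spare = PARENT_CEIL - sum(got.values())
    for c in sorted(CLASSES, key=lambda c: CLASSES[c]["prio"]):
        extra = min(spare, demand.get(c, 0) - got[c], CLASSES[c]["ceil"] - got[c])
        if extra > 0:
            got[c] += extra
            spare -= extra
    return got

if __name__ == "__main__":
    print(classify(50000, 40000, 52))             # ftp ACK -> (30, '1:32')
    print(htb_share({"1:31": 200}))               # ftp alone gets 105 kB/s
    print(htb_share({"1:31": 200, "1:32": 200}))  # ftp keeps its 50 guaranteed
```

Because HTB guarantees each class its rate, the prio 1 class only wins the parent's spare bandwidth above 1:31's guaranteed 50 kB/s; a smaller rate on 1:31 would let 1:32 take more when both are busy.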