* [LARTC] How to MARK NATted packets coming from external interface to an internal host ?
From: Claudio L. Salvadori @ 2001-12-13 12:27 UTC
To: lartc
Hi,
I would like to control download bandwidth from the Internet for
clients inside a network. The gateway is a Linux box using
'iptables nat'.
I would like to use 'iptables mangle' to mark the packets coming
from the Internet and going to specific clients and then use CBQ
to shape it:
                          +-----------+
  Internal network        |   Linux   |        Internet
  ------0-----------------|  Gateway  |-------------------
        |            eth0 |    NAT    | eth1
    [client]              +-----------+
   192.168.1.8
I tried to use the following command to mark the packets:
iptables -t mangle -A PREROUTING -i eth1 -d 192.168.1.8 \
    -j MARK --set-mark 1
But the packets are not being marked, probably because they were
not NATted yet and still have the destination IP of the external interface.
How can I classify this traffic so I can shape it ?
Best regards,
Claudio Leonel Salvadori
cls@xpnet.com.br
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/
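The ordering problem behind this message, as an added example that is not code from the thread: the rule as posted sits beside a rule that marks after de-NAT, followed by the tc filter that picks the mark up on the LAN side. The interface names, the client address 192.168.1.8, the CBQ root handle 10: and leaf class 10:2 are assumed placeholders; the script defaults to printing the commands so it can be read without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (placeholders, change to
# taste): eth1 faces the Internet, eth0 faces the LAN, 192.168.1.8 is the client
# to shape, and a CBQ root qdisc "10:" with a limited leaf class 10:2 already
# exists on eth0. DRY_RUN=1 (the default) prints each command instead of
# running it, so the script can be inspected without root.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF=eth1
LAN_IF=eth0
CLIENT=192.168.1.8
MARK=1

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The rule from the original post. It cannot match: the mangle table's
# PREROUTING hook (priority -150) runs before the nat table's PREROUTING hook
# (priority -100), so a reply to a masqueraded client is still addressed to the
# gateway's public IP when this rule inspects it.
mark_before_nat() {
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -d "$CLIENT" \
        -j MARK --set-mark "$MARK"
}

# Mark in mangle FORWARD instead: it runs after de-NAT, so -d sees the private
# address. Packets the gateway itself generates traverse mangle OUTPUT, not
# FORWARD, so they stay unmarked and unshaped. (The mangle FORWARD chain exists
# since kernel 2.4.18; the 2001 thread predates it.)
mark_after_nat() {
    run iptables -t mangle -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$CLIENT" \
        -j MARK --set-mark "$MARK"
}

# Hand marked packets to class 10:2 on eth0's egress with the fw classifier.
attach_fw_filter() {
    run tc filter add dev "$LAN_IF" parent 10: protocol ip prio 1 \
        handle "$MARK" fw classid 10:2
}

mark_after_nat
attach_fw_filter
```

Because only forwarded packets pass mangle FORWARD, this variant also leaves downloads served by the gateway itself unshaped, which is the second requirement raised later in the thread. Set DRY_RUN=0 and run as root to apply the rules.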
* Re: [LARTC] How to MARK NATted packets coming from external interface to an internal host ?
From: bert hubert @ 2001-12-13 13:39 UTC
To: lartc
On Thu, Dec 13, 2001 at 10:27:37AM -0200, Claudio L. Salvadori wrote:
> Hi,
>
> I would like to control download bandwidth from the Internet for
> clients inside a network. The gateway is a Linux box using
> 'iptables nat'.
> I would like to use 'iptables mangle' to mark the packets coming
> from the Internet and going to specific clients and then use CBQ
> to shape it:
Mangle is being upgraded by the netfilter people to be available everywhere.
In the meantime, you should use tc filters to shape on eth0's egress. For
what you want, the commands are very simple.
> How can I classify this traffic so I can shape it ?
http://ds9a.nl/lartc/HOWTO//cvs/2.4routing/output/2.4routing-9.html#ss9.6
'All the filtering commands you will normally need'.
Regards,
bert
--
http://www.PowerDNS.com Versatile DNS Software & Services
Trilab The Technology People
Netherlabs BV / Rent-a-Nerd.nl - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
* Re: [LARTC] How to MARK NATted packets coming from external interface to an internal host ?
From: Claudio L. Salvadori @ 2001-12-13 16:42 UTC
To: lartc
Hi,
I have considered using 'tc filter' with the u32 classifier
but I couldn't find a way to differentiate between traffic coming
from the Internet (source ip = any) from traffic originating
in the gateway (source ip = ip of eth0). I need this because
I would like to shape only traffic coming from the Internet.
Internal clients should be able to download data from the gateway
without any bandwidth restriction.
If at least there was a NOT (! like in iptables) operator
in the match syntax I could assume that traffic not coming from the
source ip of eth0 is coming from the Internet. Something like this:
tc filter add dev eth0 parent 10:1\
protocol ip\
prio 1\
u32\
NOT operator --> match ip src ! (eth0 IP)\
match ip dst (client IP)\
classid 10:2
Any ideas on how to differentiate these two kinds of traffic
using 'tc filter' ?
Best regards,
Claudio Leonel Salvadori
cls@xpnet.com.br
bert hubert wrote:
> On Thu, Dec 13, 2001 at 10:27:37AM -0200, Claudio L. Salvadori wrote:
>
>>Hi,
>>
>>I would like to control download bandwidth from the Internet for
>>clients inside a network. The gateway is a Linux box using
>>'iptables nat'.
>>I would like to use 'iptables mangle' to mark the packets coming
>>from the Internet and going to specific clients and then use CBQ
>>to shape it:
>>
>
>
> Mangle is being upgraded by the netfilter people to be available everywhere.
> In the meantime, you should use tc filters to shape on eth0's egress. For
> what you want, the commands are very simple.
>
>
>>How can I classify this traffic so I can shape it ?
>>
>
> http://ds9a.nl/lartc/HOWTO//cvs/2.4routing/output/2.4routing-9.html#ss9.6
> 'All the filtering commands you will normally need'.
>
> Regards,
>
> bert
>
>
* Re: [LARTC] How to MARK NATted packets coming from external interface to an internal host ?
From: bert hubert @ 2001-12-16 13:52 UTC
To: lartc
On Thu, Dec 13, 2001 at 02:42:59PM -0200, Claudio L. Salvadori wrote:
> I have considered using 'tc filter' with the u32 classifier
> but I couldn't find a way to differentiate between traffic coming
> from the Internet (source ip = any) from traffic originating
> in the gateway (source ip = ip of eth0). I need this because
> I would like to shape only traffic coming from the Internet.
> Internal clients should be able to download data from the gateway
> without any bandwidth restriction.
That basically means that you should use iptables. My own version of
iptables can do this:
# iptables -t mangle -A OUTPUT -d 1.2.3.4 -j PRIO --classid 10:2
To match only locally generated packets. Change OUTPUT to PREROUTING to
process all non-local packets.
I'm trying to push this into the kernel, but will take a while.
> If at least there was a NOT (! like in iptables) operator
> in the match syntax I could assume that traffic not coming from the
> source ip of eth0 is coming from the Internet. Something like this:
>
> tc filter add dev eth0 parent 10:1\
> protocol ip\
> prio 1\
> u32\
> NOT operator --> match ip src ! (eth0 IP)\
> match ip dst (client IP)\
> classid 10:2
>
> Any ideas on how to differentiate these two kinds of traffic
> using 'tc filter' ?
Yes, make two rules. One that first exempts anything from your eth0 IP. Give
it prio 0, and the next rule prio 1, which will never see packets from your
local IP.
Regards,
bert
--
http://www.PowerDNS.com Versatile DNS Software & Services
Trilab The Technology People
Netherlabs BV / Rent-a-Nerd.nl - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
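The two-rule ordering bert describes, as an added example that is not code from the thread. The gateway address 192.168.1.1, the CBQ root handle 10: and the classes 10:1 (unlimited, for the gateway's own traffic) and 10:2 (limited) are assumptions. It uses prio 1 and 2 rather than 0 and 1, for the reason given in the comment, and adds a small shell model of the same first-match logic so the outcome for a given source and destination can be checked before the filters go onto a live box.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (placeholders): eth0 is the
# LAN side with a CBQ root qdisc "10:", class 10:1 is an unlimited class for the
# gateway's own traffic, class 10:2 is the limited class, 192.168.1.1 is eth0's
# address and 192.168.1.8 the client to shape. DRY_RUN=1 (the default) prints
# the tc commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF=eth0
GW_IP=192.168.1.1
CLIENT=192.168.1.8

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tc tries a qdisc's filters in ascending prio and stops at the first one that
# matches, so an "exempt" rule at prio 1 shadows the shaping rule at prio 2 for
# anything sourced from the gateway. The exempt rule must carry a real
# priority: giving prio 0 on creation makes the kernel pick one for you.
install_filters() {
    run tc filter add dev "$LAN_IF" parent 10: protocol ip prio 1 \
        u32 match ip src "$GW_IP/32" classid 10:1
    run tc filter add dev "$LAN_IF" parent 10: protocol ip prio 2 \
        u32 match ip dst "$CLIENT/32" classid 10:2
}

# The same first-match logic as a shell function, for checking where a given
# (src, dst) pair lands before touching a live gateway. Prints the classid,
# or "default" when no filter matches and CBQ's default class applies.
classify() {
    case "$1" in
        "$GW_IP")
            echo 10:1 ;;                     # prio 1 matched: gateway exempt
        *)
            if [ "$2" = "$CLIENT" ]; then    # prio 2 matched: shaped client
                echo 10:2
            else
                echo default                 # no filter matched
            fi ;;
    esac
}

install_filters
classify 203.0.113.5 "$CLIENT"
```

The model only covers the two matches the filters express; if the gateway sends from an address other than eth0's (an application bound to a different interface, for instance), that traffic falls through to the prio 2 rule exactly as the real filters would treat it.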