* [LARTC] NAT and CBQ
From: Fozzie @ 2002-07-08 6:21 UTC (permalink / raw)
To: lartc
I've got a Linux box set up as a dedicated router, with CBQ and NAT. I've
got the NAT all set up and that part is working OK. I tried HTB first,
and then CBQ, and both gave me this trouble. Traffic doesn't seem to be
hitting my filter rules on outgoing traffic (sending from eth0 out to
internet land). Incoming traffic is being bounded perfectly. I was
wondering if there are any "issues" that have to be worked out when you have
CBQ and NAT on the same box. Thanks in advance for any help.
------------------------------------------------------------------
- cbq.init list
### eth0: queueing disciplines
qdisc sfq 103: quantum 1514b
qdisc sfq 102: quantum 1514b
qdisc sfq 101: quantum 1514b
qdisc cbq 1: rate 100Mbit (bounded,isolated) prio no-transmit
### eth0: traffic classes
class cbq 1:101 parent 1: leaf 101: rate 102Kbit prio 5
class cbq 1: root rate 100Mbit (bounded,isolated) prio no-transmit
class cbq 1:103 parent 1: leaf 103: rate 204Kbit prio 5
class cbq 1:102 parent 1: leaf 102: rate 204Kbit prio 5
### eth0: filtering rules
filter parent 1: protocol ip pref 100 u32
filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:101
match 0a000001/ffffffff at 12
filter parent 1: protocol ip pref 100 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:102
match 0a000002/ffffffff at 12
filter parent 1: protocol ip pref 100 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:102
match 0a000004/ffffffff at 12
filter parent 1: protocol ip pref 100 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:102
match 0a000005/ffffffff at 12
filter parent 1: protocol ip pref 100 u32 fh 800::804 order 2052 key ht 800 bkt 0 flowid 1:103
match 0a000003/ffffffff at 12
filter parent 1: protocol ip pref 100 u32 fh 800::805 order 2053 key ht 800 bkt 0 flowid 1:103
match 0a000006/ffffffff at 12
### eth1: queueing disciplines
qdisc sfq 203: quantum 1514b
qdisc sfq 202: quantum 1514b
qdisc sfq 201: quantum 1514b
qdisc cbq 1: rate 100Mbit (bounded,isolated) prio no-transmit
### eth1: traffic classes
class cbq 1:202 parent 1: leaf 202: rate 819Kbit prio 5
class cbq 1: root rate 100Mbit (bounded,isolated) prio no-transmit
class cbq 1:203 parent 1: leaf 203: rate 819Kbit prio 5
class cbq 1:201 parent 1: leaf 201: rate 409Kbit prio 5
### eth1: filtering rules
filter parent 1: protocol ip pref 100 u32
filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:201
match 0a000001/ffffffff at 16
filter parent 1: protocol ip pref 100 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:202
match 0a000002/ffffffff at 16
filter parent 1: protocol ip pref 100 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:202
match 0a000004/ffffffff at 16
filter parent 1: protocol ip pref 100 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:202
match 0a000005/ffffffff at 16
filter parent 1: protocol ip pref 100 u32 fh 800::804 order 2052 key ht 800 bkt 0 flowid 1:203
match 0a000003/ffffffff at 16
filter parent 1: protocol ip pref 100 u32 fh 800::805 order 2053 key ht 800 bkt 0 flowid 1:203
match 0a000006/ffffffff at 16
-----------------------------------------------------------------------------------------------------
--- iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:21 to:10.0.0.1:21
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:22 to:10.0.0.1:22
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:25 to:10.0.0.1:25
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:53 to:10.0.0.1:53
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:80 to:10.0.0.1:80
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:110 to:10.0.0.1:110
DNAT tcp -- 0.0.0.0/0 24.156.64.5 tcp dpt:113 to:10.0.0.1:113
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.0.0.0/24 0.0.0.0/0 to:24.156.64.5
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
---
Am Foz, Need Sig.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] NAT and CBQ
From: Daniel Sercaianu @ 2002-07-08 6:45 UTC (permalink / raw)
To: lartc
I encountered the same problem myself when I tried to SNAT some IPs
going through my router. The incoming is shaped OK but the outgoing
doesn't seem to hit my rules. I think when the traffic leaves the outgoing
interface it isn't caught in the filter rules because the source address of
the packets has already been changed to the address specified in the SNAT
rules, or to the address of the outgoing interface if you do masquerade.
To make some shapers, I think you have to shape on the IP of the outgoing
interface, but this only works if you want to shape globally with only one
filter rule, because there is only one IP of the outgoing interface you can catch
in the filter rules. If someone can give any clues how we can solve this
problem, please help us.
Thanx,
Daniel Sercaianu
Terranet Virtual Media
sdan@terranet.ro
GSM +40 788 837723
On Mon, 8 Jul 2002, Fozzie wrote:
>
> I've got a Linux box set up as a dedicated router, with CBQ and NAT. I've
> got the NAT all set up and that part is working OK. I tried HTB first,
> and then CBQ, and both gave me this trouble. Traffic doesn't seem to be
> hitting my filter rules on outgoing traffic (sending from eth0 out to
> internet land). Incoming traffic is being bounded perfectly. I was
> wondering if there are any "issues" that have to be worked out when you have
> CBQ and NAT on the same box. Thanks in advance for any help.
* Re: [LARTC] NAT and CBQ
From: bert hubert @ 2002-07-08 9:39 UTC (permalink / raw)
To: lartc
On Mon, Jul 08, 2002 at 09:45:38AM +0300, Daniel Sercaianu wrote:
>
> I encountered the same problem myself when I tried to SNAT some IPs
> going through my router. The incoming is shaped OK but the outgoing
> doesn't seem to hit my rules. I think when the traffic leaves the outgoing
> interface it isn't caught in the filter rules because the source address of
> the packets has already been changed to the address specified in the SNAT
> rules, or to the address of the outgoing interface if you do masquerade.
> To make some shapers, I think you have to shape on the IP of the outgoing
Exactly - once tc 'sees' your packets they have everything done to them
already. Every translation by then will have finished.
> interface, but this only works if you want to shape globally with only one
> filter rule, because there is only one IP of the outgoing interface you can catch
> in the filter rules. If someone can give any clues how we can solve this
> problem, please help us.
Add fwmarks - they survive the NAT process and tell you where packets came
from. The HOWTO details this.
Regards,
bert
--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
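As an added example (not code from the thread or the LARTC HOWTO), here is the fwmark approach bert recommends applied to Fozzie's eth0 setup and to the SNAT ordering Daniel describes: the mark is set in mangle PREROUTING, which runs before nat POSTROUTING rewrites the source address, and a tc fw filter on eth0 classifies on that mark instead of the source IP. It assumes the CBQ qdisc 1: and classes 1:101 to 1:103 on eth0 exist as in the cbq.init output, that eth0 is the SNATed internet-facing side, and that marks 1 to 6 are otherwise unused.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark-based classification for the
# eth0 (internet-facing, SNATed) side of the original post's CBQ setup.
# Assumptions: qdisc 1: and classes 1:101-1:103 on eth0 already exist as
# shown in the cbq.init output, and marks 1..6 are not used elsewhere.

# Emit the two commands that classify one LAN host by fwmark.
# $1 = LAN source IP, $2 = mark value, $3 = CBQ class id, $4 = egress device
mark_rules() {
    ip="$1"; mark="$2"; classid="$3"; dev="$4"
    # mangle PREROUTING runs before nat POSTROUTING rewrites the source
    # address, so the packet still carries its real 10.0.0.x source here.
    printf 'iptables -t mangle -A PREROUTING -s %s -j MARK --set-mark %s\n' \
        "$ip" "$mark"
    # The fw classifier keys on the mark instead of the (rewritten) source
    # address. prio 10 puts it ahead of the existing pref 100 u32 filters,
    # which never match on eth0 after SNAT and can be deleted at leisure.
    printf 'tc filter add dev %s parent 1: protocol ip prio 10 handle %s fw flowid %s\n' \
        "$dev" "$mark" "$classid"
}

# Same host-to-class mapping as the original eth0 u32 filters ("at 12" =
# source address); the mark is simply the last octet of the LAN address.
all_rules() {
    mark_rules 10.0.0.1 1 1:101 eth0
    mark_rules 10.0.0.2 2 1:102 eth0
    mark_rules 10.0.0.4 4 1:102 eth0
    mark_rules 10.0.0.5 5 1:102 eth0
    mark_rules 10.0.0.3 3 1:103 eth0
    mark_rules 10.0.0.6 6 1:103 eth0
}

# Sanity check that needs neither root nor tc: which class does a given
# mark land in, according to the generated filters? (empty if none)
class_for_mark() {
    all_rules | awk -v m="$1" '$2 == "filter" && $0 ~ ("handle " m " fw") { print $NF; exit }'
}

# Install on the router (needs root); "all_rules" alone just prints them.
apply_rules() {
    all_rules | sh
}
```

The eth1 side can keep its u32 destination-address filters, since DNAT in PREROUTING has already restored the 10.0.0.x destination by the time tc on eth1 sees the packet.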