From: "ganesh kumar godavari" <gkgodava@rediffmail.com>
To: lartc@vger.kernel.org
Subject: [LARTC] cbq & iptables nat problems
Date: Tue, 09 Jul 2002 04:17:39 +0000
Message-ID: <marc-lartc-102618842822327@msgid-missing>
Hey guys,
I have 2 questions:

Question 1
################
I want to see if the bandwidth allocation using cbq is working
properly or not.
I looked into Stef Coene's beautiful document (http://docum.org)
for the monitor.pl.
I am not good at Perl, so can anyone help me to understand if there
is any way I can check if the cbq is working?
Question 2
##################
I also want to know if anyone has worked on RealServer; the Real
Server client can use either tcp or udp packets for
voice/video transfer. I checked with Ethereal. It looks like
the packets are successfully forwarded by my firewall to my
server in the private subnet. However, the server seems to be able
to finish the tcp handshake with the RealPlayer. The last
successful connection is the server sending the client [FIN, ACK].
After that, nothing happens. Why can't the RealServer
serve the video/voice packets?
Thanks
Ganesh
###########################################################################################

                 _____________                            _______
                |             |eth1      10 mbps         |       |
internet -------|  firewall   |--------------------------|  hub  |
            eth0|_____________|                          |_______|
                                                             |
                                                        192.168.0.1
192.168.0.1 is running the following services:
http, https, pop3, smtp, realserver

Goal
I want to allocate my internal bandwidth the following way:
- 70% for http/https, realserver
- 20% for smtp, pop3
- 5% for tcp packets
- 5% for icmp packets
###############################################################
# The firewall scripts
###############################################################
# In order to make 192.168.0.1 talk to the outside world I run
# the following script

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward   # enables packet forwarding by the kernel

# In order to redirect requests from the firewall to the services we can
# use the following script (each rule DNATs one public tcp port arriving
# on eth0 to the internal host)
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth0 -j DNAT --to 192.168.0.2:21
iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth0 -j DNAT --to 192.168.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 23 -i eth0 -j DNAT --to 192.168.0.2:23
# note: this rule sends nntp (port 119) to port 22 on the internal host
iptables -t nat -A PREROUTING -p tcp --dport nntp -i eth0 -j DNAT --to 192.168.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.2:443
iptables -t nat -A PREROUTING -p tcp --dport 8080 -i eth0 -j DNAT --to 192.168.0.2:8080
iptables -t nat -A PREROUTING -p tcp --dport 7070 -i eth0 -j DNAT --to 192.168.0.2:7070
iptables -t nat -A PREROUTING -p tcp --dport 554 -i eth0 -j DNAT --to 192.168.0.2:554
iptables -t nat -A PREROUTING -p tcp --dport 2687 -i eth0 -j DNAT --to 192.168.0.2:2687
# class based queuing is done this way
TC=/sbin/tc
INTIF=eth1
EXTIF=eth0

add_class() {
    # $1=parent class $2=classid $3=hiband $4=lowband $5=handle $6=style
    # ($6 is e.g. "bounded"; a class without it may borrow from its parent)
    $TC class add dev $INTIF parent $1 classid $2 cbq bandwidth 10Mbit \
        rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
    $TC qdisc add dev $INTIF parent $2 sfq quantum 1514b perturb 15
    # packets carrying fwmark $5 (set by iptables below) go to class $2
    $TC filter add dev $INTIF protocol ip prio 3 handle $5 fw classid $2
}

$TC qdisc add dev $INTIF root handle 10: cbq bandwidth 10Mbit avpkt 1000
$TC class add dev $INTIF parent 10:0 classid 10:1 cbq bandwidth 10Mbit \
    rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded

# first type of traffic ICMP, TCP-SYN, DNS will be marked '1' by the firewall code
# we will give it a bounded bandwidth of 5% of our total incoming bandwidth (64*0.05=3.2)
add_class 10:1 10:100 3.2kbit 0.32kbit 1 bounded
# second type of traffic SMTP, POP3 will be marked '2' by the firewalling code
# we will give it a bounded bandwidth of 5% of our total incoming bandwidth (64*0.05=3.2)
add_class 10:1 10:300 3.2kbit 0.32kbit 2
# third type of traffic ssh, ftp, telnet will be marked '3' by the firewalling code
# we will give it a bounded bandwidth of 20% of our total incoming bandwidth (64*0.20=12.8)
add_class 10:1 10:200 12.8kbit 1.28kbit 3
# last type of traffic is interactive traffic. It will be marked '4' by the firewalling code
# we will give it a bounded bandwidth of 70% of our total incoming bandwidth (64*0.70=44.8)
add_class 10:1 10:400 44.8kbit 4.48kbit 4
# this is where the marking of packets is done (mangle table, FORWARD chain,
# only for packets leaving on the internal interface)
IPTABLES=/sbin/iptables

# mark incoming ftp/ssh/telnet (and News) traffic with mark value 3
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 21 -j MARK --set-mark 3
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 22 -j MARK --set-mark 3
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 23 -j MARK --set-mark 3
# mark incoming www and Real Server traffic with mark value 4
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 80 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 443 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 7070 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 554 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 8080 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport 2687 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p udp -o $INTIF --dport 7070 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p udp -o $INTIF --dport 554 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p udp -o $INTIF --dport 8080 -j MARK --set-mark 4
# mark incoming mail traffic with mark value 2
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport smtp -j MARK --set-mark 2
$IPTABLES -t mangle -A FORWARD -p tcp ! --syn -o $INTIF --dport pop3 -j MARK --set-mark 2
# icmp, tcp SYNs and DNS get mark value 1
$IPTABLES -t mangle -A FORWARD -p icmp -o $INTIF -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p tcp --syn -o $INTIF -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p udp --dport 53 -o $INTIF -j MARK --set-mark 1

# filter table: accept everything (no packet filtering is done here)
$IPTABLES -A INPUT -j ACCEPT
$IPTABLES -A FORWARD -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
The whole shell script can be downloaded from
http://cs.uccs.edu/~gkgodava/tfinal.sh

I can see that the packets are marked:

# iptables -L -v -t mangle
Chain FORWARD (policy ACCEPT 6404 packets, 1766K bytes)
 pkts bytes target prot opt in  out  source   destination
    0     0 MARK   tcp  --  any eth1 anywhere anywhere    tcp dpt:ftp flags:!SYN,RST,ACK/SYN MARK set 0x3
  257 19602 MARK   tcp  --  any eth1 anywhere anywhere    tcp dpt:ssh flags:!SYN,RST,ACK/SYN MARK set 0x3
:
:
:
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
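As an added example (not part of the original post, and not Stef Coene's monitor.pl), the following shell script does the check asked for in Question 1 without Perl: it takes two snapshots of `tc -s class show dev eth1`, keeps the byte counter of every cbq class, and prints the throughput each class carried in between. If the fw filters and the iptables marks line up, the per-class figures move while traffic flows and stay near the configured rates; a class that never leaves zero is not receiving its mark. The device name eth1, the 5 second interval, and the sample tc output embedded in the script (constructed, with the class ids from the post) are assumptions.

```shell
#!/bin/sh
# Added example: per-class throughput from two "tc -s class show" snapshots.
# Assumptions (hypothetical): device eth1, 5 s interval, the sample output
# below is constructed to look like classic iproute2 cbq statistics.

# Read "tc -s class show dev <dev>" on stdin, print "classid bytes" per class.
# Only the "class ..." header and its "Sent N bytes" line are used, so minor
# layout differences between iproute2 versions do not matter.
class_bytes() {
    awk '
        /^class /            { cls = $3 }
        /^ *Sent / && cls != "" { print cls, $2; cls = "" }
    '
}

# $1 = earlier snapshot file, $2 = later snapshot file, $3 = seconds between
# them. Prints kbit/s per class present in both snapshots.
class_rates() {
    awk -v secs="$3" '
        NR == FNR { before[$1] = $2; next }
        ($1 in before) {
            delta = $2 - before[$1]
            if (delta < 0) delta = 0      # counter reset or class re-created
            printf "%-8s %10.1f kbit/s\n", $1, delta * 8 / 1000 / secs
        }
    ' "$1" "$2"
}

# Live check against the real qdisc: monitor [dev] [seconds]
monitor() {
    dev=${1:-eth1}; secs=${2:-5}
    a=$(mktemp); b=$(mktemp)
    tc -s class show dev "$dev" | class_bytes > "$a"
    sleep "$secs"
    tc -s class show dev "$dev" | class_bytes > "$b"
    class_rates "$a" "$b" "$secs"
    rm -f "$a" "$b"
}

# Constructed sample snapshots (5 s apart) so the parser can be exercised
# offline. 10:100 moves 2000 bytes (its 3.2kbit bound), 10:400 moves 25000.
SAMPLE_BEFORE='class cbq 10: root rate 10000Kbit (bounded,isolated) prio no-transmit
 Sent 100000 bytes 900 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:1 parent 10: rate 64Kbit (bounded) prio 8
 Sent 100000 bytes 900 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:100 parent 10:1 leaf 8001: rate 3200bit prio 5
 Sent 1000 bytes 10 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:400 parent 10:1 leaf 8004: rate 44800bit prio 5
 Sent 5000 bytes 50 pkt (dropped 0, overlimits 0 requeues 0)'
SAMPLE_AFTER='class cbq 10: root rate 10000Kbit (bounded,isolated) prio no-transmit
 Sent 127000 bytes 1150 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:1 parent 10: rate 64Kbit (bounded) prio 8
 Sent 127000 bytes 1150 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:100 parent 10:1 leaf 8001: rate 3200bit prio 5
 Sent 3000 bytes 30 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:400 parent 10:1 leaf 8004: rate 44800bit prio 5
 Sent 30000 bytes 280 pkt (dropped 0, overlimits 0 requeues 0)'

# Offline demonstration on the constructed snapshots.
demo() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" | class_bytes > "$a"
    printf '%s\n' "$SAMPLE_AFTER"  | class_bytes > "$b"
    class_rates "$a" "$b" 5
    rm -f "$a" "$b"
}

if [ "${1:-}" = "--live" ]; then
    monitor "${2:-eth1}" "${3:-5}"
else
    demo
fi
```

Run it as `sh cbq_rates.sh --live eth1 10` while pushing traffic through the firewall. With the classes from the post, the lines for 10:100, 10:300, 10:200 and 10:400 should settle around 3.2, 3.2, 12.8 and 44.8 kbit/s under load (the bounded 10:100 cannot exceed its figure; the others may borrow from 10:1), and 10:1 should not exceed 64 kbit/s. If the mangle counters in `iptables -L -v -t mangle` grow but a class here stays at zero, the fw filter handle does not match the mark being set.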
Thread overview: 4+ messages
2002-07-09 4:17 ganesh kumar godavari [this message]
2002-07-09 6:41 ` [LARTC] cbq & iptables nat problems Vanitha
2002-07-09 9:55 ` bert hubert
2002-07-09 12:37 ` S Mohan