* [LARTC] cbq & iptables nat problems
@ 2002-07-09  4:17 ganesh kumar godavari
From: ganesh kumar godavari @ 2002-07-09  4:17 UTC (permalink / raw)
  To: lartc

Hey guys

I've 2 questions:

Question 1
################
I want to see if the bandwidth allocation using cbq is working properly or not.
I looked into Stef Coene's beautiful document (http://docum.org) for the monitor.pl.
I am not good at perl so can anyone help me to understand if there is any way I can check if the cbq is working.


Question 2
##################
I also want to know if anyone has worked on realserver. The real server client can use either the tcp or udp packets for voice/video transfer. I checked with ethereal. It looks like the packets are successfully forwarded by my firewall to my server in the private subnet. However, the server seems to be able to finish the tcp handshake with the real player. The last successful connection is the server sending the client [FIN, ACK]. After that, nothing happens. Why can't the realserver serve the video/voice packets?


Thanks
Ganesh


###########################################################################################


                 ____________                   10 mbps
         eth0   |            | eth1            |-----|            |---------------|
internet ------ |  firewall  |-----------------| hub |------------|  192.168.0.1  |
                |            |                 |-----|            |               |
                |____________|                                    |---------------|


  192.168.0.1 is running the following services

  http, https, pop3, smtp, realserver


goal
i want to allocate my internal bandwidth the following way

 	- 70% for http/https, realserver
 	- 20% for smtp, pop3
 	- 5% for tcp packets
 	- 5% for icmp packets

###############################################################
#The firewall Scripts
###############################################################

# In order to make the 192.168.0.1 talk to the outside world I run the following script
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward # Enables packet forwarding by kernel


# In order to redirect requests from firewall to the services we can use the following script
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth0 -j DNAT --to 192.168.0.2:21
iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth0 -j DNAT --to 192.168.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 23 -i eth0 -j DNAT --to 192.168.0.2:23
iptables -t nat -A PREROUTING -p tcp --dport nntp -i eth0 -j DNAT --to 192.168.0.2:22

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.2:443
iptables -t nat -A PREROUTING -p tcp --dport 8080 -i eth0 -j DNAT --to 192.168.0.2:8080
iptables -t nat -A PREROUTING -p tcp --dport 7070 -i eth0 -j DNAT --to 192.168.0.2:7070
iptables -t nat -A PREROUTING -p tcp --dport 554 -i eth0 -j DNAT --to 192.168.0.2:554
iptables -t nat -A PREROUTING -p tcp --dport 2687 -i eth0 -j DNAT --to 192.168.0.2:2687


# Class based queuing is done this way
TC=/sbin/tc
INTIF=eth1
EXTIF=eth0


add_class() {
# $1=parent class $2=classid $3=hiband $4=lowband $5=handle $6=style ("bounded" or empty)
# leaf class, an sfq qdisc under it, and an fw filter sending packets with mark $5 into it
$TC class add dev $INTIF parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
$TC qdisc add dev $INTIF parent $2 sfq quantum 1514b perturb 15
$TC filter add dev $INTIF protocol ip prio 3 handle $5 fw classid $2
}

# root cbq qdisc and one bounded parent class holding the whole 64kbit
$TC qdisc add dev $INTIF root handle 10: cbq bandwidth 10Mbit avpkt 1000
$TC class add dev $INTIF parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded

# First type of traffic ICMP, TCP-SYN, DNS will be marked '1' by the firewall code
# We will give it a bounded bandwidth of 5% of our total incoming bandwidth (64*0.05=3.2)
add_class 10:1 10:100 3.2kbit 0.32kbit 1 bounded

# Second type of traffic SMTP,POP3 will be marked '2' by the firewalling code
# We will give it a bounded bandwidth of 5% of our total incoming bandwidth (64*0.05=3.2)
add_class 10:1 10:300 3.2kbit 0.32kbit 2

# Third type of traffic ssh,ftp,telnet will be marked '3' by the firewalling code
# We will give it a bounded bandwidth of 20% of our total incoming bandwidth (64*0.20=12.8)
add_class 10:1 10:200 12.8kbit 1.28kbit 3

# Last type of traffic is interactive traffic. It will be marked '4' by the firewalling code
# We will give it a bounded bandwidth of 70% of our total incoming bandwidth (64*0.70=44.8)
add_class 10:1 10:400 44.8kbit 4.48kbit 4


# This is where the marking of packets is done
IPTABLES=/sbin/iptables

# Mark incoming and News traffic with mark value 3
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 21 -d 0/0 -t mangle -j MARK --set-mark 3
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 22 -d 0/0 -t mangle -j MARK --set-mark 3
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 23 -d 0/0 -t mangle -j MARK --set-mark 3

# Mark incoming www and Real Server traffic with mark value 4
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 80 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 443 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 7070 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 554 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport 2687 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p udp -o $INTIF -s 0/0 --dport 7070 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p udp -o $INTIF -s 0/0 --dport 554 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p udp -o $INTIF -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4


# Mark incoming mail traffic with mark value 2
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport smtp -d 0/0 -t mangle -j MARK --set-mark 2
$IPTABLES -A FORWARD -p tcp ! --syn -o $INTIF -s 0/0 --dport pop3 -d 0/0 -t mangle -j MARK --set-mark 2

# Allow icmp traffic, mark it with value 1
$IPTABLES -A FORWARD -p icmp -o $INTIF -t mangle -j MARK --set-mark 1
$IPTABLES -A FORWARD -p tcp --syn -o $INTIF -t mangle -j MARK --set-mark 1
$IPTABLES -A FORWARD -p udp -s 0/0 --dport 53 -o $INTIF -t mangle -j MARK --set-mark 1


$IPTABLES -A INPUT -j ACCEPT
$IPTABLES -A FORWARD -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT


the whole shell script can be downloaded from 
http://cs.uccs.edu/~gkgodava/tfinal.sh

I can see that the packets are marked
# iptables -L -v -t mangle
Chain FORWARD (policy ACCEPT 6404 packets, 1766K bytes)
 pkts bytes target prot opt in  out  source   destination
    0     0 MARK   tcp  -- any eth1 anywhere anywhere tcp dpt:ftp flags:!SYN,RST,ACK/SYN MARK set 0x3
  257 19602 MARK   tcp  -- any eth1 anywhere anywhere tcp dpt:ssh flags:!SYN,RST,ACK/SYN MARK set 0x3
  :
  :
  :


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] cbq & iptables nat problems
From: Vanitha @ 2002-07-09  6:41 UTC (permalink / raw)
  To: lartc


----- Original Message ----- 
From: "ganesh kumar godavari" <gkgodava@rediffmail.com>
To: <netfilter@lists.samba.org>; <acearns@yahoo.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, July 09, 2002 5:17 AM
Subject: [LARTC] cbq & iptables nat problems


Hello,

To find out whether CBQ is SET on the device or not, use the command
        # ip link show

This would show the queue attached to the device.

To find out the exact flow transmission in bits/bytes use iptraf.

Regards
Vanitha



> Hey guys
> 
> I've 2 questions:
> 
> Question 1
> ################
> I want to see if the bandwidth allocation using cbq is working 
> properly or not
> I looked into stef coene's beautiful document(http://docum.org) 
> for the monitor.pl.
> I am not good at perl so can anyone help me to understand if there 
> is anyway I can check if the cbq is working.
> 

* Re: [LARTC] cbq & iptables nat problems
From: bert hubert @ 2002-07-09  9:55 UTC (permalink / raw)
  To: lartc

On Tue, Jul 09, 2002 at 04:17:39AM -0000, ganesh kumar godavari wrote:

> server in the private subnet. However, the server seems to be able 
> to finish the tcp handshake with the real player. The last
> 
> successful connection is the sever sending the client [FIN, ACK]. 
> After that, nothing happens. Why can't the realserver

FIN,ACK means that the connection was closed by an application.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

* RE: [LARTC] cbq & iptables nat problems
From: S Mohan @ 2002-07-09 12:37 UTC (permalink / raw)
  To: lartc

Iptraf shows by interface. However, we cannot see traffic per flowid
which is what I guess is needed. I've been hunting for one myself. Staf
has promised a good working version using rrd on a stable basis shortly.
Right Staf?

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]
On Behalf Of Vanitha
Sent: 09 July, 2002 4:45 PM
To: lartc@mailman.ds9a.nl
Cc: ganesh kumar godavari
Subject: Re: [LARTC] cbq & iptables nat problems

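For Question 1 (is the cbq split actually working?) and for Mohan's point that iptraf only shows per-interface totals, the per-class counters that tc itself keeps are enough: `tc -s class show dev eth1` reports bytes sent and packets dropped for every classid (10:100, 10:200, ...), and two snapshots a known number of seconds apart give the per-class throughput and the drops that a bounded class produces when it hits its rate. The script below is an added example, not code from this thread or from Stef Coene's monitor.pl; the two snapshots it parses are constructed sample data laid out like tc's "class cbq <classid> ..." and " Sent <bytes> bytes <pkts> pkt (dropped <n>, ...)" lines, and the interface name and 10 second interval are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): derive per-class throughput and drop
# counts from two snapshots of `tc -s class show dev eth1` taken a known
# number of seconds apart. Only the "class cbq <classid> ..." lines and the
# " Sent <bytes> bytes <pkts> pkt (dropped <n>, overlimits <n> ...)" lines
# are parsed; the snapshots below are constructed sample data in that layout.

# class_rates SNAP1 SNAP2 INTERVAL_SECONDS
# Prints one line per class: "<classid> <bytes/s> <kbit/s> <drops-in-interval>"
class_rates() {
    awk -v interval="$3" '
        $1 == "class" { cls = $3 }                 # classid of the stats lines that follow
        $1 == "Sent" {
            if (NR == FNR) {                        # first snapshot
                b1[cls] = $2; d1[cls] = $7 + 0      # $7 is "<n>," -> numeric prefix
            } else {                                # second snapshot
                b2[cls] = $2; d2[cls] = $7 + 0; order[++n] = cls
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                bps = (b2[c] - b1[c]) / interval
                printf "%s %d %.1f %d\n", c, bps, bps * 8 / 1000, d2[c] - d1[c]
            }
        }' "$1" "$2"
}

# Constructed snapshots, 10 seconds apart (sample data, not a real capture).
SNAP1=$(mktemp) ; SNAP2=$(mktemp)
trap 'rm -f "$SNAP1" "$SNAP2"' EXIT
cat > "$SNAP1" <<'EOF'
class cbq 10: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 500000 bytes 4000 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:1 parent 10: rate 64Kbit prio 8
 Sent 500000 bytes 4000 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:100 parent 10:1 leaf 8001: rate 3200bit prio 5
 Sent 20000 bytes 300 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:200 parent 10:1 leaf 8002: rate 12800bit prio 5
 Sent 80000 bytes 600 pkt (dropped 0, overlimits 12 requeues 0)
class cbq 10:300 parent 10:1 leaf 8003: rate 3200bit prio 5
 Sent 20000 bytes 200 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:400 parent 10:1 leaf 8004: rate 44800bit prio 5
 Sent 380000 bytes 2900 pkt (dropped 3, overlimits 40 requeues 0)
EOF
cat > "$SNAP2" <<'EOF'
class cbq 10: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 564000 bytes 4520 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:1 parent 10: rate 64Kbit prio 8
 Sent 564000 bytes 4520 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:100 parent 10:1 leaf 8001: rate 3200bit prio 5
 Sent 24000 bytes 360 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:200 parent 10:1 leaf 8002: rate 12800bit prio 5
 Sent 80000 bytes 600 pkt (dropped 0, overlimits 12 requeues 0)
class cbq 10:300 parent 10:1 leaf 8003: rate 3200bit prio 5
 Sent 24000 bytes 240 pkt (dropped 0, overlimits 0 requeues 0)
class cbq 10:400 parent 10:1 leaf 8004: rate 44800bit prio 5
 Sent 436000 bytes 3320 pkt (dropped 15, overlimits 70 requeues 0)
EOF

# On a live firewall replace the two files with, for example:
#   tc -s class show dev eth1 > snap1; sleep 10; tc -s class show dev eth1 > snap2
class_rates "$SNAP1" "$SNAP2" 10
```

In the sample run class 10:400 sits at exactly 44.8 kbit/s with 12 packets dropped in the interval, which is what a bounded class looks like when its traffic wants more than its allotment, while 10:200 shows zero bytes and zero drops (no ssh/ftp/telnet traffic in that window). A class that stays at zero while `iptables -L -v -t mangle` shows its mark counter rising points at the fw filter (handle vs. mark value) rather than at the marking rules.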
