[LARTC] iptables, nat and traffic shaping woes

[LARTC] iptables, nat and traffic shaping woes

[Aaron Clausen]

As I try to solve my problems with iptables, nat and traffic shaping (with
ip accounting thrown intot he mix) a friend of mine just sent this claim.
Is it true?  Will I have to step back to ipchains, or is there a way to
force packets through the traffic shaping filters using iptables?

> If you are using iptables, you MUST forget it, or change to
> ipchains, because
> masq is done by nat table, and shaping is done by mangle table. I
> cannot found
> any way to drive the packet 1. thru nat, than mangle, instead of
> using OUTPUT
> and FORWARD.

-- 
Aaron Clausen

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] iptables, nat and traffic shaping woes

[Stef Coene]

On Tuesday 08 October 2002 20:57, Aaron Clausen wrote:
> As I try to solve my problems with iptables, nat and traffic shaping (with
> ip accounting thrown intot he mix) a friend of mine just sent this claim.
> Is it true?  Will I have to step back to ipchains, or is there a way to
> force packets through the traffic shaping filters using iptables?
>
> > If you are using iptables, you MUST forget it, or change to
> > ipchains, because
> > masq is done by nat table, and shaping is done by mangle table. I
> > cannot found
> > any way to drive the packet 1. thru nat, than mangle, instead of
> > using OUTPUT
> > and FORWARD.
Shaping is not done by mangle table, shaping is done when the packet leaves 
the box.  But marking is done in the mangle table.  I don't understand what's 
the problem.  You can mark the packets in mangle and masq in nat ???

You can find more info on www.docum.org under KPTD.


Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] iptables, nat and traffic shaping woes

[Martin A. Brown]

Aaron,

Visit the kernel packet traveling diagram linked from 
http://www.docum.org/.  This may answer your question.  If not, then 
explain to us what you are using each of the tools for.

It sounds like you are using

  iptables -t nat -j MASQUERADE   (or something like that; maybe SNAT?)
  iptables -t mangle ???          (what are you doing with mangle)
  tc

 : As I try to solve my problems with iptables, nat and traffic shaping (with
 : ip accounting thrown intot he mix) a friend of mine just sent this claim.
 : Is it true?  Will I have to step back to ipchains, or is there a way to
 : force packets through the traffic shaping filters using iptables?

Without knowing what exactly you are trying to do, we can't answer your 
question, and certainly can't comment on the veracity of your friend's 
statement.

As a general guideline though, if you can think of a way to do something 
with ipchains, you can probably do something similar with iptables (and 
usually it's easier with iptables).

 : > If you are using iptables, you MUST forget it, or change to
 : > ipchains, because masq is done by nat table, and shaping is done by
 : > mangle table. I cannot found any way to drive the packet 1. thru
 : > nat, than mangle, instead of using OUTPUT and FORWARD.

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/