From: "GoMi ." <gomiuk@hotmail.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Problem with iptables and CONNTRACK
Date: Wed, 18 Jun 2003 11:20:47 +0000
Message-ID: <marc-lartc-105593551826244@msgid-missing>
I know this is not the right place to ask this question, but I have a
stateful firewall and I am doing CONNTRACKING to mark the TCP connections,
and then, with filters based on fw marks, put them in the right qdisc.
The problem is that I have an uplink bandwidth of 300kbit, restricted to
250kbit by the htb class. Here is my script to mark my traffic with qdiscs:
DEV=eth0
# root qdisc; unclassified traffic falls into class 1:20
tc qdisc add dev ${DEV} handle 1: root htb default 20
# top-level class hangs off the root qdisc (parent 1:); a class cannot be its own parent
tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit
# note: the four child rates below add up to 255kbit, more than the 250kbit of 1:1
## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
## Non Interactive
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
## ICMP
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40
## Web-Server
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50
And here is my mangle setup:
# reuse the mark already saved on the connection, if any
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
# packets that already carry a mark are done
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
# unmarked packets (first packet of a connection) get classified
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j kazaa
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j marks
# remember the packet mark on the connection for its remaining packets
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
marks and kazaa are just -j MARK according to the traffic.
I am monitoring at which speed each class is sending data, and it only goes
up to 10 KB altogether.
Does anybody know why it is not going up to at least 20-23 KB? I am going
crazy! :)
Interactive traffic goes quite well actually, but since I am getting such a low
uplink speed, I suppose I am not getting good usage of the downlink
traffic, maybe because it does not send ACK packets quickly enough.
Anybody willing to help? :)
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
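An added example, not part of the original post or the LARTC HOWTO: the poster is watching "at which speed each class is sending data", which on HTB means diffing the "Sent N bytes" counters of `tc -s class show dev eth0` over a known interval. The POSIX shell function below does that diff for every class in two snapshots; the function names, the output format and the two snapshot strings (constructed sample output, counters made up, 5 seconds apart) are my own. Only `tc_class_rates` touches a live box and needs root and the tc binary; everything else runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): per-class throughput on an HTB
# device, computed by diffing the "Sent N bytes" counters of two snapshots of
# `tc -s class show dev <dev>`.  Function names and output format are my own.

# $1 = earlier snapshot, $2 = later snapshot, $3 = seconds between them.
# Prints one "classid KB/s" line per class (integer KB/s), sorted by classid.
tc_rate_from_snapshots() {
    { printf '%s\n' "$1"; printf '=== SECOND ===\n'; printf '%s\n' "$2"; } |
    awk -v interval="$3" '
        /^=== SECOND ===$/ { second = 1; next }
        /^class htb/       { cls = $3 }        # "class htb 1:10 parent 1:1 ..."
        /^ *Sent/ {                            # " Sent 400000 bytes 500 pkt ..."
            if (second) delta[cls] = $2 - first[cls]
            else        first[cls] = $2
        }
        END {
            for (c in delta)
                printf "%s %d\n", c, delta[c] / interval / 1024
        }' | sort
}

# Live use (needs root and tc): tc_class_rates eth0 5
tc_class_rates() {
    dev=$1; interval=${2:-5}
    before=$(tc -s class show dev "$dev")
    sleep "$interval"
    after=$(tc -s class show dev "$dev")
    tc_rate_from_snapshots "$before" "$after" "$interval"
}

# Constructed sample snapshots in `tc -s class show` format, taken 5 s apart.
# Only the "class htb" and "Sent" lines matter to the parser; counters are made up.
SNAP_A=$(cat <<'EOF'
class htb 1:1 root rate 250Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 1000000 bytes 1200 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 100Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent 400000 bytes 500 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 100Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent 600000 bytes 700 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
EOF
)
SNAP_B=$(cat <<'EOF'
class htb 1:1 root rate 250Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 1051200 bytes 1262 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 100Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent 420480 bytes 524 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 100Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent 630720 bytes 738 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
EOF
)

# Offline demo on the constructed snapshots: prints "1:1 10", "1:10 4", "1:20 6"
tc_rate_from_snapshots "$SNAP_A" "$SNAP_B" 5
```

The root class 1:1 counts everything its children send, so its line is the total uplink rate the poster is comparing against the 250kbit ceiling; the per-leaf lines show where the bytes go. Because the root qdisc was created with `default 20`, a leaf 1:20 that carries almost all of the traffic while 1:10 and 1:50 stay near zero is a quick sign that the fw marks are not reaching the egress classifier at all.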