[LARTC] Problem with iptables and CONNTRACK
From: GoMi . @ 2003-06-18 11:20 UTC (permalink / raw)
  To: lartc

I know this is not the right place to ask this question, but I have a 
stateful firewall and I am doing CONNTRACKING to mark the TCP connections, 
and then, with filters based on fw marks, put them in the right qdisc.

The problem is that I have an uplink bandwidth of 300kbit restricted to 
250kbit by the htb class. Here is my script to mark my traffic with qdiscs:

DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 20
# The root class hangs off the qdisc handle (parent 1:), not off itself.
tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit

## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

## Non Interactive
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

## ICMP
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

## Web-Server
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

And here is my mangle setup:

  iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
  iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -j kazaa
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -j marks
  iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

marks and kazaa are just -j MARK according to the traffic.

I am monitoring at which speed each class is sending data, and it only goes 
up to 10KB altogether...

Does anybody know why it is not going up to at least 20-23 KB? I am going 
crazy! :)
Interactive traffic goes quite well actually, but since I am getting such a low 
uplink speed, I suppose I am not getting good usage of the downlink 
traffic, maybe because it does not send ACK packets quickly enough.

Anybody willing to help? :)


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
