[LARTC] beginner question about imq

[LARTC] beginner question about imq

[Szálka Tamás]

Hi!

I have to make a firewall which guarantees bandwidth to several clients 
(both upstream and downstream should be limitied). It has three interfaces, 
eth0 facing to the internet, eth1 to local network with several ip 
addresses (different subnets) and eth2 to dmz (webserver). Egress traffic 
is ok, I set up the tc rules to eth0 and the upstream limiting is fine. But 
I have to manage bandwidth of downloading too.
While eth0 has one public ip address, the firewall does masquerading to the 
local subnets (with local ip ranges). So should I set up an imq device on 
eth1 with iptables mangle through the prerouting chain to do traffic 
shaping to the subnets? In this case the packets arrive to eth1 already 
masqueraded (am I right?) and I can limit the ingress traffic of local 
adresses. Or should I use the imq on eth0? Doesn't it bothers egress 
shaping? I'm confused a little bit... :-s
Can you help me?

Thanks
Tom



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Raghuveer]

Szálka Tamás wrote:

> Hi!
>
> I have to make a firewall which guarantees bandwidth to several 
> clients (both upstream and downstream should be limitied). It has 
> three interfaces, eth0 facing to the internet, eth1 to local network 
> with several ip addresses (different subnets) and eth2 to dmz 
> (webserver). Egress traffic is ok, I set up the tc rules to eth0 and 
> the upstream limiting is fine. But I have to manage bandwidth of 
> downloading too.
> While eth0 has one public ip address, the firewall does masquerading 
> to the local subnets (with local ip ranges). So should I set up an imq 
> device on eth1 with iptables mangle through the prerouting chain to do 
> traffic shaping to the subnets? In this case the packets arrive to 
> eth1 already masqueraded (am I right?) and I can limit the ingress 
> traffic of local adresses. Or should I use the imq on eth0? Doesn't it 
> bothers egress shaping? I'm confused a little bit... :-s
> Can you help me?
>
> Thanks
> Tom
>
I feel imq+HTB on eth0 is an ideal solution for ur requirement.

Regards
-Raghu

>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Szálka Tamás]

At 16:51 2003. 09. 10.­ +0530, you wrote:
>Szálka Tamás wrote:
>
>>Hi!
>>
>>I have to make a firewall which guarantees bandwidth to several clients 
>>(both upstream and downstream should be limitied). It has three 
>>interfaces, eth0 facing to the internet, eth1 to local network with 
>>several ip addresses (different subnets) and eth2 to dmz (webserver). 
>>Egress traffic is ok, I set up the tc rules to eth0 and the upstream 
>>limiting is fine. But I have to manage bandwidth of downloading too.
>>While eth0 has one public ip address, the firewall does masquerading to 
>>the local subnets (with local ip ranges). So should I set up an imq 
>>device on eth1 with iptables mangle through the prerouting chain to do 
>>traffic shaping to the subnets? In this case the packets arrive to eth1 
>>already masqueraded (am I right?) and I can limit the ingress traffic of 
>>local adresses. Or should I use the imq on eth0? Doesn't it bothers 
>>egress shaping? I'm confused a little bit... :-s
>>Can you help me?
>>
>>Thanks
>>Tom
>I feel imq+HTB on eth0 is an ideal solution for ur requirement.
>
>Regards
>-Raghu

I'd like to filter the packages on their SNAT-ed (local) ip addresses. when 
the package enters the IMQ right after the iptables PREROUTING chain, does 
it have SNAT-ed ip addresses? As far as I know the SNAT happens in the 
POSTROUTING chain. Am I wrong? Or am I even more confused? :)

Tom


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Stef Coene]

On Wednesday 10 September 2003 20:13, Szálka Tamás wrote:
> At 16:51 2003. 09. 10.­ +0530, you wrote:
> >Szálka Tamás wrote:
> >>Hi!
> >>
> >>I have to make a firewall which guarantees bandwidth to several clients
> >>(both upstream and downstream should be limitied). It has three
> >>interfaces, eth0 facing to the internet, eth1 to local network with
> >>several ip addresses (different subnets) and eth2 to dmz (webserver).
> >>Egress traffic is ok, I set up the tc rules to eth0 and the upstream
> >>limiting is fine. But I have to manage bandwidth of downloading too.
> >>While eth0 has one public ip address, the firewall does masquerading to
> >>the local subnets (with local ip ranges). So should I set up an imq
> >>device on eth1 with iptables mangle through the prerouting chain to do
> >>traffic shaping to the subnets? In this case the packets arrive to eth1
> >>already masqueraded (am I right?) and I can limit the ingress traffic of
> >>local adresses. Or should I use the imq on eth0? Doesn't it bothers
> >>egress shaping? I'm confused a little bit... :-s
> >>Can you help me?
> >>
> >>Thanks
> >>Tom
> >
> >I feel imq+HTB on eth0 is an ideal solution for ur requirement.
> >
> >Regards
> >-Raghu
>
> I'd like to filter the packages on their SNAT-ed (local) ip addresses. when
> the package enters the IMQ right after the iptables PREROUTING chain, does
> it have SNAT-ed ip addresses? As far as I know the SNAT happens in the
> POSTROUTING chain. Am I wrong? Or am I even more confused? :)
See
http://www.docum.org/stef.coene/qos/kptd/

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Szálka Tamás]

>
>See
>http://www.docum.org/stef.coene/qos/kptd/
>
>Stef
thanks, that's very useful for me
Tom



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Toshiro Viera]

> >
> > I'd like to filter the packages on their SNAT-ed (local) ip addresses. when
> > the package enters the IMQ right after the iptables PREROUTING chain, does
> > it have SNAT-ed ip addresses? As far as I know the SNAT happens in the
> > POSTROUTING chain. Am I wrong? Or am I even more confused? :)
> See
> http://www.docum.org/stef.coene/qos/kptd/
> 
> Stef

Stef, 

The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
(or without) the IMQ NAT patch?

-- 
Toshiro Viera <tviera@arnaldocastro.com.uy>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Stef Coene]

On Thursday 11 September 2003 14:39, Toshiro Viera wrote:
> > > I'd like to filter the packages on their SNAT-ed (local) ip addresses.
> > > when the package enters the IMQ right after the iptables PREROUTING
> > > chain, does it have SNAT-ed ip addresses? As far as I know the SNAT
> > > happens in the POSTROUTING chain. Am I wrong? Or am I even more
> > > confused? :)
> >
> > See
> > http://www.docum.org/stef.coene/qos/kptd/
> >
> > Stef
>
> Stef,
>
> The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
> (or without) the IMQ NAT patch?
Without.  In prerouting, you see that IMQ is before nat.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Szálka Tamás]

At 19:15 2003. 09. 11.istory. +0200, you wrote:

> >
> > The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
> > (or without) the IMQ NAT patch?
>Without.  In prerouting, you see that IMQ is before nat.
>
>Stef
With the IMQ NAT patch the order is reversed? The filtering on 
de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ, isn't it?
Tom



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Stef Coene]

On Friday 12 September 2003 17:22, Szálka Tamás wrote:
> At 19:15 2003. 09. 11.istory. +0200, you wrote:
> > > The picture you have in http://www.docum.org/stef.coene/qos/kptd is
> > > with (or without) the IMQ NAT patch?
> >
> >Without.  In prerouting, you see that IMQ is before nat.
> >
> >Stef
>
> With the IMQ NAT patch the order is reversed? The filtering on
> de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ, isn't
> it? Tom
The nat in prerouting is also reponsible for rewriting the addresses of natted 
packets.  So you want IMQ after nat so the packets entering the imq device 
have the real ip address.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Szálka Tamás]

At 18:58 2003. 09. 12.­ +0200, you wrote:

> >
> > With the IMQ NAT patch the order is reversed? The filtering on
> > de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ, isn't
> > it? Tom
>The nat in prerouting is also reponsible for rewriting the addresses of 
>natted
>packets.  So you want IMQ after nat so the packets entering the imq device
>have the real ip address.
>
>Stef

What do mean by "real ip address"? So when the packet arrives into the imq, 
the address in the packet is the local (i.e. 10.0.0.x) address?
Thanks
Tom



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] beginner question about imq

[Stef Coene]

On Friday 12 September 2003 21:07, Szálka Tamás wrote:
> At 18:58 2003. 09. 12.­ +0200, you wrote:
> > > With the IMQ NAT patch the order is reversed? The filtering on
> > > de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ,
> > > isn't it? Tom
> >
> >The nat in prerouting is also reponsible for rewriting the addresses of
> >natted
> >packets.  So you want IMQ after nat so the packets entering the imq device
> >have the real ip address.
> >
> >Stef
>
> What do mean by "real ip address"? So when the packet arrives into the imq,
> the address in the packet is the local (i.e. 10.0.0.x) address?
Yes.  At least it should.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/