* [LARTC] beginner question about imq
@ 2003-09-10 10:23 Szálka Tamás
  2003-09-10 11:33 ` Raghuveer
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Szálka Tamás @ 2003-09-10 10:23 UTC (permalink / raw)
  To: lartc

Hi!

I have to make a firewall which guarantees bandwidth to several clients 
(both upstream and downstream should be limited). It has three interfaces, 
eth0 facing to the internet, eth1 to local network with several ip 
addresses (different subnets) and eth2 to dmz (webserver). Egress traffic 
is ok, I set up the tc rules to eth0 and the upstream limiting is fine. But 
I have to manage bandwidth of downloading too.
While eth0 has one public ip address, the firewall does masquerading to the 
local subnets (with local ip ranges). So should I set up an imq device on 
eth1 with iptables mangle through the prerouting chain to do traffic 
shaping to the subnets? In this case the packets arrive to eth1 already 
masqueraded (am I right?) and I can limit the ingress traffic of local 
addresses. Or should I use the imq on eth0? Doesn't it bother egress 
shaping? I'm confused a little bit... :-s
Can you help me?

Thanks
Tom



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
@ 2003-09-10 11:33 ` Raghuveer
  2003-09-10 18:13 ` Szálka Tamás
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Raghuveer @ 2003-09-10 11:33 UTC (permalink / raw)
  To: lartc

Szálka Tamás wrote:

> Hi!
>
> I have to make a firewall which guarantees bandwidth to several 
> clients (both upstream and downstream should be limited). It has 
> three interfaces, eth0 facing to the internet, eth1 to local network 
> with several ip addresses (different subnets) and eth2 to dmz 
> (webserver). Egress traffic is ok, I set up the tc rules to eth0 and 
> the upstream limiting is fine. But I have to manage bandwidth of 
> downloading too.
> While eth0 has one public ip address, the firewall does masquerading 
> to the local subnets (with local ip ranges). So should I set up an imq 
> device on eth1 with iptables mangle through the prerouting chain to do 
> traffic shaping to the subnets? In this case the packets arrive to 
> eth1 already masqueraded (am I right?) and I can limit the ingress 
> traffic of local addresses. Or should I use the imq on eth0? Doesn't it 
> bother egress shaping? I'm confused a little bit... :-s
> Can you help me?
>
> Thanks
> Tom
>
I feel imq+HTB on eth0 is an ideal solution for ur requirement.

Regards
-Raghu


* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
  2003-09-10 11:33 ` Raghuveer
@ 2003-09-10 18:13 ` Szálka Tamás
  2003-09-10 18:36 ` Stef Coene
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Szálka Tamás @ 2003-09-10 18:13 UTC (permalink / raw)
  To: lartc

At 16:51 2003. 09. 10. +0530, you wrote:
>Szálka Tamás wrote:
>
>>Hi!
>>
>>I have to make a firewall which guarantees bandwidth to several clients 
>>(both upstream and downstream should be limited). It has three 
>>interfaces, eth0 facing to the internet, eth1 to local network with 
>>several ip addresses (different subnets) and eth2 to dmz (webserver). 
>>Egress traffic is ok, I set up the tc rules to eth0 and the upstream 
>>limiting is fine. But I have to manage bandwidth of downloading too.
>>While eth0 has one public ip address, the firewall does masquerading to 
>>the local subnets (with local ip ranges). So should I set up an imq 
>>device on eth1 with iptables mangle through the prerouting chain to do 
>>traffic shaping to the subnets? In this case the packets arrive to eth1 
>>already masqueraded (am I right?) and I can limit the ingress traffic of 
>>local addresses. Or should I use the imq on eth0? Doesn't it bother 
>>egress shaping? I'm confused a little bit... :-s
>>Can you help me?
>>
>>Thanks
>>Tom
>I feel imq+HTB on eth0 is an ideal solution for ur requirement.
>
>Regards
>-Raghu

I'd like to filter the packages on their SNAT-ed (local) ip addresses. When 
the package enters the IMQ right after the iptables PREROUTING chain, does 
it have SNAT-ed ip addresses? As far as I know the SNAT happens in the 
POSTROUTING chain. Am I wrong? Or am I even more confused? :)

Tom



* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
  2003-09-10 11:33 ` Raghuveer
  2003-09-10 18:13 ` Szálka Tamás
@ 2003-09-10 18:36 ` Stef Coene
  2003-09-10 19:16 ` Szálka Tamás
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Stef Coene @ 2003-09-10 18:36 UTC (permalink / raw)
  To: lartc

On Wednesday 10 September 2003 20:13, Szálka Tamás wrote:
> At 16:51 2003. 09. 10. +0530, you wrote:
> >Szálka Tamás wrote:
> >>Hi!
> >>
> >>I have to make a firewall which guarantees bandwidth to several clients
> >>(both upstream and downstream should be limited). It has three
> >>interfaces, eth0 facing to the internet, eth1 to local network with
> >>several ip addresses (different subnets) and eth2 to dmz (webserver).
> >>Egress traffic is ok, I set up the tc rules to eth0 and the upstream
> >>limiting is fine. But I have to manage bandwidth of downloading too.
> >>While eth0 has one public ip address, the firewall does masquerading to
> >>the local subnets (with local ip ranges). So should I set up an imq
> >>device on eth1 with iptables mangle through the prerouting chain to do
> >>traffic shaping to the subnets? In this case the packets arrive to eth1
> >>already masqueraded (am I right?) and I can limit the ingress traffic of
> >>local addresses. Or should I use the imq on eth0? Doesn't it bother
> >>egress shaping? I'm confused a little bit... :-s
> >>Can you help me?
> >>
> >>Thanks
> >>Tom
> >
> >I feel imq+HTB on eth0 is an ideal solution for ur requirement.
> >
> >Regards
> >-Raghu
>
> I'd like to filter the packages on their SNAT-ed (local) ip addresses. When
> the package enters the IMQ right after the iptables PREROUTING chain, does
> it have SNAT-ed ip addresses? As far as I know the SNAT happens in the
> POSTROUTING chain. Am I wrong? Or am I even more confused? :)
See
http://www.docum.org/stef.coene/qos/kptd/

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net


* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (2 preceding siblings ...)
  2003-09-10 18:36 ` Stef Coene
@ 2003-09-10 19:16 ` Szálka Tamás
  2003-09-11 12:39 ` Toshiro Viera
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Szálka Tamás @ 2003-09-10 19:16 UTC (permalink / raw)
  To: lartc


>
>See
>http://www.docum.org/stef.coene/qos/kptd/
>
>Stef
thanks, that's very useful for me
Tom




* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (3 preceding siblings ...)
  2003-09-10 19:16 ` Szálka Tamás
@ 2003-09-11 12:39 ` Toshiro Viera
  2003-09-11 17:15 ` Stef Coene
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Toshiro Viera @ 2003-09-11 12:39 UTC (permalink / raw)
  To: lartc

> >
> > I'd like to filter the packages on their SNAT-ed (local) ip addresses. When
> > the package enters the IMQ right after the iptables PREROUTING chain, does
> > it have SNAT-ed ip addresses? As far as I know the SNAT happens in the
> > POSTROUTING chain. Am I wrong? Or am I even more confused? :)
> See
> http://www.docum.org/stef.coene/qos/kptd/
> 
> Stef

Stef, 

The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
(or without) the IMQ NAT patch?

-- 
Toshiro Viera <tviera@arnaldocastro.com.uy>


* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (4 preceding siblings ...)
  2003-09-11 12:39 ` Toshiro Viera
@ 2003-09-11 17:15 ` Stef Coene
  2003-09-12 15:22 ` Szálka Tamás
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Stef Coene @ 2003-09-11 17:15 UTC (permalink / raw)
  To: lartc

On Thursday 11 September 2003 14:39, Toshiro Viera wrote:
> > > I'd like to filter the packages on their SNAT-ed (local) ip addresses.
> > > When the package enters the IMQ right after the iptables PREROUTING
> > > chain, does it have SNAT-ed ip addresses? As far as I know the SNAT
> > > happens in the POSTROUTING chain. Am I wrong? Or am I even more
> > > confused? :)
> >
> > See
> > http://www.docum.org/stef.coene/qos/kptd/
> >
> > Stef
>
> Stef,
>
> The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
> (or without) the IMQ NAT patch?
Without.  In prerouting, you see that IMQ is before nat.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net


* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (5 preceding siblings ...)
  2003-09-11 17:15 ` Stef Coene
@ 2003-09-12 15:22 ` Szálka Tamás
  2003-09-12 16:58 ` Stef Coene
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Szálka Tamás @ 2003-09-12 15:22 UTC (permalink / raw)
  To: lartc

At 19:15 2003. 09. 11. +0200, you wrote:

> >
> > The picture you have in http://www.docum.org/stef.coene/qos/kptd is with
> > (or without) the IMQ NAT patch?
>Without.  In prerouting, you see that IMQ is before nat.
>
>Stef
With the IMQ NAT patch the order is reversed? The filtering on 
de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ, isn't it?
Tom




* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (6 preceding siblings ...)
  2003-09-12 15:22 ` Szálka Tamás
@ 2003-09-12 16:58 ` Stef Coene
  2003-09-12 19:07 ` Szálka Tamás
  2003-09-12 21:22 ` Stef Coene
  9 siblings, 0 replies; 11+ messages in thread
From: Stef Coene @ 2003-09-12 16:58 UTC (permalink / raw)
  To: lartc

On Friday 12 September 2003 17:22, Szálka Tamás wrote:
> At 19:15 2003. 09. 11. +0200, you wrote:
> > > The picture you have in http://www.docum.org/stef.coene/qos/kptd is
> > > with (or without) the IMQ NAT patch?
> >
> >Without.  In prerouting, you see that IMQ is before nat.
> >
> >Stef
>
> With the IMQ NAT patch the order is reversed? The filtering on
> de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ, isn't
> it? Tom
The nat in prerouting is also responsible for rewriting the addresses of natted 
packets.  So you want IMQ after nat so the packets entering the imq device 
have the real ip address.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net


* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (7 preceding siblings ...)
  2003-09-12 16:58 ` Stef Coene
@ 2003-09-12 19:07 ` Szálka Tamás
  2003-09-12 21:22 ` Stef Coene
  9 siblings, 0 replies; 11+ messages in thread
From: Szálka Tamás @ 2003-09-12 19:07 UTC (permalink / raw)
  To: lartc

At 18:58 2003. 09. 12. +0200, you wrote:

> >
> > With the IMQ NAT patch the order is reversed? The filtering on
> > de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ, isn't
> > it? Tom
>The nat in prerouting is also responsible for rewriting the addresses of 
>natted
>packets.  So you want IMQ after nat so the packets entering the imq device
>have the real ip address.
>
>Stef

What do you mean by "real ip address"? So when the packet arrives into the imq, 
the address in the packet is the local (i.e. 10.0.0.x) address?
Thanks
Tom




* Re: [LARTC] beginner question about imq
  2003-09-10 10:23 [LARTC] beginner question about imq Szálka Tamás
                   ` (8 preceding siblings ...)
  2003-09-12 19:07 ` Szálka Tamás
@ 2003-09-12 21:22 ` Stef Coene
  9 siblings, 0 replies; 11+ messages in thread
From: Stef Coene @ 2003-09-12 21:22 UTC (permalink / raw)
  To: lartc

On Friday 12 September 2003 21:07, Szálka Tamás wrote:
> At 18:58 2003. 09. 12. +0200, you wrote:
> > > With the IMQ NAT patch the order is reversed? The filtering on
> > > de-masqueraded addresses is only possible, if NAT is b e f o r e IMQ,
> > > isn't it? Tom
> >
> >The nat in prerouting is also responsible for rewriting the addresses of
> >natted
> >packets.  So you want IMQ after nat so the packets entering the imq device
> >have the real ip address.
> >
> >Stef
>
> What do you mean by "real ip address"? So when the packet arrives into the imq,
> the address in the packet is the local (i.e. 10.0.0.x) address?
Yes.  At least it should.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net
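
The setup this thread converges on (IMQ on eth0, NAT before IMQ in PREROUTING, filters on the local 10.0.0.x addresses), as an added example that is not part of any message above. It assumes a kernel with the IMQ patch and the IMQ NAT patch; imq_download_rules is a hypothetical helper, and the addresses, rates and class ids are constructed sample values. It only prints the commands, and refuses a plan whose guaranteed rates do not fit inside the link rate.

```sh
#!/bin/sh
# Added example: prints (does not run) the commands for download shaping on imq0.
# Assumption: IMQ sits after PREROUTING NAT (IMQ NAT patch), so packets entering
# imq0 already carry the de-masqueraded local destination address.

# usage: imq_download_rules WAN_IF LINK_KBIT IP:KBIT [IP:KBIT ...]
imq_download_rules() {
    wan=$1; link=$2; shift 2
    sum=0
    for c in "$@"; do
        rate=${c#*:}
        case $rate in ''|*[!0-9]*) echo "bad rate in '$c'" >&2; return 2;; esac
        sum=$((sum + rate))
    done
    # HTB can only guarantee child rates that fit inside the parent rate;
    # some bandwidth must also remain for the default class.
    if [ "$sum" -ge "$link" ]; then
        echo "guaranteed rates (${sum}kbit) do not fit in link (${link}kbit)" >&2
        return 1
    fi

    echo "modprobe imq numdevs=1"
    echo "ip link set imq0 up"
    # Egress shaping stays on $wan itself; only packets arriving on $wan
    # (the download direction) are diverted through imq0.
    echo "iptables -t mangle -A PREROUTING -i $wan -j IMQ --todev 0"
    echo "tc qdisc add dev imq0 root handle 1: htb default 999"
    echo "tc class add dev imq0 parent 1: classid 1:1 htb rate ${link}kbit"
    id=10
    for c in "$@"; do
        ip=${c%%:*}; rate=${c#*:}
        echo "tc class add dev imq0 parent 1:1 classid 1:$id htb rate ${rate}kbit ceil ${link}kbit"
        # Matching on the local address works only because NAT ran before IMQ.
        echo "tc filter add dev imq0 parent 1: protocol ip prio 1 u32 match ip dst $ip/32 flowid 1:$id"
        id=$((id + 10))
    done
    # Traffic matching no filter lands in 1:999 and gets the remaining rate.
    rest=$((link - sum))
    echo "tc class add dev imq0 parent 1:1 classid 1:999 htb rate ${rest}kbit ceil ${link}kbit"
}

# Constructed sample: 2 Mbit downlink, two masqueraded clients.
imq_download_rules eth0 2000 10.0.0.2:512 10.0.0.3:1024
```

Without the IMQ NAT patch the u32 filters above would see the firewall's public address as destination on every packet, and all traffic would fall into the default class.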
