[LARTC] mangle

[LARTC] mangle

[Eddie]

Hi all
I have a linux gateway box,eth1 internet and eth0 lan
Now I made my qdisk for eth1 but now I want to mark them with iptables.
The thing it I dont now wht to use,-A FORWARD or PREROUTING?
Please can someone help
thanks

eddie

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

RE: [LARTC] mangle

[Mike]

I mark everything on my internal interface.  I have classes for incoming
websurfing traffic which I use HTB to control the traffic.  This is done
on my internal NIC.

I also have classes on my external interface which controls my outgoing
traffic such as web (port 80) and smtp (port 25).  This is done on my
external NIC.

Mike Fetherston

> -----Original Message-----
> From: Eddie [mailto:eddieknows@ananzi.co.za]
> Sent: Monday, December 08, 2003 10:02 AM
> To: Mike
> Subject: RE: [LARTC] mangle
> 
> So you put all rules on your internal interface?
> 
> On Mon, 2003-12-08 at 16:43, Mike wrote:
> > *This message was transferred with a trial version of
CommuniGate(tm)
> Pro*
> > In my case eth1 is my internal NIC.  I'm giving certain groups of
IP's
> > certain amounts of bandwidth.  If you're trying to give full
bandwidth
> > to ssh traffic, you could mark on destination port 22 and assign
that
> > mark to a flowid with full bandwidth.  I believe you would still use
the
> > PREROUTING table to mark with.
> >
> > Why do you want to give SSH traffic full bandwidth?
> >
> > Mike Fetherston
> >
> > > -----Original Message-----
> > > From: Eddie [mailto:eddieknows@ananzi.co.za]
> > > Sent: Monday, December 08, 2003 9:53 AM
> > > To: Mike
> > > Subject: RE: [LARTC] mangle
> > >
> > > ok that is how I have,if eth1 is external,this will shape traffic
for
> > > all the lan people,right.
> > > BUT what do I do to give me full bandwidth when I ssh remotely to
work
> > > on the box.Will I use OUTPUT??
> > > Thanks,it helped allot:-)realy
> > >
> > >
> > > On Mon, 2003-12-08 at 16:31, Mike wrote:
> > > > *This message was transferred with a trial version of
> > CommuniGate(tm)
> > > Pro*
> > > > I've been using PREROUTING to mark packets and it's been working
> > very
> > > > well.
> > > >
> > > > iptables -t mangle -I PREROUTING -i eth1 -s $IP --j MARK
--set-mark
> > 3
> > > >
> > > > and if you're using HTB, this command:
> > > >
> > > > tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 3 fw
> > flowid
> > > > 1:13
> > > >
> > > > will act on those marked packets.  It's the 'handle 3' which
uses
> > the
> > > > --set-mark 3.
> > > >
> > > > Mike Fetherston
> > > >
> > > > > -----Original Message-----
> > > > > From: Eddie [mailto:eddieknows@ananzi.co.za]
> > > > > Sent: Monday, December 08, 2003 8:40 AM
> > > > > To: lartc
> > > > > Subject: [LARTC] mangle
> > > > >
> > > > > Hi all
> > > > > I have a linux gateway box,eth1 internet and eth0 lan
> > > > > Now I made my qdisk for eth1 but now I want to mark them with
> > > > iptables.
> > > > > The thing it I dont now wht to use,-A FORWARD or PREROUTING?
> > > > > Please can someone help
> > > > > thanks
> > > > >
> > > > > eddie
> > > > >
> > > > > _______________________________________________
> > > > > LARTC mailing list / LARTC@mailman.ds9a.nl
> > > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
> > http://lartc.org/
> >

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] mangle

[Jose Luis Domingo Lopez]

On Monday, 08 December 2003, at 15:39:48 +0200,
Eddie wrote:

> I have a linux gateway box,eth1 internet and eth0 lan
> Now I made my qdisk for eth1 but now I want to mark them with iptables.
> The thing it I dont now wht to use,-A FORWARD or PREROUTING?
> 
Check for the Kernel Packet Traveling Diagram at:
http://www.docum.org/stef.coene/qos/kptd/

You will see very clearly the path of packets traversing your Linux box,
and will be able to know the exact place where to mark traffic.

Greetings.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.0-test10-mm1)
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

RE: [LARTC] mangle

[Ronnie Garcia]

> On Monday, 08 December 2003, at 15:39:48 +0200,
> Eddie wrote:
>
> > I have a linux gateway box,eth1 internet and eth0 lan
> > Now I made my qdisk for eth1 but now I want to mark them with iptables.
> > The thing it I dont now wht to use,-A FORWARD or PREROUTING?
> >
> Check for the Kernel Packet Traveling Diagram at:
> http://www.docum.org/stef.coene/qos/kptd/

Please note that this diagram is not valid for iptables.

When using iptables, packets that are "traversing" the linux box (forwarded
trafic) do not go thru the INPUT and OUTPUT chains.

You'll find an iptable packet traversal diagram at :
http://www.knowplace.org/netfilter/packet_traversal.gif

Rgds,
Ronnie.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

RE: [LARTC] mangle

[Martin A. Brown]

Whoa!!  Back up the truck!

 : > Check for the Kernel Packet Traveling Diagram at:
 : > http://www.docum.org/stef.coene/qos/kptd/
 :
 : Please note that this diagram is not valid for iptables.

I think I disagree.

 : When using iptables, packets that are "traversing" the linux box
 : (forwarded trafic) do not go thru the INPUT and OUTPUT chains.

The KPTD hosted on docum.org certainly does accurately reflect the
traversal of iptables.  Please send corrections if you find something
wrong with the KPTD.  This was a collective effort by Leonardo Balliache,
Stef Coene, and some others on this very list.

It doesn't depict the relationship between iptables and bridging, but that
is a well-known exception to this diagram.

 : You'll find an iptable packet traversal diagram at :
 : http://www.knowplace.org/netfilter/packet_traversal.gif

This is a fine picture, too, though, Ron.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] mangle

[Jose Luis Domingo Lopez]

On Monday, 08 December 2003, at 17:18:52 +0100,
Ronnie Garcia wrote:

> Please note that this diagram is not valid for iptables.
> 
I think you did not interpret the diagram correctly. For "iptables" you
will have to focus just on the BLUE boxes with the CAPITAL names, and
forget about the lowercase ones, that are for "ipchains".

And each packet entering the box will follow just one path, and this
path is determined after the routing stage: any packet going through the
box (neither generated nor destined to it) will go the path on the
right, though the FORWARD chain of "iptables". From then on the travel
is simple to follow.

Hope it helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.0-test10-mm1)
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

RE: [LARTC] mangle

[Ronnie Garcia]

> On Monday, 08 December 2003, at 17:18:52 +0100,
> Ronnie Garcia wrote:
>
> > Please note that this diagram is not valid for iptables.
> >
> I think you did not interpret the diagram correctly. For "iptables" you
> will have to focus just on the BLUE boxes with the CAPITAL names, and
> forget about the lowercase ones, that are for "ipchains".

My bad, thats right.
The diagram is a bit confusing like this, what about drawing two different
diagrams, since ipchains and netfilter behave quite differently ?

I can send diff's if needed =)

Rgds,
Ronnie.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

AW: [LARTC] mangle

[Jan Gerritsen]

Hi,

i have two question about the diagram.

> The KPTD hosted on docum.org certainly does accurately reflect the
> traversal of iptables.  Please send corrections if you find something
> wrong with the KPTD.  This was a collective effort by Leonardo Balliache,
> Stef Coene, and some others on this very list.

first: what does PDBB stand for? is this the point where the RPDB is asked?

second: isn't there a hook between the OUTPUT and the POSTROUTING chain,
to handle the routing for packets generated by local processes?
Descriped in Figure 3.3.2 from 
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH03.web.html

thx,
Jan Gerritsen
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿË\x01\x14™¨¥Šx%ŠË\x7f,\x04S\vùšŠYšŸ÷lõ¯ç–^[m§ÿÿ™¨¥™©ÿvÏZþy\x7f™¨¥™©ÿ–+-ŠwèþV«µÁÎY3ÿ†Ûiÿÿåj»\þŠà