From: "Marc Guardiola" <guardi@pdl.dhs.org>
To: lartc@vger.kernel.org
Subject: [LARTC] Bandwidth management on a NAT-ing firewall
Date: Mon, 11 Jun 2001 21:53:39 +0000
Message-ID: <marc-lartc-99229659005031@msgid-missing>

Guys,

Maybe one of you can enlighten me on the following problem:

I've got a firewall, which is NAT-ing 10.10.0.0/16 to the outer world.
eth0  x.108.12.226
eth1  10.10.100.1

For one IP, 10.10.100.212, I would like to limit the bandwidth to 80 Kbit on the
firewall, using iproute (tc) and iptables.
This can probably be done in different ways: with fwmark and by
source address. I've tried them all, without success so far. It seems to
neglect the rules. :((
The last thing I tried is:

iptables -A FORWARD -t mangle -s 10.10.100.212 -d ! 10.10.0.0/16 -j MARK --set-mark 1
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

tc qdisc add dev eth1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 80Kbit allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc filter add dev eth1 parent 10:0 protocol ip prio 50 handle 1 fw flowid 10:1

I think it goes wrong somewhere in the NAT-ing process; tc probably doesn't
understand it the way I configured it. (In the last option, I already tried
to switch eth1 to eth0, but that doesn't work, and shouldn't work, I think.)

If I use tc on 10.10.100.212 itself, it works fine, by the way, so I've solved it
like that for now. To limit to 80 Kbit I use:

tc qdisc add dev eth0 root handle 10: cbq bandwidth 100Mbit avpkt 1200
tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 80Kbit allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc filter add dev eth0 parent 10:0 protocol ip prio 50 u32 match ip src 10.10.100.212 flowid 10:1

Does anyone know how I can configure this on the firewall? I would prefer a
solution based on source address instead of fwmark, but if that isn't
possible, using fwmark is no problem for me.

Thanks in advance!

adios,

Marc


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
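As an added example (not part of Marc's post or of the replies to it), here is the fwmark approach from the post applied to the interface the marked packets actually leave through: the host's upload exits the firewall via eth0, and MASQUERADE rewrites the source address in nat/POSTROUTING, so a u32 `match ip src` on eth0 can never see 10.10.100.212, whereas a mark set in the mangle table before NAT survives the rewrite. Interface names, addresses and the cbq parameters are the post's; the FORWARD accept rules and the APPLY/dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Shape one LAN host's upload on a
# NAT-ing firewall: mark before NAT, shape on the WAN egress, key on the mark.
# Default is a dry run that only prints the commands; set APPLY=1 to execute.
set -eu

WAN=${WAN:-eth0}              # outer interface (post: eth0)
LAN=${LAN:-eth1}              # inner interface (post: eth1)
HOST=${HOST:-10.10.100.212}   # host whose upload is limited
LANNET=${LANNET:-10.10.0.0/16}
RATE=${RATE:-80Kbit}
MARK=${MARK:-1}
APPLY=${APPLY:-0}

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Mark the host's outbound traffic while the source address is still the
# private one. mangle/PREROUTING and mangle/FORWARD both run before SNAT;
# only nat/POSTROUTING rewrites the source, so the mark is what survives.
mark_host_upload() {
    run iptables -t mangle -A PREROUTING -i "$LAN" -s "$HOST" ! -d "$LANNET" -j MARK --set-mark "$MARK"
}

# Assumed baseline (the post shows policy DROP but no accept rules):
# LAN -> WAN is allowed, replies come back, and the LAN is masqueraded.
allow_forwarding() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# The qdisc shapes egress, so it belongs on the interface the marked packets
# leave through: the WAN side, not eth1 where they arrive.
shape_marked_upload() {
    run tc qdisc add dev "$WAN" root handle 10: cbq bandwidth 100Mbit avpkt 1000
    run tc class add dev "$WAN" parent 10:0 classid 10:1 cbq bandwidth 100Mbit \
        rate "$RATE" allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
    run tc filter add dev "$WAN" parent 10:0 protocol ip prio 50 handle "$MARK" fw flowid 10:1
}

mark_host_upload
allow_forwarding
shape_marked_upload
```

Run it once without APPLY to review the generated rules, then with `APPLY=1` on the firewall; `tc -s class show dev eth0` afterwards shows the 10:1 class counters increasing only for the marked host's traffic.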

Thread overview:
2001-06-11 21:53 Marc Guardiola [this message]
2001-06-12 14:40 ` [LARTC] Bandwidth management on a NAT-ing firewall Wingtung.Leung