* [LARTC] Bandwidth management on a NAT-ing firewall
@ 2001-06-11 21:53 Marc Guardiola
From: Marc Guardiola @ 2001-06-11 21:53 UTC (permalink / raw)
  To: lartc

Guys,

Maybe one of you can enlighten me on the following problem.. :

I've got a Firewall, which is NAT-ing 10.10.0.0/16 to the outer world.
eth0  b.108.12.226
eth1  10.10.100.1

For one IP, 10.10.100.212, I would like to limit the bandwidth to 80 Kbit on the
firewall, with iproute (tc) and iptables.
This can probably be done in different ways.. with fwmark and by
source address. I've tried them all.. without success so far. It seems to
neglect the rules.. :((
The last thing I tried is:

iptables -A FORWARD -t mangle -s 10.10.100.212 -d ! 10.10.0.0/16 -j MARK --set-mark 1
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

tc qdisc add dev eth1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 80Kbit allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc filter add dev eth1 parent 10:0 protocol ip prio 50 handle 1 fw flowid 10:1

I think it goes wrong somewhere in the NAT-ing process. tc probably doesn't
understand it the way I configured it. (In the last option, I already tried
to switch eth1 to eth0, but that doesn't work, and shouldn't work, I think.)

If I use tc on 10.10.100.212 itself, it works fine by the way, so I solved it
like that for now. To limit to 80 Kbit I use:

tc qdisc add dev eth0 root handle 10: cbq bandwidth 100Mbit avpkt 1200
tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 80Kbit allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc filter add dev eth0 parent 10:0 protocol ip prio 50 u32 match ip src 10.10.100.212 flowid 10:1

Does anyone know how I can configure this on the firewall? I would prefer a
solution based on source address instead of fwmark, but if that isn't
possible, using fwmark is no problem for me.

Thanks in advance !

adios,

Marc


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
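The configuration in the message above fails for a reason worth spelling out, because it is the usual trap when shaping on a NAT box: a tc filter only sees packets on the interface where they leave, and it sees them after NAT has run. Traffic from 10.10.100.212 to the Internet leaves on eth0, and by then MASQUERADE has rewritten the source address, so a u32 "match ip src 10.10.100.212" on eth0 can never hit; an fwmark set before NAT survives the rewrite, so an fw filter on eth0 does work. The replies leave on eth1, where the destination has already been translated back to the private address, so for the download direction a plain u32 "match ip dst" on eth1 is reliable and no mark is needed. The script below is an added example, not code from the original post or from the LARTC project; it reuses the post's addresses, interfaces and CBQ parameters, uses mangle PREROUTING (the only pre-NAT chain the early 2.4 mangle table had; a FORWARD chain in mangle did not appear until later 2.4 kernels) and the modern extrapositioned negation syntax "! -d", and defaults to a dry run that prints the commands instead of executing them, since applying them needs root and a kernel with CBQ.

```shell
#!/bin/sh
# Added example: shape one LAN host (10.10.100.212) to 80 Kbit in each
# direction on a masquerading firewall. Every filter is placed on the
# interface the packet actually exits, and matches on a field that is still
# correct after NAT. Topology assumed from the post: eth0 = outside,
# eth1 = LAN side. Addresses and CBQ parameters are the post's own.
set -e

WAN=eth0
LAN=eth1
HOST=10.10.100.212
LAN_NET=10.10.0.0/16
RATE=80Kbit
MARK=1

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# rule set can be reviewed without root. Run with DRY_RUN=0 to apply.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Upload direction (LAN -> Internet). On $WAN egress the source address has
# already been masqueraded, so matching "ip src $HOST" there never fires.
# The fwmark is set in mangle PREROUTING, before NAT, and survives it, so an
# fw filter on $WAN classifies the host's traffic correctly.
upload_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN" -s "$HOST" ! -d "$LAN_NET" \
        -j MARK --set-mark "$MARK"
    run tc qdisc add dev "$WAN" root handle 10: cbq bandwidth 100Mbit avpkt 1000
    run tc class add dev "$WAN" parent 10:0 classid 10:1 cbq bandwidth 100Mbit \
        rate "$RATE" allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
    run tc filter add dev "$WAN" parent 10:0 protocol ip prio 50 \
        handle "$MARK" fw flowid 10:1
}

# Download direction (Internet -> LAN). Replies are un-masqueraded in nat
# PREROUTING on $WAN, so when they leave on $LAN the destination is already
# the private address and a u32 "ip dst" match is enough; no mark needed.
download_rules() {
    run tc qdisc add dev "$LAN" root handle 20: cbq bandwidth 100Mbit avpkt 1000
    run tc class add dev "$LAN" parent 20:0 classid 20:1 cbq bandwidth 100Mbit \
        rate "$RATE" allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
    run tc filter add dev "$LAN" parent 20:0 protocol ip prio 50 \
        u32 match ip dst "$HOST" flowid 20:1
}

# Check: the class byte counters on both devices should grow while the host
# transfers data; if only the root qdisc counters move, the filter is not
# matching and the packets are taking the default path unshaped.
show_stats() {
    run tc -s class show dev "$WAN"
    run tc -s class show dev "$LAN"
}

# "sh shape.sh apply" emits (or with DRY_RUN=0 installs) the full rule set.
if [ "${1:-}" = "apply" ]; then
    upload_rules
    download_rules
    show_stats
fi
```

Matching by source address alone, as the post would prefer, is only possible on the LAN-side interface for traffic entering the box (where tc ingress policing, not a root qdisc, would have to be used); for egress shaping on eth0 the mark is the one classifier that still identifies the host after masquerading, which is why the example uses both mechanisms, one per direction.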
