From: "Big World" <bigworld@ua.fm>
To: lartc@vger.kernel.org
Subject: [LARTC] problem with mark, need help
Date: Thu, 13 Jan 2005 22:31:37 +0000
Message-ID: <opskktlyly0he058@localhost>
Hello.
I have eth1 for WAN (0.0.0.0) and eth0 for LAN (192.168.10.0/24).
I need to set it up so that local users get access to the $LOCAL_IP network,
and IPs 192.168.10.2 and 192.168.10.3 (there will be more in future) get access to the internet,
but the bandwidth to $LOCAL_IP is 128kbps and to the internet it is 8kbps.
I wrote rc.firewall:
#!/bin/bash
# env
IPTABLES="/usr/sbin/iptables"
LOCAL_IP="62.64.80.0/21 62.221.38.0/24 ........................" # LOCAL_IP network
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# .........
# not important rule
# ........
# for local_network
$IPTABLES -N local_ip
for net_address in $LOCAL_IP; do
    $IPTABLES -A local_ip -p all -d $net_address -j ACCEPT
done
$IPTABLES -A local_ip -p all -j REJECT
# Forward rules for all
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.2 -m mac --mac-source 00:11:2F:92:D1:5E -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.3 -m mac --mac-source 00:11:11:1D:D6:37 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.5 -m mac --mac-source 00:11:2F:4A:88:47 -j local_ip
$IPTABLES -A FORWARD -s 192.168.10.6 -m mac --mac-source 00:0E:A6:52:76:DD -j local_ip
# ..............
# IF packet isn't from $LOCAL_IP (one negated-source rule per local network)
for net_address in $LOCAL_IP; do
    $IPTABLES -t mangle -A FORWARD -s ! $net_address -d 192.168.10.2 -j MARK --set-mark 3
    $IPTABLES -t mangle -A FORWARD -s ! $net_address -d 192.168.10.3 -j MARK --set-mark 4
done
# If ip address is from the $LOCAL_IP
for net_address in $LOCAL_IP; do
    $IPTABLES -t mangle -A FORWARD -s $net_address -d 192.168.10.2 -j MARK --set-mark 1
    $IPTABLES -t mangle -A FORWARD -s $net_address -d 192.168.10.3 -j MARK --set-mark 2
done
# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 195.24.150.150
I marked packets so that I could use the mark to control bandwidth, but if a packet
is from $LOCAL_IP to 192.168.10.2
it will be marked two times (mark 3 then mark 1). Why is iptables doing it?
# config bandwidth
#!/bin/bash
TC=/sbin/tc
# root qdisc on the LAN interface; unclassified traffic falls into class 1:4
# (note: tc reads "kbps" as kilobytes per second and "kbit" as kilobits per second)
$TC qdisc add dev eth0 root handle 1:0 htb default 4
# sub class of root
$TC class add dev eth0 parent 1:0 classid 1:1 htb rate 136kbps ceil 136kbps
$TC class add dev eth0 parent 1:1 classid 1:2 htb rate 128kbps ceil 128kbps
$TC class add dev eth0 parent 1:1 classid 1:3 htb rate 8kbps ceil 8kbps
# Classes for local users
$TC class add dev eth0 parent 1:2 classid 1:20 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:21 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:22 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:23 htb rate 16kbps ceil 128kbps
# fw filters select the class by the iptables mark; u32 filters by destination
$TC filter add dev eth0 protocol ip parent 1:0 handle 1 fw flowid 1:20
$TC filter add dev eth0 protocol ip parent 1:0 handle 2 fw flowid 1:21
$TC filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.10.5 flowid 1:22
$TC filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.10.6 flowid 1:23
# Classes for inet users
$TC class add dev eth0 parent 1:3 classid 1:30 htb rate 4kbps ceil 8kbps
$TC class add dev eth0 parent 1:3 classid 1:31 htb rate 4kbps ceil 8kbps
$TC filter add dev eth0 protocol ip parent 1:0 handle 3 fw flowid 1:30
$TC filter add dev eth0 protocol ip parent 1:0 handle 4 fw flowid 1:31
# default param for htb
$TC class add dev eth0 parent 1:1 classid 1:4 htb rate 1kbps ceil 1kbps
If someone knows why iptables is doing it, or how to realize it differently...
Thanks for any help.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
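A way to mark each forwarded packet to a LAN host exactly once, as an added example that is not code from the original post: the positive local-network rules go first, and a single rule with the mark match (-m mark --mark 0) catches whatever is still unmarked, so the per-network negated rules (which match every source that is not that one network, including the other local networks) are not needed. It assumes the same $LOCAL_IP list and LAN hosts as the post (shortened to a constructed two-network sample) and defaults IPTABLES to echo so it can be dry-run without touching the firewall.

```shell
#!/bin/sh
# Added example, not from the original post: mark packets to a LAN host once.
# Set IPTABLES=/usr/sbin/iptables to apply for real; the default just prints.
IPTABLES="${IPTABLES:-echo}"
LOCAL_IP="62.64.80.0/21 62.221.38.0/24"   # constructed sample of the post's list

# mark_for_host LAN_HOST LOCAL_MARK INET_MARK
# The mangle FORWARD chain is evaluated top to bottom and the last MARK
# target that matches wins. Local sources are therefore matched positively
# first, and the internet rule only touches packets that are still unmarked
# (mark 0, assuming nothing in mangle PREROUTING marked them earlier), so no
# packet is marked twice and no negated per-network rule is required.
mark_for_host() {
    host="$1"; local_mark="$2"; inet_mark="$3"
    for net_address in $LOCAL_IP; do
        $IPTABLES -t mangle -A FORWARD -s "$net_address" -d "$host" \
            -j MARK --set-mark "$local_mark"
    done
    # anything to $host that no local rule marked came from the internet
    $IPTABLES -t mangle -A FORWARD -m mark --mark 0 -d "$host" \
        -j MARK --set-mark "$inet_mark"
}

# marks 1/3 and 2/4 match the tc fw filters in the post's bandwidth script
mark_for_host 192.168.10.2 1 3
mark_for_host 192.168.10.3 2 4
```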