Linux Netfilter discussions
From: Cedric Blancher <blancher@cartel-securite.fr>
To: Aaron Clausen <maureen-taocow@alberni.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: cbq.init and iptables NAT routing
Date: 03 Oct 2002 21:12:01 +0200	[thread overview]
Message-ID: <1033672321.682.12.camel@elendil> (raw)
In-Reply-To: <Pine.LNX.4.33.0210030928220.22286-100000@ts1.alberni.net>

On Thu 03/10/2002 at 18:30, Aaron Clausen wrote:
> I am running Linux 2.4.5 with two Ethernet cards as a NAT router (using
> iptables).  I downloaded the cbq.init script so that I could try shaping the
> traffic coming from and going to the internal network.  I am also using
> iptables for IP accounting.  I can shape traffic on ETH1, which is the
> inside NIC, but I cannot shape the traffic going out on ETH0.  None of the
> traffic reaches my classes.  Are there any known incompatibilities between
> cbq and iptables?

No, I am not aware of such things, and I use cbq.init on a quite regular
basis.

You have to be very careful to where your packets are NATed and where
traffic shaping is acting. You also need to know exactly what kind of
rule you have to use in cbq.init.

Example :

	iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 10.0.0.1

OK. Inner interface will be eth1 (attached to 192.168.10.0/24) and the
other one is eth0 (10.0.0.1).
Traffic shaping is done at last routing point, between FORWARD and
POSTROUTING, R2 below :

--> PREROUTING --> R1 --> FORWARD --> R2 --> POSTROUTING

So, when packets are going outside, I will match packets that are
sourced from 192.168.10.0/24 :

RULE=192.168.10.0/24,

	!! as written in doc, pay attention to comma at the end of the
	!! rule, for it means we specify source address

And when packets are returning, they've been denated somewhere near
PREROUTING, so have 192.168.10.0/24 as destination :

RULE=192.168.10.0/24

	!! no more comma, we give destination

So, to be quick, be careful to ending comma when you specify source
addresses, and be very careful of what kind of NAT you do. SNAT is
"after" shaping, while DNAT is "before" (considering original way).

Imho, you must have set up your eth0 rule with SNAT address, which does
not work, as explained below.

Hope this helps.

-- 
Cédric Blancher
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
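The ordering Cédric describes (tc egress shaping sits at R2, after the routing decision but before POSTROUTING, while replies are de-NATed at PREROUTING) is easy to model. The following is an added example, not code from the thread or from cbq.init: a small Python simulation of that traversal with a conntrack-style SNAT table and a parser for the cbq.init RULE syntax ("addr," = source match, "addr" = destination match). The topology (192.168.10.0/24 behind eth1, SNAT to 10.0.0.1 on eth0), the sample flow to 203.0.113.7:80 and the simplification that SNAT keeps the original source port are all constructed assumptions.

```python
"""Constructed model of the netfilter path from the mail:
PREROUTING -> R1 (routing) -> FORWARD -> R2 -> POSTROUTING, with the tc
egress qdisc (cbq.init classes) acting at R2, i.e. before SNAT is applied."""
import ipaddress
from dataclasses import dataclass, replace

INNER_NET = ipaddress.ip_network("192.168.10.0/24")   # behind eth1 (assumed)
SNAT_ADDR = ipaddress.ip_address("10.0.0.1")          # eth0 address used by SNAT


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_rule(rule: str):
    """Parse a cbq.init RULE: [saddr[:port],][daddr[:port]].
    The part before the comma is a *source* match, the part after (or the whole
    rule when there is no comma) is a *destination* match."""
    if "," in rule:
        s, d = rule.split(",", 1)
    else:
        s, d = "", rule

    def part(spec):
        if not spec:
            return None
        addr, _, port = spec.partition(":")
        return ipaddress.ip_network(addr, strict=False), (int(port) if port else None)

    return part(s), part(d)


def rule_matches(rule: str, pkt: Packet) -> bool:
    """Would a cbq.init class with this RULE classify the packet seen at R2?"""
    src, dst = parse_rule(rule)
    if src and (pkt.src not in src[0] or (src[1] is not None and pkt.sport != src[1])):
        return False
    if dst and (pkt.dst not in dst[0] or (dst[1] is not None and pkt.dport != dst[1])):
        return False
    return True


class NatRouter:
    def __init__(self):
        # Reply-direction tuple -> original (src, sport), as conntrack would store it.
        self.reply_map = {}

    def prerouting(self, pkt: Packet) -> Packet:
        # Replies to SNATed flows are de-NATed here, before routing and shaping.
        orig = self.reply_map.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return replace(pkt, dst=orig[0], dport=orig[1]) if orig else pkt

    def postrouting(self, pkt: Packet) -> Packet:
        # iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 10.0.0.1
        # (simplified: the source port is kept unchanged)
        if pkt.src in INNER_NET:
            self.reply_map[(pkt.dst, pkt.dport, SNAT_ADDR, pkt.sport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=SNAT_ADDR)
        return pkt

    def forward(self, pkt: Packet, rules: dict):
        """rules maps egress device -> cbq.init RULE. Returns (egress, shaped, wire packet)."""
        pkt = self.prerouting(pkt)                                # PREROUTING
        egress = "eth1" if pkt.dst in INNER_NET else "eth0"       # R1: routing decision
        shaped = rule_matches(rules[egress], pkt)                 # R2: shaping sees pre-SNAT addresses
        pkt = self.postrouting(pkt)                               # POSTROUTING: SNAT
        return egress, shaped, pkt


def scenario(eth0_rule: str):
    """One outbound packet from the LAN and its reply, with the given eth0 RULE.
    Returns ((egress, shaped, src on wire), (egress, shaped, dst delivered))."""
    router = NatRouter()
    rules = {"eth0": eth0_rule, "eth1": "192.168.10.0/24"}   # eth1: destination match
    out = Packet(ipaddress.ip_address("192.168.10.5"), 40000,
                 ipaddress.ip_address("203.0.113.7"), 80)  # constructed sample flow
    egress1, shaped1, wire = router.forward(out, rules)
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)
    egress2, shaped2, delivered = router.forward(reply, rules)
    return (egress1, shaped1, str(wire.src)), (egress2, shaped2, str(delivered.dst))


if __name__ == "__main__":
    print("RULE=192.168.10.0/24, ->", scenario("192.168.10.0/24,"))
    print("RULE=10.0.0.1,        ->", scenario("10.0.0.1,"))
```

Running it shows the point of the mail: with `RULE=192.168.10.0/24,` the outbound packet is classified on eth0 and still leaves with source 10.0.0.1, whereas `RULE=10.0.0.1,` never matches because the egress filter runs before the SNAT rewrite. On eth1 the reply has already been de-NATed at PREROUTING, so a destination rule (no trailing comma) on 192.168.10.0/24 is the one that matches.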


Thread overview: 4+ messages
2002-10-03 16:30 cbq.init and iptables NAT routing Aaron Clausen
2002-10-03 19:12 ` Cedric Blancher [this message]
2002-10-03 20:15   ` Aaron Clausen
2002-10-04  0:30     ` Cedric Blancher