RE: NAT, MANGLE, and TOS

RE: NAT, MANGLE, and TOS

[Daniel Chemko]

>Good point. Is there any reason I shouldn't put my rules on the mangle 
>POSTROUTING table and kill 2 birds with one rule?


None that I can see, though I must admit that I swear sometimes I see
packets missing POSTROUGING; though, I blame that on my bogon ray
generator, and not Netfilter itself.

RE: NAT, MANGLE, and TOS

[SBlaze]

--- Daniel Chemko <dchemko@smgtec.com> wrote:
> 
> >Good point. Is there any reason I shouldn't put my rules on the mangle 
> >POSTROUTING table and kill 2 birds with one rule?
> 
> 
> None that I can see, though I must admit that I swear sometimes I see
> packets missing POSTROUGING; though, I blame that on my bogon ray
> generator, and not Netfilter itself.
> 
> 
Ok let me hop back in here... and mke sure I understand this so I don't insert
bad rules in my firewall...

Jeff reccomends...

iptables -t mangle -A OUTPUT -p tcp -m state --state 
NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08

Ok I can see that this is making TOS changes for http service on the TCP
protocol. (Quick Side q here but is udp affected by TOS???). Which I can see as
being useful if you have cooperative routers between you and the peer user...

but Daniel reccomends...

You probably want this on the FORWARD chain to boost the performance of
your actual client machines instead of just the firewall.

Why place it in the FOWARD chain?

Question back at Jeff here too...

Is the OUTPUT chain really the right place for me? I mean yes I know it would
be good to change TOS in OUTPUT but doesn't that affect only the Linux box? My
NAT goes through ....

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.x.x

so how could I go about changing the TOS of SNAATed packets? Is it even
possible?

Thanks Guys... keep it coming.
SBlaze





=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: NAT, MANGLE, and TOS

[Ramin Dousti]

Look. tos can be set in mangle. mangle has five hooks including OUTPUT and
PREROUTING. OUTPUT affects the locally generated traffic. PREROUTING affects
the externally generated traffic that passes through your firewall. You can set
the tos like so:

$IPT -t mangle -A OUTPUT     -p udp --dport 53   -j TOS --set-tos 0x8
$IPT -t mangle -A OUTPUT     -p tcp --dport 80   -j TOS --set-tos 0x8
$IPT -t mangle -A OUTPUT     -p tcp --dport 22   -j TOS --set-tos 0x8
$IPT -t mangle -A OUTPUT     -p tcp --sport 22   -j TOS --set-tos 0x8

$IPT -t mangle -A PREROUTING -p udp --dport 53   -j TOS --set-tos 0x8
$IPT -t mangle -A PREROUTING -p tcp --dport 80   -j TOS --set-tos 0x8
$IPT -t mangle -A PREROUTING -p tcp --dport 22   -j TOS --set-tos 0x8
$IPT -t mangle -A PREROUTING -p tcp --sport 22   -j TOS --set-tos 0x8

What the tos value should be and what applications should benefit from
this, is up to you...

Ramin

On Thu, Oct 23, 2003 at 01:25:50PM -0700, SBlaze wrote:

> 
> --- Daniel Chemko <dchemko@smgtec.com> wrote:
> > 
> > >Good point. Is there any reason I shouldn't put my rules on the mangle 
> > >POSTROUTING table and kill 2 birds with one rule?
> > 
> > 
> > None that I can see, though I must admit that I swear sometimes I see
> > packets missing POSTROUGING; though, I blame that on my bogon ray
> > generator, and not Netfilter itself.
> > 
> > 
> Ok let me hop back in here... and mke sure I understand this so I don't insert
> bad rules in my firewall...
> 
> Jeff reccomends...
> 
> iptables -t mangle -A OUTPUT -p tcp -m state --state 
> NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
> 
> Ok I can see that this is making TOS changes for http service on the TCP
> protocol. (Quick Side q here but is udp affected by TOS???). Which I can see as
> being useful if you have cooperative routers between you and the peer user...
> 
> but Daniel reccomends...
> 
> You probably want this on the FORWARD chain to boost the performance of
> your actual client machines instead of just the firewall.
> 
> Why place it in the FOWARD chain?
> 
> Question back at Jeff here too...
> 
> Is the OUTPUT chain really the right place for me? I mean yes I know it would
> be good to change TOS in OUTPUT but doesn't that affect only the Linux box? My
> NAT goes through ....
> 
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.x.x
> 
> so how could I go about changing the TOS of SNAATed packets? Is it even
> possible?
> 
> Thanks Guys... keep it coming.
> SBlaze
> 
> 
> 
> 
> 
> =====
> In the absence of order there will be chaos.
> 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com

Re: NAT, MANGLE, and TOS

[SBlaze]

--- Ramin Dousti <ramin@cannon.eng.us.uu.net> wrote:
> Look. tos can be set in mangle. mangle has five hooks including OUTPUT and
> PREROUTING. OUTPUT affects the locally generated traffic. PREROUTING affects
> the externally generated traffic that passes through your firewall. 

Thanks alot Ramin,

I had read Oskar's tutorial before I started posting this thread. Sometimes
when I read things I like to verify my understanding with others to make sure I
did not get it wrong. I do this a lot by asking vuager questions than I
probably should to get to the "meat and portatoes" of what I read.

Again I owe all you guys a big thanks! 



=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: NAT, MANGLE, and TOS

[Jeffrey Laramie]

SBlaze wrote:

>--- Daniel Chemko <dchemko@smgtec.com> wrote:
>  
>
>>>Good point. Is there any reason I shouldn't put my rules on the mangle 
>>>POSTROUTING table and kill 2 birds with one rule?
>>>      
>>>
>>None that I can see, though I must admit that I swear sometimes I see
>>packets missing POSTROUGING; though, I blame that on my bogon ray
>>generator, and not Netfilter itself.
>>
>>
>>    
>>
>Ok let me hop back in here... and mke sure I understand this so I don't insert
>bad rules in my firewall...
>
>Jeff reccomends...
>
>iptables -t mangle -A OUTPUT -p tcp -m state --state 
>NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
>
>Ok I can see that this is making TOS changes for http service on the TCP
>protocol. (Quick Side q here but is udp affected by TOS???). Which I can see as
>being useful if you have cooperative routers between you and the peer user...
>  
>

This rule only changes the TOS for those packets generated by the fw box 
itself. Any packets that the fw box is forwarding from other boxes would 
be unaffected.

>but Daniel reccomends...
>
>You probably want this on the FORWARD chain to boost the performance of
>your actual client machines instead of just the firewall.
>
>Why place it in the FOWARD chain?
>  
>

The mangle FORWARD chain handles traffic between your LAN and the 
outside world. If you're firewalling a single box this chain isn't used.

>Question back at Jeff here too...
>
>Is the OUTPUT chain really the right place for me? I mean yes I know it would
>be good to change TOS in OUTPUT but doesn't that affect only the Linux box? My
>NAT goes through ....
>
>iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.x.x
>
>so how could I go about changing the TOS of SNAATed packets? Is it even
>possible?
>
>  
>

Daniel is correct. The OUTPUT chain is not the right place to mangle if 
the goal is to improve the speed of the LAN since it only effects 
packets generated by the fw box. You need to put your mangle rules on 
either the mangle FORWARD chain or the mangle POSTROUTING chain. Try not 
to be confused by the fact that each table (filter, nat, mangle) has 
chains that use the same name. They are not the same chains. This 
explains the flow of packets better than I ever could:

http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html

Jeff

RE: NAT, MANGLE, and TOS

[Daniel Chemko]

> $iptables -t mangle -A OUTPUT -p tcp -m state --state 
> NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08

You probably want this on the FORWARD chain to boost the performance of
your actual client machines instead of just the firewall.

Re: NAT, MANGLE, and TOS

[Jeffrey Laramie]

Daniel Chemko wrote:

>>$iptables -t mangle -A OUTPUT -p tcp -m state --state 
>>NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
>>    
>>
>
>You probably want this on the FORWARD chain to boost the performance of
>your actual client machines instead of just the firewall.
>
>
>  
>
Good point. Is there any reason I shouldn't put my rules on the mangle 
POSTROUTING table and kill 2 birds with one rule?

NAT, MANGLE, and TOS

[SBlaze]

Currently I run a very and common setup for my home network.

My Linux box acts as my router and gateway for my home network and simply NATs
everything out to the cable modem and onto the internet.

My question is this. I have read awhile ago that changing the TOS of packets
can be beneficial in ganing small performance. Logically I thought this would
pretty much be limited to a Point to Point systems. However by posting to some
forums for broadband, i hearf through the perverbial grapevine that my
ISP(Charter Communications) will honor user or application set TOS values
unless they are under network congestion. I can of course not verify this.

This is my quandry. Currently this is all I do..

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.49.97

Is it possible to mangle NAT in a way that all my nat traffic carries slightly
higher TOS values? Will this give me a slight to any boost in upstream?

As always thanks for any info in advance and hail to the open source community.
SBlaze

=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: NAT, MANGLE, and TOS

[Jeffrey Laramie]

SBlaze wrote:

>Currently I run a very and common setup for my home network.
>
>My Linux box acts as my router and gateway for my home network and simply NATs
>everything out to the cable modem and onto the internet.
>
>My question is this. I have read awhile ago that changing the TOS of packets
>can be beneficial in ganing small performance. Logically I thought this would
>pretty much be limited to a Point to Point systems. However by posting to some
>forums for broadband, i hearf through the perverbial grapevine that my
>ISP(Charter Communications) will honor user or application set TOS values
>unless they are under network congestion. I can of course not verify this.
>
>This is my quandry. Currently this is all I do..
>
>iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 68.119.49.97
>
>Is it possible to mangle NAT in a way that all my nat traffic carries slightly
>higher TOS values? Will this give me a slight to any boost in upstream?
>
>As always thanks for any info in advance and hail to the open source community.
>SBlaze
>  
>
You can use the appropriately named mangle table to set TOS like this:

$iptables -t mangle -A OUTPUT -p tcp -m state --state 
NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08

I don't have enough traffic on my network to see a noticeable difference 
when I change TOS, but given your situation, setting TOS might help.

Jeff