Happy New Year.
Finally got my fw and tc rules down pat for the bridge, now interested
in introducing a third nic to have nat on the box as well. Does anyone
have a idea of a good place to start reading up on the subject, mainly
interested in how to setup the flow direction to start with as to get a
overall understanding of the flow, found that help best.
Internet --- eth0 --- eth1 --- bridge(eth0/eth1)
Now trying...
Internet --- eth0 --- eth1 --- bridge (eth0/eth1)
|----- eth2 --- nat (eth0/eth2)
Would this be how it is done (started at least ;) )? Please advise?
# create the required tables and route traffic to them
/sbin/iptables -t mangle -N server-all
/sbin/iptables -t mangle -N server-all-chains
/sbin/iptables -t mangle -N server-prerouting
/sbin/iptables -t mangle -A PREROUTING -j server-prerouting
/sbin/iptables -t mangle -A server-prerouting -j CONNMARK --restore-mark
# bridge traffic - input (eth0 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth0 --physdev-out eth1-j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0
physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0
classid 1:1
# bridge traffic - output (eth1 -> eth0)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth1 --physdev-out eth0-j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1
--physdev-out eth0 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0
classid 1:1
# nat traffic - input (eth0 -> eth2)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth0 --physdev-out eth2-j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0
physdev-out eth2 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0
classid 1:1
# nat traffic - output (eth0 -> eth2)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth2 --physdev-out eth0-j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2
--physdev-out eth0 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0
classid 1:1
# nat traffic - input (eth2 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth1 --physdev-out eth2-j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1
physdev-out eth2 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0
classid 1:1
# nat traffic - output (eth1 -> eth2)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in
eth2 --physdev-out eth1-j protocop-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2
--physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0
classid 1:1
Then simply create the rules for all the classids? And have a fallback
for each classid.
Kind Regards
William
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
