Re: [LARTC] vpn control
Rick Marshall wrote:
> linux-linux using ip tunnels -
>   modprobe ip_gre
>   ip tunnel add china mode gre remote xxx.xxx.xxx.xxx local xxx.xxx.xxx.xxx ttl 255
>   ip link set china up
>   ip addr add 192.168.1.11 dev china
>   ip route add 192.168.5.0/24 dev china

Hrrm, not 100% sure on GRE tunnels, but I can't see why they wouldn't. You should be able to just create all your tc rules on the 'china' device.

-- 
Damion de Soto - Software Engineer   email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company      ph: +61 7 3435 2809 | Custom Embedded Solutions
fax: +61 7 3891 3630 | and Security Appliances   web: http://www.snapgear.com
--- Free Embedded Linux Distro at http://www.snapgear.org ---
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
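The point of the exchange above is where tc gets attached: on the tunnel device (china) the qdisc sees the inner IP packet before GRE encapsulation, so filters on inner ports work; on the physical uplink (eth1) only GRE itself, IP protocol 47, is visible. The script below is an added example, not code from Rick or Damion. It wraps both setups in functions; the addresses, the rates and the video port are assumptions, and with DRYRUN=1 (the default) it prints the ip/tc commands instead of running them, so it can be inspected without root.

```bash
#!/bin/sh
# Added example: GRE tunnel plus HTB on the tunnel device (inner packets)
# versus HTB on the physical uplink (only GRE vs. everything else).
# Addresses, rates and ports are assumptions for this example.
# DRYRUN=1 (default) prints commands instead of executing them.

DRYRUN=${DRYRUN:-1}

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gre_tunnel NAME LOCAL_IP REMOTE_IP TUNNEL_ADDR/PREFIX REMOTE_NET
gre_tunnel() {
    name=$1 local_ip=$2 remote_ip=$3 addr=$4 remote_net=$5
    run modprobe ip_gre
    run ip tunnel add "$name" mode gre local "$local_ip" remote "$remote_ip" ttl 255
    run ip link set "$name" up
    run ip addr add "$addr" dev "$name"
    run ip route add "$remote_net" dev "$name"
}

# shape_tunnel NAME LINK_KBIT VIDEO_KBIT VIDEO_DPORT
# HTB on the tunnel device: the qdisc runs before encapsulation, so a u32
# match on the inner destination port selects the video conferencing class.
shape_tunnel() {
    name=$1 link=$2 video=$3 dport=$4
    run tc qdisc del dev "$name" root 2>/dev/null
    run tc qdisc add dev "$name" root handle 1: htb default 20
    run tc class add dev "$name" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    run tc class add dev "$name" parent 1:1 classid 1:10 htb rate "${video}kbit" ceil "${link}kbit" prio 0
    run tc class add dev "$name" parent 1:1 classid 1:20 htb rate "$((link - video))kbit" ceil "${link}kbit" prio 1
    run tc qdisc add dev "$name" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$name" parent 1:20 handle 20: sfq perturb 10
    run tc filter add dev "$name" parent 1: protocol ip prio 1 u32 \
        match ip dport "$dport" 0xffff flowid 1:10
}

# shape_uplink DEV LINK_KBIT GRE_KBIT
# On the real interface the inner headers are gone; the only usable
# distinction is "GRE (protocol 47)" against the rest of the traffic.
shape_uplink() {
    dev=$1 link=$2 gre=$3
    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${gre}kbit" ceil "${link}kbit" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$((link - gre))kbit" ceil "${link}kbit" prio 1
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 47 0xff flowid 1:10
}

if [ "${1:-}" = "--apply" ]; then
    DRYRUN=0
    gre_tunnel china 10.0.0.1 10.0.0.2 192.168.1.11/32 192.168.5.0/24
    shape_tunnel china 2000 768 5060
    shape_uplink eth1 2000 1500
fi
```

Run it without arguments to see the generated commands, with --apply as root to execute them. Keep the tunnel's rate at or below the share the GRE class gets on the uplink, otherwise the tunnel qdisc never becomes the bottleneck and its priorities have no effect.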
Re: [LARTC] vpn control
Hi Rick,

> can i now put rules in for the tunnels to control traffic within each tunnel (that's where our video conferencing etc runs)?

What type of VPNs are you using? IPSec? You can put htb rules on ipsecX interfaces and they will work. The pppX interfaces for pptp and l2tp VPNs should work just as well.

> control the real interface (eth1 in our setup)? if not can i somehow see the packets inside the vpn packets and then control them?

With some clever kernel hackery, you probably could do this; I don't think it would be any fun at all though.

regards,
-- 
Damion de Soto - Software Engineer, SnapGear - A CyberGuard Company
[LARTC] vpn control
We have an external 2Mbit DSL connection and running on it are several GRE VPN tunnels. So far I've given priority to the VPN traffic (using HTB).

Can I now put rules in for the tunnels to control traffic within each tunnel (that's where our video conferencing etc. runs)? Or can I only control the real interface (eth1 in our setup)? If not, can I somehow see the packets inside the VPN packets and then control them?

thanks
rick
Re: [LARTC] Multihomed Masquerading, routing and iptables
Ooops... sorry, I hadn't read the entire email sent to the list by Bobic. My mistake.

Bobic is having a problem similar to what I got with one of my servers running kernel 2.4.20. All the interfaces I have are of the same brand (Realtek): eth0 is for clients, eth1 for DSL/Cable, eth2 for 2.4 GHz wireless. Weirdly, several of my clients were set up correctly to use both eth1 and eth2, but there were many clients getting wrongly routed packets, just as Bobic does. This problem was solved when I changed to SNAT instead of MASQUERADE. Try it, Bobic. This masquerade problem didn't appear under Linux 2.4.21.

Regards,
Rio Martin.

On Monday 05 January 2004 09:04, Rio Martin wrote:
> Dear Bobic,
> I am sure you haven't read the LARTC document clearly. Look for "iproute2" inside the document. Those are the clues for setting up a local area network that connects using two or more connections to ISPs.
>
> Regards,
> Rio Martin.
>
> On Wednesday 31 December 2003 23:49, Gordan Bobic wrote:
> > Hi.
> > I have a networking problem that is driving me nuts at the moment. I have a multi homed network: Cable + DSL.
> > The problem I have is that although I am 99% sure that I have the routing table rules set up correctly, for some reason masqueraded/NATed traffic doesn't go out of the correct interface. i.e. I am getting traffic leaving eth2 with the source IP header set to eth3 and vice versa.
Re: [LARTC] Multihomed Masquerading, routing and iptables
Dear Bobic,

I am sure you haven't read the LARTC document clearly. Look for "iproute2" inside the document. Those are the clues for setting up a local area network that connects using two or more connections to ISPs.

Regards,
Rio Martin.

On Wednesday 31 December 2003 23:49, Gordan Bobic wrote:
> Hi.
> I have a networking problem that is driving me nuts at the moment. I have a multi homed network: Cable + DSL.
> The problem I have is that although I am 99% sure that I have the routing table rules set up correctly, for some reason masqueraded/NATed traffic doesn't go out of the correct interface. i.e. I am getting traffic leaving eth2 with the source IP header set to eth3 and vice versa.
Re: [LARTC] Ingress with WonderShaper
Hi Gavin,

You're missing the INGRESS option in the kernel; you should have:

  # QoS and/or fair queueing
  #
  CONFIG_NET_SCHED=y
  # CONFIG_NET_SCH_CBQ is not set
  CONFIG_NET_SCH_HTB=m
  # CONFIG_NET_SCH_CSZ is not set
  CONFIG_NET_SCH_PRIO=m
  CONFIG_NET_SCH_RED=m
  CONFIG_NET_SCH_SFQ=m
  CONFIG_NET_SCH_TEQL=m
  CONFIG_NET_SCH_TBF=m
  CONFIG_NET_SCH_GRED=m
  CONFIG_NET_SCH_DSMARK=m
  CONFIG_NET_SCH_INGRESS=y
  CONFIG_NET_QOS=y
  CONFIG_NET_ESTIMATOR=y
  CONFIG_NET_CLS=y
  CONFIG_NET_CLS_TCINDEX=m
  CONFIG_NET_CLS_ROUTE4=m
  CONFIG_NET_CLS_ROUTE=y
  CONFIG_NET_CLS_FW=m
  CONFIG_NET_CLS_U32=m
  # CONFIG_NET_CLS_RSVP is not set
  # CONFIG_NET_CLS_RSVP6 is not set
  CONFIG_NET_CLS_POLICE=y

You'll need the NETFILTER kernel option turned on to be able to see/select the INGRESS option.

> I even saw the q_ingress.c and q_htb.c files being compiled OK during the 'debian/rules binary-arch' procedure so the code must be in the tc binary. If I mis-type 'ingress', then the error changes to "RTNETLINK answers: No such file or directory" so it must be seeing /something/ ...

Yeah, it looks like the tc binary is right, so once you fix the kernel, everything should work.

-- 
Damion de Soto - Software Engineer, SnapGear - A CyberGuard Company
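The diagnosis above turns on one missing line in the kernel config, and the symptom (tc knows the qdisc, the kernel answers "Invalid argument") is easy to confuse with a broken tc. The check below is an added example, not something from Damion or Gavin: it reads a kernel .config (plain or gzipped, as in /proc/config.gz) and reports which of the options a WonderShaper-style script depends on are neither =y nor =m. The option list and the config path are assumptions; it uses the 2.4-era option names quoted in the thread.

```bash
#!/bin/sh
# Added example: verify that a kernel config has the scheduler, classifier
# and policer options an ingress/HTB shaping script needs.
# The list of required options and the config locations are assumptions.

# Options that must be built in (=y) or as modules (=m).
REQUIRED_QOS_OPTIONS="CONFIG_NET_SCHED CONFIG_NET_SCH_HTB CONFIG_NET_SCH_INGRESS
CONFIG_NET_SCH_SFQ CONFIG_NET_CLS CONFIG_NET_CLS_U32 CONFIG_NET_CLS_FW CONFIG_NET_CLS_POLICE"

# read_config FILE -> config text on stdout (handles /proc/config.gz style files)
read_config() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# option_enabled FILE OPTION -> exit 0 if OPTION=y or OPTION=m appears in FILE
option_enabled() {
    read_config "$1" | grep -Eq "^$2=(y|m)\$"
}

# missing_qos_options FILE -> prints one line per required option that is absent
missing_qos_options() {
    for opt in $REQUIRED_QOS_OPTIONS; do
        option_enabled "$1" "$opt" || printf '%s\n' "$opt"
    done
}

# check_qos_config FILE -> exit 0 when everything is enabled, 1 otherwise
check_qos_config() {
    missing=$(missing_qos_options "$1")
    if [ -n "$missing" ]; then
        printf 'missing in %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# kernel_config_path -> where the running kernel's config usually lives
kernel_config_path() {
    if [ -r /proc/config.gz ]; then
        printf '/proc/config.gz\n'
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '/boot/config-%s\n' "$(uname -r)"
    else
        return 1
    fi
}

if [ $# -gt 0 ]; then
    check_qos_config "$1"
elif cfg=$(kernel_config_path); then
    check_qos_config "$cfg"
fi
```

Run it with the path to a .config, or with no arguments to check the running kernel when its config is exported. For Gavin's config it prints only CONFIG_NET_SCH_INGRESS, which matches Damion's answer.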
Re: [LARTC] QoS with > 1 interface
> there is 3 interfaces on router, one - internet, other two - client's. On one interface there is girls lan, on other - boys. I want give higher internet priority to girls, there is NAT, so ingress resheduling IMO won't work.

IMQ will work there, but it will crash anyway ;) IMQ has nothing to do with ingress except that it can shape it too. There is no other way to do this; you can do some shaping by using the police index, but that way it will not work very well. It can probably do this: if the girls' rate is > x then drop all packets for the boys. I suggest you use only one interface, unless you really want to separate the networks that much.
Re: [LARTC] Port limiting on forward
So what is the problem? Create the root class:

  /qos/bin/tc qdisc del dev eth0 root
  /qos/bin/tc qdisc add dev eth0 root handle 2

and add these:

  # mark 23
  /qos/bin/tc class add dev eth0 parent 2: classid 2:41 htb rate 8Kbit ceil 8Kbit
  /qos/bin/tc qdisc add dev eth0 parent 2:41 sfq
  /qos/bin/tc filter add dev eth0 parent 2: protocol ip pref 4 handle 23 fw classid 2:41

  # mark 24
  /qos/bin/tc class add dev eth0 parent 2: classid 2:42 htb rate 1000Kbit ceil 1000Kbit
  /qos/bin/tc qdisc add dev eth0 parent 2:42 sfq
  /qos/bin/tc filter add dev eth0 parent 2: protocol ip pref 4 handle 24 fw classid 2:42

> I have 40 users on a P2 200 MMX, 32 MB RAM. So I know how to match packets.
>   iptables -t mangle -N MYSHAPER-OUT
>   iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT
>   iptables -t mangle -A MYSHAPER-OUT -s ! 192.168.0.5 -p tcp --dport 0:1024 -j MARK --set-mark 23
>   iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 6660:65000 -j MARK --set-mark 24
> How do I shape mark 23 at 1 KB/s and mark 24 at 1 MB/s?
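The reply above pairs iptables marks with HTB classes but leaves the unit conversion to the reader: tc's kbit is kilobits per second, while the question is in kilobytes and megabytes per second, so 1 KB/s is 8kbit and 1 MB/s is 8000kbit (and tc's own "kbps" means kilobytes, which is a common source of 8x errors). The script below is an added example, not Roy's or the poster's code. It generates the mangle rules and one rate-capped HTB leaf per mark from a "MARK:KBYTES" list; the interface, the exempt host and the rates are assumptions, and with DRYRUN=1 (default) it prints the commands instead of executing them.

```bash
#!/bin/sh
# Added example: classify by firewall mark and cap each mark with HTB.
# Interface, marks, exempt host and rates are assumptions for this example.
# DRYRUN=1 (default) prints commands instead of executing them.

DRYRUN=${DRYRUN:-1}
run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# kbytes_to_kbit N -> tc rate string for N kilobytes per second (1 KB/s = 8 kbit/s)
kbytes_to_kbit() { printf '%skbit' "$(( $1 * 8 ))"; }

# mark_rules DEV EXEMPT_HOST
# mark 23: traffic to privileged ports, except from the exempt host
# mark 24: traffic to the high port range used in the thread
mark_rules() {
    dev=$1 exempt=$2
    run iptables -t mangle -N MYSHAPER-OUT
    run iptables -t mangle -F MYSHAPER-OUT
    run iptables -t mangle -D POSTROUTING -o "$dev" -j MYSHAPER-OUT 2>/dev/null
    run iptables -t mangle -I POSTROUTING -o "$dev" -j MYSHAPER-OUT
    run iptables -t mangle -A MYSHAPER-OUT ! -s "$exempt" -p tcp --dport 0:1024 -j MARK --set-mark 23
    run iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 6660:65000 -j MARK --set-mark 24
}

# shape_marks DEV LINK_KBYTES "MARK:KBYTES MARK:KBYTES ..."
# Unmarked traffic goes to class 2:1 (the link rate). Each mark gets its own
# leaf with rate == ceil, i.e. a hard cap with no borrowing, plus an sfq and
# an fw filter that steers packets carrying that mark into the leaf.
shape_marks() {
    dev=$1 link=$2 specs=$3
    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 2: htb default 1
    run tc class add dev "$dev" parent 2: classid 2:1 htb rate "$(kbytes_to_kbit "$link")"
    n=40
    for spec in $specs; do
        mark=${spec%%:*} kb=${spec#*:}
        n=$((n + 1))
        run tc class add dev "$dev" parent 2: classid "2:$n" htb \
            rate "$(kbytes_to_kbit "$kb")" ceil "$(kbytes_to_kbit "$kb")"
        run tc qdisc add dev "$dev" parent "2:$n" handle "$n:" sfq perturb 10
        run tc filter add dev "$dev" parent 2: protocol ip prio 4 handle "$mark" fw classid "2:$n"
    done
}

if [ "${1:-}" = "--apply" ]; then
    DRYRUN=0
    mark_rules eth0 192.168.0.5
    shape_marks eth0 256 "23:1 24:1000"
fi
```

Because the script deletes the root qdisc and rebuilds everything, it is safe to rerun after editing; that is also the practical answer to removing a single filter, since HTB classes and fw filters are cheap to recreate.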
Re: [LARTC] QoS with > 1 interface
Roy wrote:
> Labas,
> What do you mean give priority to interface? Do you want to route high priority packets to one interface and low priority to other? Or you want to give higher priority to packets forwarded from one interface than from another?

I believe that he wants to send packets to some interface as soon as they arrive, not sending packets on other interfaces.
Re: [LARTC] QoS with > 1 interface
There are 3 interfaces on the router: one is internet, the other two are the clients'. On one interface there is the girls' LAN, on the other the boys'. I want to give higher internet priority to the girls; there is NAT, so ingress rescheduling IMO won't work.

On Sunday 4 January 2004 22:11, Roy wrote:
> Labas,
>
> What do you mean give priority to interface?
> Do you want to route high priority packets to one interface and low priority to other?
> Or you want to give higher priority to packets forwarded from one interface than from another?
>
> > hi, as far I know, iproute QoS works in interface, not in all interfaces. I want give one inner interface priority over other inner, like PRIO one IP over other. HOW?

-- 
Andrius K. Kasparavičius
GSM +370 687 256 30
Re: [LARTC] Port limiting on forward
I have 40 users on a P2 200 MMX, 32 MB RAM. So I know how to match packets:

  iptables -t mangle -N MYSHAPER-OUT
  iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT
  iptables -t mangle -A MYSHAPER-OUT -s ! 192.168.0.5 -p tcp --dport 0:1024 -j MARK --set-mark 23
  iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 6660:65000 -j MARK --set-mark 24

How do I shape mark 23 at 1 KB/s and mark 24 at 1 MB/s?
Re: [LARTC] virtual interface
Alen,

: can i add HTB rule on virtual interface?
: example: eth0:0

First, it's not really a virtual interface; it's just a convention from the old days of IP aliasing to have names like eth0:0. The IP exists and is active on an interface, eth0 in your case.

The short answer is "no". Traffic control occurs just prior to the release of the packet for transmission by the hardware driver. See the KPTD [0].

You can however select packets based on many characteristics, so you may be able to accomplish what you need. You'll use characteristics other than the label "eth0:0".

-Martin

[0] http://www.docum.org/stef.coene/qos/kptd/

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
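Martin's answer is that eth0:0 is a label on an address, not a device, so the qdisc goes on eth0 and the alias's packets are picked out by that address. The script below is an added example, not Martin's or Alen's code: it resolves a label to its address from "ip -4 addr show" output (the label appears as the last word of the inet line), then builds an HTB tree on the real device with a u32 filter on the source address for outgoing traffic. Interface, label, addresses and rates are assumptions; DRYRUN=1 (default) prints the tc commands.

```bash
#!/bin/sh
# Added example: shape the traffic of an IP alias ("eth0:0") on the real
# device by matching the alias address, since tc cannot attach to the label.
# Interface, label, address and rates are assumptions for this example.
# DRYRUN=1 (default) prints commands instead of executing them.

DRYRUN=${DRYRUN:-1}
run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# label_to_addr LABEL  (reads "ip -4 addr show" text on stdin, prints the address)
# Address lines look like:
#   inet 10.0.0.2/24 brd 10.0.0.255 scope global secondary eth0:0
label_to_addr() {
    awk -v label="$1" '$1 == "inet" && $NF == label { sub(/\/.*/, "", $2); print $2; exit }'
}

# shape_alias DEV LABEL LINK_KBIT ALIAS_KBIT [ADDR_TEXT]
# ADDR_TEXT is optional "ip -4 addr show" output; when absent it is fetched
# from the live system. The alias gets a hard-capped class of its own,
# selected by a u32 match on the source address of outgoing packets.
shape_alias() {
    dev=$1 label=$2 link=$3 alias=$4
    addr_text=${5:-$(ip -4 addr show dev "$dev")}
    addr=$(printf '%s\n' "$addr_text" | label_to_addr "$label")
    [ -n "$addr" ] || { echo "no address labelled $label on $dev" >&2; return 1; }
    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${alias}kbit" ceil "${alias}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$((link - alias))kbit" ceil "${link}kbit"
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip src "$addr/32" flowid 1:10
}

if [ "${1:-}" = "--apply" ]; then
    DRYRUN=0
    shape_alias eth0 eth0:0 1000 200
fi
```

The same idea applies to incoming traffic for the alias, with "match ip dst" on an ingress policer or an intermediate device; what never works is naming eth0:0 as the dev argument of tc.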
Re: [LARTC] Port limiting on forward
> I heard that matching ports with mangle and shaping with CBQ or HTB will cost me some resources, so I want to limit this way:
> 1. On forward I want to limit a port range like 0 to 79 at 8 kbps. And after that I want to be able to add lines with other port ranges, also at 8 kbps, but only on forward. Today I have just started to use CBQ and HTB.

Are you so low on resources? Or do you want to manage one user? The simple way to do everything is to mark packets with iptables; there is no other way to match a port range. Also you can know if a packet is forwarded or not by marking it with iptables, or by source IP. And how do you use CBQ and HTB at once?
Re: [LARTC] virtual interface
On Monday 05 January 2004 05:55, alen sarkinovic wrote:
> can i add HTB rule on virtual interface
> example: eth0:0

No.

Stef
-- 
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
Re: [LARTC] QoS with > 1 interface
Labas, What do you mean give priority to interface ? Do you want to route high priority packets to one interface and low priority to other? Or you want to give higer priority to packets forwarded from one interface than from another? hi, as far I know, iproute QoS works in interface, not in all interfaces. I want give one inner interface priority over other inner, like PRIO one IP over other. HOW? -- Andrius K. Kasparavičius ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] virtual interface
Can I add an HTB rule on a virtual interface?
Example: eth0:0

alens
[LARTC] Port limiting on forward
I heard that matching ports with mangle and shaping with CBQ or HTB will cost me some resources, so I want to limit this way:

1. On forward I want to limit a port range like 0 to 79 at 8 kbps. And after that I want to be able to add lines with other port ranges, also at 8 kbps, but only on forward. Today I have just started to use CBQ and HTB.
[LARTC] QoS with > 1 interface
Hi, as far as I know, iproute QoS works per interface, not across all interfaces. I want to give one inner interface priority over the other inner one, like PRIO gives one IP priority over another. HOW?

-- 
Andrius K. Kasparavičius
Re: [LARTC] HTB filters - pls help me
On Sunday 04 January 2004 07:27, jayesh rathod wrote:
> Hi,
>
> we r using HTB algorithm,for traffic shaping, we are facing a problem.
>
> we are able to create multiple classes,filters. But when we delete 1 filter all filter gets deleted. how do we avoid that.
>
> waiting for you reply

What I do is create a script that deletes the root qdisc and re-adds everything. Deleting the root qdisc deletes all classes and filters. So I never delete a filter.

Anyway, can you post your commands?

Stef
Re: [LARTC] problem whith htb script
On Sunday 04 January 2004 12:30, saptah wrote:
> Hi all && happy new Year ;)
>
> I'm try to made a script for shaping my outgoing traffic, but it doesn't work fine. The script work good if all packets go thru the default class, but, if I try to send packets by other class, the packes doesn't go by this class go also by the default class.
>
> This script is installed in a router linux with ip masquerading for the clients.
>
> ¿how I can classify the packets in this classes?
>
> thx 4 all ;) and sorry for my (bad) english :P

No problem. Are you trying to match ftp traffic? If so, you can have a problem because ftp can use dynamic ports. So it's not easy to filter out ftp traffic.

You also use a combination of fw and u32 filters. But for that fw filter, I don't see the needed iptables rules.

Stef
[LARTC] Ingress with WonderShaper
Hullo :)

I appear to be having a common problem, but the standard fix hasn't worked for me :/

I'm using a 2.4.23 kernel, with QoS options thusly:

  # QoS and/or fair queueing
  #
  CONFIG_NET_SCHED=y
  # CONFIG_NET_SCH_CBQ is not set
  CONFIG_NET_SCH_HTB=m
  # CONFIG_NET_SCH_CSZ is not set
  CONFIG_NET_SCH_PRIO=m
  CONFIG_NET_SCH_RED=m
  CONFIG_NET_SCH_SFQ=m
  CONFIG_NET_SCH_TEQL=m
  CONFIG_NET_SCH_TBF=m
  CONFIG_NET_SCH_GRED=m
  CONFIG_NET_SCH_DSMARK=m
  CONFIG_NET_QOS=y
  CONFIG_NET_ESTIMATOR=y
  CONFIG_NET_CLS=y
  CONFIG_NET_CLS_TCINDEX=m
  CONFIG_NET_CLS_ROUTE4=m
  CONFIG_NET_CLS_ROUTE=y
  CONFIG_NET_CLS_FW=m
  CONFIG_NET_CLS_U32=m
  # CONFIG_NET_CLS_RSVP is not set
  # CONFIG_NET_CLS_RSVP6 is not set
  CONFIG_NET_CLS_POLICE=y

The whole wshaper.htb script executes fine until the final two commands, and running the first one manually gives me:

  $ tc qdisc add dev eth0 handle : ingress
  RTNETLINK answers: Invalid argument

Now, the standard solution I've seen is "get a newer tc", and one report [1] said that Debian's unstable one worked fine... so I backported it to woody, but had exactly the same problem :/ I even saw the q_ingress.c and q_htb.c files being compiled OK during the 'debian/rules binary-arch' procedure so the code must be in the tc binary. If I mis-type 'ingress', then the error changes to "RTNETLINK answers: No such file or directory" so it must be seeing /something/ ...

Any ideas? :D

Cheers,
Gavin.

[1] http://www.cs.helsinki.fi/linux/linux-kernel/2002-06/0035.html
Re: [LARTC] IMQ problems :-(
> I have read about people having lots of problems with IMQ. So I just wanted to try it and see how stable it is on my box. I gather it could actually be problems with the Kernel and not the IMQ code??

That is possible but probably not because of a bug in the kernel. As I think, it is because the kernel handles local traffic differently than forwarded, so you can't use IMQ to shape traffic generated by the server. I am continuing development of IMQ and I face this problem most of the time.

> I think that sounds even more messy :-)
> I only wanted to ingress shape with IMQ to ensure that I don't drop UDP or small TCP ACK packets for upload streams. I guess I will just give up on the idea and using ingress policing... Its not so important anyway as my DSL connection is very asymetric (2mbit D/L; 256kbit U/L) and upload shaping is more important.

If you only want to shape incoming traffic you can probably use IMQ quite safely. Anyway, as I see it you don't need it at all: you can easily shape all uploads anyway, and since your download speed is high enough you don't need to worry about it. However, IMQ can be useful to control traffic so that you can download with Kazaa and browse the web or play a game without high latency.
Re: [LARTC] IMQ problems :-(
Hi Roy,

Thanks for getting back to me so promptly.

> Imq is very invasive componemt which requires to recompile almost everyhing this diver is very unstable and will crash for sure, sooner or later depending on load.

I have read about people having lots of problems with IMQ. So I just wanted to try it and see how stable it is on my box. I gather it could actually be problems with the kernel and not the IMQ code??

> I sugest you to leave iptables alone and just modify imq.c source to catch what you need.
> ir you dont have too much trafic it may not crash for all day. ( if you will use it for download shaping)

I think that sounds even more messy :-)

I only wanted to ingress shape with IMQ to ensure that I don't drop UDP or small TCP ACK packets for upload streams. I guess I will just give up on the idea and use ingress policing... It's not so important anyway as my DSL connection is very asymmetric (2mbit D/L & 256kbit U/L) and upload shaping is more important.

Even if IMQ is fixed in kernel 2.6 (is it??) I won't be able to use it until I can update the driver for my Conexant PCI ADSL modem (which works fine just now under kernel 2.4.22).

-- 
Best regards,
Robert
[LARTC] Multihomed Masquerading, routing and iptables
Hi.

I have a networking problem that is driving me nuts at the moment. I have a multi homed network: Cable + DSL.

The problem I have is that although I am 99% sure that I have the routing table rules set up correctly, for some reason masqueraded/NATed traffic doesn't go out of the correct interface. i.e. I am getting traffic leaving eth2 with the source IP header set to eth3 and vice versa.

There are 3 network interfaces:
  eth0 (internal)
  eth2 (DSL)
  eth3 (Cable)
  (eth1 is unused at present)

Here is my iptables setup (/etc/sysconfig/iptables):

  # Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
  *nat
  :PREROUTING ACCEPT [0:0]
  # Port forwarding to an internal machine
  -A PREROUTING -i eth2 -d 217.79.103.2 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
  -A PREROUTING -i eth3 -d 62.252.21.17 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
  # SSH Port Forwarding
  -A PREROUTING -i eth2 -d 217.79.103.3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
  :POSTROUTING ACCEPT [0:0]
  # IP Masquerading Traffic From eth2 and eth3
  -A POSTROUTING -o eth2 -j MASQUERADE
  -A POSTROUTING -o eth3 -j MASQUERADE
  :OUTPUT ACCEPT [0:0]
  COMMIT
  # Completed on Sat Dec 27 10:47:54 2003
  # Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  -A FORWARD -i eth0 -o eth2 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  -A FORWARD -i eth0 -o eth3 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  -A FORWARD -i eth2 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A FORWARD -i eth3 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
  :OUTPUT ACCEPT [0:0]
  COMMIT
  # Completed on Sat Dec 27 10:47:54 2003
  ###

Additionally, here is the script I use to set up the multi homed routing:

  # Add ip rules for routing
  ip rule add from 217.79.103.0/29 table Griffin
  ip rule add from 62.252.21.17 table NTL

  # Add routing rules for specific interfaces to insure connectivity
  ip route add to default via 217.79.103.1 dev eth2 table Griffin
  ip route add to default via 62.252.21.254 dev eth3 table NTL

  ip route add to 217.79.103.0/29 dev eth2 table Griffin
  ip route add to 62.252.21.0/24 dev eth3 table NTL

  # Default route is multi homed
  ip route add to default \
      nexthop via 217.79.103.1 dev eth2 weight 1 \
      nexthop via 62.252.21.254 dev eth3 weight 1

  # Commit routing changes
  ip route flush cache
  #

However, looking at tcpdump output from eth2:

  11:19:27.153771 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.57626: R 0:0(0) ack 2502579442 win 0 (DF)
  11:19:30.212427 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.57626: R 0:0(0) ack 1 win 0 (DF)
  11:20:23.928900 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 > 217.81.134.183.58367: R 0:0(0) ack 2551899092 win 0 (DF)

This is wrong because cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com is 62.252.21.17, which is the IP address of eth3.

Similarly, tcpdump from eth3 says things like:

  11:18:32.787404 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 4066315873 win 0 (DF)
  11:18:35.683228 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)
  11:18:41.744790 217.79.103.2.adsl.griffin.net.uk.18001 > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)

This is again wrong, because 217.79.103.2.adsl.griffin.net.uk is the IP address of eth2.

I am pretty sure the IP rules I set up should work. They assign all packets with source IP of a particular interface to a routing table that is routed out via the correct gateway. However, some packets (from what I have been able to tell, only the masqueraded packets, but the test was not exhaustive) get sent out of the wrong interface.

Can anybody see a problem with this setup?

TIA.

Gordan
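One thing worth noting about the setup above: the "ip rule add from <public address>" rules see the packet's source address at routing time, and for a forwarded packet that is still the private 192.168.0.x address, because source translation (MASQUERADE, and the reverse translation of a DNAT mapping) happens in POSTROUTING, after the route is chosen. Such packets therefore hit the multipath default route rather than the per-ISP tables. The packets in the capture all have source port 18001, the DNATed port, which is consistent with that. The script below is an added example, not Gordan's or Rio's code; it shows the usual way to tie a connection to the link it arrived on: save a per-uplink mark in conntrack on the first packet (CONNMARK, which is mainline from 2.6 and a patch-o-matic addition on 2.4), restore it onto every later packet before routing, and select the ISP table by fwmark. Interface names, tables, addresses and gateways are the thread's; the mark values and rule priorities are assumptions; DRYRUN=1 (default) prints the commands.

```bash
#!/bin/sh
# Added example: route replies out of the uplink a connection arrived on,
# using CONNMARK plus fwmark-based ip rules, alongside the source-based rules.
# Interfaces, tables, addresses and gateways follow the thread; mark values
# and rule priorities are assumptions. DRYRUN=1 (default) prints commands.

DRYRUN=${DRYRUN:-1}
run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# uplink_rules TABLE DEV GATEWAY NET SRC MARK PRIO
# One routing table per uplink, reached either by source address (locally
# generated traffic, SRC) or by fwmark (connections that arrived on DEV).
uplink_rules() {
    table=$1 dev=$2 gw=$3 net=$4 src=$5 mark=$6 prio=$7
    run ip route replace "$net" dev "$dev" table "$table"
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$src" table "$table" priority "$prio"
    run ip rule add fwmark "$mark" table "$table" priority "$((prio + 1))"
}

# connmark_rules DEV MARK
# The first packet of a connection arriving on DEV stores MARK in conntrack.
connmark_rules() {
    dev=$1 mark=$2
    run iptables -t mangle -A PREROUTING -i "$dev" -m state --state NEW \
        -j CONNMARK --set-mark "$mark"
}

# restore_mark_rules
# Every packet of a marked connection gets the mark copied back before the
# routing decision, for forwarded (PREROUTING) and local (OUTPUT) packets.
restore_mark_rules() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

setup_multihomed() {
    uplink_rules Griffin eth2 217.79.103.1 217.79.103.0/29 217.79.103.0/29 1 100
    uplink_rules NTL eth3 62.252.21.254 62.252.21.0/24 62.252.21.17 2 200
    connmark_rules eth2 1
    connmark_rules eth3 2
    restore_mark_rules
    run ip route flush cache
}

if [ "${1:-}" = "--apply" ]; then
    DRYRUN=0
    setup_multihomed
fi
```

The multipath default route in the main table stays as it is for connections the LAN opens itself; those carry no mark, take whichever next hop the route cache picks, and MASQUERADE then stamps the address of that interface, which is consistent by construction. The fwmark rules only change the path of packets that belong to a connection that already entered through a specific uplink.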
[LARTC] problem whith htb script
Hi all && happy new Year ;)

I'm trying to make a script for shaping my outgoing traffic, but it doesn't work fine. The script works well if all packets go through the default class, but if I try to send packets via another class, the packets don't go via this class; they also go via the default class.

This script is installed on a Linux router with IP masquerading for the clients.

How can I classify the packets into these classes?

Thanks to all ;) and sorry for my (bad) English :P

# My script ##
#!/bin/bash
# QoS ;)=
DEV=eth1
RATEUP=100   # in kilobytes (tc's "kbps" unit is kilobytes per second)

# delete the bands
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
iptables -F   # also the iptables rules (without -t this only flushes the filter table)

# build the class tree
tc qdisc add dev $DEV root handle 2: htb default 60
# root class: rate must not exceed ceil (the posted script had rate 120kbps with ceil 100kbps)
tc class add dev $DEV parent 2: classid 2:1 htb rate ${RATEUP}kbps ceil ${RATEUP}kbps
# leaf classes must hang off an existing class; the posted script used parents
# 2:5, 2:6 and 2:7, which are never created, so these three commands failed
# and every packet ended up in the default class 2:60
tc class add dev $DEV parent 2:1 classid 2:50 htb rate $[70*$RATEUP/100]kbps ceil ${RATEUP}kbps
tc class add dev $DEV parent 2:1 classid 2:60 htb rate $[20*$RATEUP/100]kbps ceil ${RATEUP}kbps prio 1
tc class add dev $DEV parent 2:1 classid 2:70 htb rate $[10*$RATEUP/100]kbps ceil ${RATEUP}kbps prio 2

# attach sfq queues to the bands
tc qdisc add dev $DEV parent 2:50 handle 50: sfq
tc qdisc add dev $DEV parent 2:60 handle 60: sfq
tc qdisc add dev $DEV parent 2:70 handle 70: sfq

# map firewall marks to bands (the iptables -j MARK rules setting marks 5, 6 and 7 are not part of this script)
tc filter add dev $DEV protocol ip parent 2: handle 5 fw classid 2:50
tc filter add dev $DEV protocol ip parent 2: handle 6 fw classid 2:60
tc filter add dev $DEV protocol ip parent 2: handle 7 fw classid 2:70

# filter rules
#tc filter add dev $DEV parent 2: protocol ip prio 0 u32 match ip dport 21 0x flowid 2:50 # sends something
#tc filter add dev $DEV parent 2: protocol ip prio 0 u32 match ip dport 20 0x flowid 2:50 # sends something
[LARTC] HTB filters - pls help me
Hi,

We are using the HTB algorithm for traffic shaping, and we are facing a problem.

We are able to create multiple classes and filters. But when we delete 1 filter, all filters get deleted. How do we avoid that?

Waiting for your reply.

Regards
Jayesh