Re: [LARTC] isolated works fine for me
hi stef,

> Reserving bandwidth for something is not so difficult. If you have a 100kbps
> link and you want a minimum of 10kbps for cs, you have to create 2 class :
[...]
> The 10kbps class will always get at least 10kbps. If it's a low rate class,
> you can even limit the 90kbps to 90kbps. So the remaining 10kbps is always
> there for the 10kbps class.

I already shape my traffic with htb and it works pretty well. But I think I ran into the same problem as Daniel. If there is lots of other traffic, the class where all packets of counter-strike are in still has bandwidth available, but I'm getting ping times around 400ms (40ms if there is no other traffic). I'm not sure if I'm failing to mark some packets of counter-strike here or if "htb is too slow" or something else :o

Therefore I asked to get the solution if you work something out - perhaps I can fix my scripts then ;)

best regards
Sebastian

-- 
Sebastian 'spax' Pape          | Just because you're paranoid doesn't mean THEY
mailto: [EMAIL PROTECTED]      | are not out to get you.
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Re: [LARTC] isolated works fine for me
hi there,

> > i've isolated a band of 5k for one of my friends in the network so he can
> > play counter-strike .. if i don't use the isolated parameter he will have a
> > bad ping since his class will borrow to another classes ..
> Can you post your script so I can take a look at it ?

I tried to reserve bandwidth for cs, too, but it didn't really work. So if you work something out I would appreciate it if you post it here ;)

thanks and best regards
Sebastian

-- 
Sebastian 'spax' Pape          | Just because you're paranoid doesn't mean THEY
mailto: [EMAIL PROTECTED]      | are not out to get you.
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
Re: [LARTC] ssh versus scp
hi Martin,

I found almost the same except that my ssh-packets didn't have their TOS-value set.

> So, one *should* be able to do something like this:
>
> # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
> # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

That's almost the same idea as in the "actual script" from the HOWTO. So it seems my ssh-client doesn't like to set tos-values :o

> http://iptables-tutorial.frozentux.net/iptables-tutorial.html

*bookmarked* ;)

greetings
Sebastian

-- 
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: [EMAIL PROTECTED]      | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
Re: [LARTC] ssh versus scp
On Mon, 25 Nov 2002, Robert Penz wrote:

> could you please tell me how you match ssh and not scp with iptables?

I did almost the same as Martin suggested:

| So, one *should* be able to do something like this:
|
| # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
| # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

# (ssh)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#     -m tos ! --tos Maximize-Throughput \
#     -j MARK --set-mark 2
# (scp)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#     -m tos --tos Maximize-Throughput \
#     -j MARK --set-mark 8

it works for me but I'm not sure if it is in general correct.

greetings
Sebastian

-- 
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: [EMAIL PROTECTED]      | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
[LARTC] ssh versus scp
hi!

I'd like to prioritize ssh traffic, but of course I don't like scp to get prioritized, too. In the "actual script" of the howto prioritization is done with this:

| # TOS Minimum Delay (ssh, NOT scp) in 1:10:
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
|       match ip tos 0x10 0xff flowid 1:10

I'm not sure if I got all of it, but it seems to me that there is no port match - it seems to me that this rule matches all packets with a Minimize-Delay 16 (0x10) TOS value.

I watched some packets with tcpdump and it also seems that scp packets all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure ssh" packets have Normal-Service 0 (0x00). It's no problem to match these packets with iptables (just drop me a note if you want to have the iptables syntax). But the question I have is: Are these TOS-values standard for ssh and scp or do all ssh/scp-clients use the values they like? I searched the net, but haven't found anything useful, yet.

best regards
Sebastian

-- 
Sebastian 'spax' Pape          | A diplomat is someone who can tell you to go
mailto: [EMAIL PROTECTED]      | to hell in such a way that you will look
gpg: http://p-a-p-e.de/gpg.asc | forward to the trip.
--- Do you want to know more? http://www.p-a-p-e.de/ ---
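An added example, written for this archive page and not taken from any of the posts or from the LARTC HOWTO, that combines the two threads above: the reserved low-latency class for the counter-strike host (the "10kbps is always there" idea from stef's reply, done in HTB with ceil) and the ssh-versus-scp split by TOS from this thread. The script only prints the tc and iptables commands so they can be read before being piped into a root shell. Everything not in the posts is an assumption: the interface eth0, the rates, the placeholder MAC, the chain name SHAPE_MARK, the three-class layout, and mark 4 for the game host (marks 2 and 8 are the values from the posts).

```shell
#!/bin/sh
# Added example (not from the list posts or the HOWTO). One HTB tree:
#   1:10  low latency, rate = ceil (no borrowing), served first (prio 0)
#   1:20  default, 1:30 bulk (scp); both may only borrow up to LINK-LOW,
#         so the LOW kbit of 1:10 can never be taken by them.
# Packets reach a class via fwmark set in a mangle chain.
# Assumed placeholders: DEV, GAME_MAC, the class split, mark 4 (game host).

DEV=${DEV:-eth0}
GAME_MAC=${GAME_MAC:-00:11:22:33:44:55}   # constructed placeholder, not a real host

# tc_cmds LINK_KBIT LOW_KBIT -> prints the qdisc/class/filter commands.
# LINK_KBIT should be set a little BELOW the real uplink so the queue builds
# in this box (where HTB controls it) and not in the modem.
tc_cmds() {
    link=$1; low=$2
    rest=$((link - low)); half=$((rest / 2))
    cat <<EOF
tc qdisc del dev $DEV root 2>/dev/null
tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate ${link}kbit ceil ${link}kbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${low}kbit ceil ${low}kbit prio 0
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${half}kbit ceil ${rest}kbit prio 1
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${half}kbit ceil ${rest}kbit prio 2
tc qdisc add dev $DEV parent 1:10 handle 10: pfifo limit 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
tc filter add dev $DEV parent 1: protocol ip prio 1 handle 4 fw flowid 1:10
tc filter add dev $DEV parent 1: protocol ip prio 1 handle 2 fw flowid 1:10
tc filter add dev $DEV parent 1: protocol ip prio 1 handle 8 fw flowid 1:30
EOF
}

# mark_cmds -> prints the classification rules in a dedicated mangle chain.
# TOS Maximize-Throughput (0x08) is what the thread observed on scp packets;
# "pure ssh" packets carried Normal-Service (0x00), so "not 0x08" catches them.
# The mac match is only valid on the LAN-side PREROUTING path.
mark_cmds() {
    cat <<EOF
iptables -t mangle -N SHAPE_MARK 2>/dev/null
iptables -t mangle -F SHAPE_MARK
iptables -t mangle -D PREROUTING -j SHAPE_MARK 2>/dev/null
iptables -t mangle -A PREROUTING -j SHAPE_MARK
iptables -t mangle -A SHAPE_MARK -m mac --mac-source $GAME_MAC -j MARK --set-mark 4
iptables -t mangle -A SHAPE_MARK -p tcp --dport 22 -m tos ! --tos Maximize-Throughput -j MARK --set-mark 2
iptables -t mangle -A SHAPE_MARK -p tcp --dport 22 -m tos --tos Maximize-Throughput -j MARK --set-mark 8
EOF
}

# verify_cmds -> the counters answer "are my packets marked at all?":
# if class 1:10 never counts packets while the game runs, the mark rules miss.
verify_cmds() {
    cat <<EOF
iptables -t mangle -L SHAPE_MARK -v -n
tc -s class show dev $DEV
EOF
}

# Usage:  sh shape.sh show 100 10          (print only)
#         sudo sh shape.sh apply 100 10    (run the printed commands)
case "${1:-}" in
    show)  tc_cmds "$2" "$3"; mark_cmds; verify_cmds ;;
    apply) { tc_cmds "$2" "$3"; mark_cmds; } | sh ;;
esac
```

If ping still climbs under load after this is in place, the 1:10 counters from verify_cmds tell which of the two possible causes applies: zero packets in 1:10 means the mark rules do not hit the game traffic; growing counters with high latency means the queue is forming somewhere the shaper does not control, and LINK_KBIT has to go lower than the true uplink rate.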
[LARTC] Shaping outgoing traffic over multiple devices
hi!

I searched the archives and found this question a few times, but I didn't find any answer :o Also I didn't find any hint in the howto.

I want to shape outgoing traffic over multiple devices (let's say eth0 and eth1). If I create a root discipline I have to name a device. Therefore it seems I need two root disciplines and borrowing won't be possible. So if I don't want to absolutely limit the devices (half by half or so), eth0 and eth1 will take as much bandwidth as they can get without caring about the other interface.

Is there any solution like setting up a tunnel or "abusing the teql device" or something else?

best regards
Sebastian

-- 
Sebastian 'spax' Pape          | Never argue with an idiot. They drag you down
mailto: [EMAIL PROTECTED]      | to their level, then beat you with experience.
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
Re: [LARTC] HTB and per-connection bandwidth allocation
hi!

imho there's an iplimit-patch (at patchomatic) - you should be able to limit the number of connections to 100 with this...

just a guess
Sebastian

-- 
Sebastian 'spax' Pape          | Better to remain silent and be thought a fool
mailto: [EMAIL PROTECTED]      | than to speak and remove all doubt.
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
Re: [LARTC] Hammer protection
hi Joachim,

> I want to deny a user who has just logged off .. for about
> 10seconds.

I think you can only limit the number of SYN packets like you already proposed.

> I tried with this, but that didn't work. Maybe my mind is going
> completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m
> limit --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j
> ACCEPT

I'm not sure, but I think you just mixed the parameters up. --limit 10/second allows 10 SYN packets per second, so if you only want one packet per 10 seconds you should perhaps try 6/minute or maybe say 1/minute and set the limit-burst to 3 or so.

best regards
Sebastian

-- 
Sebastian 'spax' Pape          | I'm like time ... u can't stop me!
mailto: [EMAIL PROTECTED]      |
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
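An added example, not part of this thread, that models the iptables "limit" match as a token bucket so the three parameter sets discussed above (10/second burst 1, 6/minute burst 1, 1/minute burst 3) can be compared offline without touching a firewall. The model is an assumption about the match's behaviour at millisecond granularity: the bucket starts full at --limit-burst tokens, gains one token every period/limit, never holds more than burst, and a packet matches only if a token is available. The arrival times are constructed sample data. The second function prints the rule pair the quoted rule is missing: a limit match with -j ACCEPT only lets the matching SYNs through, and without a following DROP for the same SYNs the excess simply falls through to the rest of the chain.

```shell
#!/bin/sh
# Added example (not from the thread). Token-bucket model of "-m limit".
# Assumption: iptables' credit counter behaves like this bucket at ms resolution.

# limit_sim PKTS PERIOD_SECONDS BURST "t1 t2 ..." (times in ms, ascending)
# Prints one character per arrival: A = matched (token taken), D = no token.
limit_sim() {
    per=$1; period=$2; burst=$3; times=$4
    refill=$((period * 1000 / per))   # milliseconds per new token
    tokens=$burst; credit=0; last=0; out=""
    for t in $times; do
        credit=$((credit + t - last)); last=$t
        # turn elapsed time into tokens, never above the burst size
        while [ "$credit" -ge "$refill" ] && [ "$tokens" -lt "$burst" ]; do
            tokens=$((tokens + 1)); credit=$((credit - refill))
        done
        if [ "$tokens" -ge "$burst" ]; then credit=0; fi   # a full bucket banks no time
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); out="${out}A"
        else
            out="${out}D"
        fi
    done
    printf '%s\n' "$out"
}

# ftp_syn_rules LIMIT BURST -> prints the accept/drop pair for new FTP
# connections on eth0 (placeholder interface). The DROP line is what the
# quoted rule lacks; SYNs over the limit otherwise fall through.
ftp_syn_rules() {
    cat <<EOF
iptables -A INPUT -i eth0 -p tcp --dport 21 --tcp-flags ALL SYN -m limit --limit $1 --limit-burst $2 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 --tcp-flags ALL SYN -j DROP
EOF
}

# Constructed sample: five reconnect attempts within two seconds of a logoff,
# then one after 15 s and one after 70 s.
SAMPLE='0 500 1000 1500 2000 15000 70000'
echo "10/second burst 1: $(limit_sim 10 1 1 "$SAMPLE")"   # AAAAAAA
echo "6/minute  burst 1: $(limit_sim 6 60 1 "$SAMPLE")"   # ADDDDAA
echo "1/minute  burst 3: $(limit_sim 1 60 3 "$SAMPLE")"   # AAADDDA
```

The first line shows why the quoted rule did nothing visible: at 10/second every attempt in the sample gets a token. 6/minute with burst 1 gives the one-SYN-per-10-seconds behaviour asked for; 1/minute with burst 3 lets a short burst of three through and then enforces a much longer gap, which is a different policy, not just a different spelling of the same one.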
Re: [LARTC] 2 questions
hi Jose,

> 1)How can i create a qdisc with a MAC address (not host)?

try to mark those packets with netfilter

$IPTABLES ... -m mac --mac-source ...

> 2)How can i make a Transparent (squid)Proxy on my Linux-(Bridge+Traffic
> control). I use 2 (1 in + 1 out) interfaces in promiscuous mode. They have 2
> ip addresses, but as the bridge is transparent, these Ip's are invisible on
> My Network.

Did you take a look at the mini-howto?

http://www.tldp.org/HOWTO/mini/TransparentProxy.html

best regards
Sebastian

-- 
Sebastian 'spax' Pape          | "Gravitation can not be held responsible for
mailto: [EMAIL PROTECTED]      | people falling in love." -- Albert Einstein
pgp: http://p-a-p-e.de/pgp.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
Re: [LARTC] Managing downloads
hi!

> Also, does anyone know a good way of filtering by MAC address, rather than
> by IP address?

use the ability of netfilter to mark those packets - this works fine here.

greetings
Sebastian

-- 
Sebastian 'spax' Pape          | Never argue with an idiot. They drag you down
mailto: [EMAIL PROTECTED]      | to their level, then beat you with experience.
pgp: http://p-a-p-e.de/pgp.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---