[LARTC] Few question on HTB

2004-04-02 Thread Sandeep Agarwal
Dear All,

Sorry to trouble again. After going through www.lartc.org I have implemented HTB
instead of CBQ for the same scenario.
Now the following files are under the /etc/sysconfig/htb directory.

eth0 DEFAULT=30 R2Q=10
eth0-2.root  RATE=256kbps  BURST=25k
eth0-2:10.comp1 RATE=120kbps  BURST=12k  PRIO=0  LEAF=sfq  RULE=192.168.200.0/24
eth0-2:20.comp2 RATE=80kbps  BURST=8k  PRIO=1  LEAF=sfq  RULE=192.168.100.0/24
eth0-2:30.server  RATE=56kbps  BURST=6k  PRIO=3  LEAF=sfq  RULE=203.145.134.120/29

eth1-2:30.root RATE=56kbps  BURST=6k
eth1-2:30:300.all RATE=56kbps  BURST=6k  PRIO=3  LEAF=sfq  RULE=203.145.134.120/29  MARK=3

eth2-2:20.root RATE=80kbps  BURST=8k
eth2-2:20:200.all RATE=80kbps  BURST=8k  PRIO=1  LEAF=sfq  RULE=192.168.100.0/24  MARK=2

eth3-2:10.root RATE=120kbps  BURST=12k
eth3-2:10:100.all RATE=120kbps  BURST=12k  PRIO=0  LEAF=sfq  RULE=192.168.200.0/24  MARK=1

When I have run
# service htb.init start
#
it returns nothing. Is it OK? Also stats returns nothing. Are the above configuration
files OK?

Thanking you,
Sandeep Agarwal
- Original Message -
From: "Sandeep Agarwal" <[EMAIL PROTECTED]>
To: "LARTC" <[EMAIL PROTECTED]>
Sent: Monday, March 29, 2004 5:08 PM
Subject: Suggestion required on CBQ !!


> Dear Sir,
>
[snip]
> -
> -
> Scenario: Restrict Server, Comp1 & Comp2 on given speed.
> --256kbps---|eth0(203.145.134.112/255.255.255.252)
>  |eth1(Server room) 56kbps (203.145.134.120/255.255.255.248)
>  |eth2(Company2) 80kbps (203.145.134.116/255.255.255.252)
>&
>
> (192.168.100.0/255.255.255.0)
>  |eth3(Company1) 120kbps(192.168.200.0/255.255.255.0)
>
[snip]
>
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


RE: [LARTC] Complex Routing/Firewalling/Bridging question

2004-04-02 Thread Daniel Chemko
This is an intriguing problem, and one that applies to what my network
is moving into.

> First, we're bringing in 2 additional T's and want to use BGP to
> provide for some measure of failover to a Class C portable IP block
> we own.  My question regarding this is, what do I need to do on my
> Linux firewall/NAT box so that it knows how to send outbound packets?

I can't tell you much about BGP, but I've heard horror stories about the
excessive bandwidth needed just to send/receive the updates. One
alternative to BGP would be WAN (for outbound) and DNS (for inbound)
load balancing. This works if you have a large series of small IP
sessions. This alternative wouldn't be appropriate if you have a few
VERY large sessions to manage, like high-bandwidth IPSec tunnels. That's
your judgment call.

> Second, we currently have two separate DMZ networks, one for corporate
> Internet servers, and one for client-accessible Internet servers.
> Currently, both these networks, and our internal LAN, (and all of our
> IPSec-connected remote offices) are all subnets in the 10.* range, and
> NATted to the outside.  I'm using Shorewall on RH9 (Linux 2.4) to
> handle the firewalling and SNAT/DNAT for the DMZs and NAT for the
> LAN, and FreeS/WAN for the IPSec WAN.

Sounds fine. I'm not sure how robust the shorewall framework is for
complex networks, but if it works for you, all the better.

> What I would _like_ to do is build an "invisible" firewall between the
> routers provided with each of the three T-1 lines (yes, each T has
> its own Cisco 2600-series router).  Ideally, two, in some sort of
> fail-over configuration.  I want to split the firewalling from the
> routing primarily to remove the chance of breaking one when working
> on the other, but this is not a set-in-stone requirement.

I think you're on the right track. Just one point, you would have a
hub/switch between each T1 and the firewall. This could be one or two
L3 switches, or you could just have a single switch/hub for each T1.

I wouldn't have each T1 visible to each other. I have inherent fears of
people finding a vulnerability/DOS situation bouncing packets from one
1600 to another. That may not be based on reality, but it helps me sleep
having all end points terminate at a firewall.

> Would it be better to forgo the edge firewall, and simply put
> firewalls on each network that connects to the Internet or another
> internal network? 

I'd have:
 - a single edge firewall that does internet filtering and all the NATing
 - a router that does the route selection (assuming you're not using BGP)
 - a firewall inside the router to handle inter-LAN filtering
   (if the IPSec drops in as a LAN subnet, I'd place it on the
   interior firewall)
All of this could obviously be consolidated into one or two machines.
The load and risk of configuration may increase having them on the same
machine, but it is cheaper if it's a concern.

> If so, should the NAT for the LAN be handled by the LAN's firewall,
> or the router?

Described above.

> Since we really need to be able to connect from any network to any
> network internally, would I put the IPSec links in the Linux router?

Described above.

> Am I making this all too complex?  Should I just combine the firewall
> & router into a single box, build a fail-over twin for it, and have
> it run the IPSec links, the proxy-arp for pseudo-bridging to the
> DMZs, the NAT for the LAN->Internet communications and all the
> internal routing? 

Failover is pretty much a requirement stepping beyond what we have here.
You'll run into problems with making both active. Since you look like
you'd go failover because of excessive workload, I'd follow my original
suggestion above. For redundancy, you should definitely pair up each
component eventually. Choose the ones with the highest failure rate to
work with first.

> And where the hell does BGP for the T-1s fit into this mess?

Like I said, for a T1, you may run into problems. I can't say for sure
one way or another.


[LARTC] Complex Routing/Firewalling/Bridging question

2004-04-02 Thread Gregory K. Ruiz-Ade
I'm being cast headlong into unfamiliar waters here, and being desperate for 
some air, thought I'd come here for some help. :)

Anyway, my employer is going through some whiplash-inducing growth spurts, 
and as a result, the simple "Internet T-1 -> Linux Firewall/NAT -> LAN" 
setup just isn't going to cut it anymore.

First, we're bringing in 2 additional T's and want to use BGP to provide for 
some measure of failover to a Class C portable IP block we own.  My 
question regarding this is, what do I need to do on my Linux firewall/NAT 
box so that it knows how to send outbound packets?

Second, we currently have two separate DMZ networks, one for corporate 
Internet servers, and one for client-accessible Internet servers.  
Currently, both these networks, and our internal LAN, (and all of our 
IPSec-connected remote offices) are all subnets in the 10.* range, and 
NATted to the outside.  I'm using Shorewall on RH9 (Linux 2.4) to handle 
the firewalling and SNAT/DNAT for the DMZs and NAT for the LAN, and 
FreeS/WAN for the IPSec WAN.

What I would _like_ to do is build an "invisible" firewall between the 
routers provided with each of the three T-1 lines (yes, each T has its own 
Cisco 2600-series router).  Ideally, two, in some sort of fail-over 
configuration.  I want to split the firewalling from the routing primarily 
to remove the chance of breaking one when working on the other, but this is 
not a set-in-stone requirement.

So, given my poor ascii-art skills, the layout might look something like 
this:

^^^}-{T1(a)}--[cisco(a)]--+   +--{Service DMZ}
'N }  |   |
 e }-{T1(b)}--[cisco(b)]--+-[[firewall]-[router]]-+--{Corporate DMZ}
 t }  |   |
vvv}-{T1(c)}--[cisco(c)]--+   +--{LAN}
  |
  +--{future growth}


Now, for the sake of argument, we'll call our portable Class C 
192.168.191.0/24.  I hope to share it between the service DMZ and the 
corporate DMZ.  The two DMZs need to be separate for security concerns, and 
I'll need to do some amount of firewalling between the DMZs, and between 
the DMZs and the LAN, in addition to the firewalling between the Internet 
and our networks.

So, here's my list of questions:

Would it be better to forgo the edge firewall, and simply put firewalls on 
each network that connects to the Internet or another internal network?

If so, should the NAT for the LAN be handled by the LAN's firewall, or the 
router?

Since we really need to be able to connect from any network to any network 
internally, would I put the IPSec links in the linux router?

Am I making this all too complex?  Should I just combine the firewall & 
router into a single box, build a fail-over twin for it, and have it run 
the IPSec links, the proxy-arp for pseudo-bridging to the DMZs, the NAT for 
the LAN->Internet communications and all the internal routing?

And where the hell does BGP for the T-1s fit into this mess?

I guess I'm more lost than I thought. :(

Any help or advice is appreciated.

TIA,

Gregory

-- 
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu



Re: [LARTC] wondershaper question

2004-04-02 Thread Corey Hickey
gypsy wrote:
> Also
> remember YOU DO NOT SHAPE DOWNLOADS!  HTB can only "police" D/L, not
> "shape".  You must use iptables or IMQ to "shape" D/L; I use iptables -m
> limit --limit ##/second -j ACCEPT
> iptables -j DROP
> and make sure that these 2 lines precede any RELATED, ESTABLISHED
> accepts.  Note that the real iptables rules include either --dport ## or
> --sport ##, depending on what the rule accomplishes.  Note further that
> downloads are on INPUT so I specify -A INPUT to throttle D/L.
> 

If you use htb or other shaping qdiscs on a router, you can set it up so
that it sees packets that are leaving both interfaces and can therefore
shape traffic in both directions. Sure, you can't shape traffic destined
for the router itself, but that's rarely an issue.

-Corey


Re: [LARTC] IMQ driver & kernel options

2004-04-02 Thread Roy
Which kernel do you use?

It is either possible that your kernel source is different from the running
kernel, or you have something wrong with netfilter.
Are you sure you compiled iptables into the kernel? Preferably NOT as a module.



- Original Message - 
From: "Cord Buhlert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 02, 2004 3:05 PM
Subject: [LARTC] IMQ driver & kernel options


> Hi,
> i tried to insmod the imq.o module from http://pupa.da.ru/imq after a
> successful compile, but it throws this error:
>
>  > insmod imq.o
>  imq.o: unresolved symbol nf_unregister_hook
>  imq.o: unresolved symbol nf_register_hook
>
>
> I think I have some kernel options disabled, does anyone know which
> one(s)?
>
>
> Thanks
> cord
>



Re: [LARTC] wondershaper question

2004-04-02 Thread gypsy
gypsy wrote:

AFTERTHOUGHT:  I should have been more precise:

> Yes, but be careful with NAT; finding 192.168.1.# can be tough.  Also
> remember YOU DO NOT SHAPE DOWNLOADS!  HTB can only "police" D/L, not
> "shape".  You must use iptables or IMQ to "shape" D/L; I use iptables -m
> limit --limit ##/second -j ACCEPT
> iptables -j DROP
> and make sure that these 2 lines precede any RELATED, ESTABLISHED
> accepts.  Note that the real iptables rules include either --dport ## or
> --sport ##, depending on what the rule accomplishes.  Note further that
> downloads are on INPUT so I specify -A INPUT to throttle D/L.

iptables is "rate limiting" not "shaping".

NATted users are rate limited on the FORWARD chain, not INPUT.

gypsy


Re: [LARTC] wondershaper question

2004-04-02 Thread gypsy
> Chris Winfield-Blum wrote:
> 
> Hi I am very unclear about the wonder shaper and a bit of a novice
> with Unix all together
> 
> I have a question for you and I hope you can answer
> 
> Basically my office is getting a couple of people slowing down the
> network so I've been looking around and found wondershaper
> 
> What I want to know is that can I rather than having low priority
> ports have it with high priority ports

Sure.

> And the same with high priority hosts...

Of course.

> Can I have it so that say for example 192.168.1.2 192.168.1.3 are high
> priority and port 20 22 80 443 110 25 etc are high priority?

Yes, but be careful with NAT; finding 192.168.1.# can be tough.  Also
remember YOU DO NOT SHAPE DOWNLOADS!  HTB can only "police" D/L, not
"shape".  You must use iptables or IMQ to "shape" D/L; I use iptables -m
limit --limit ##/second -j ACCEPT
iptables -j DROP
and make sure that these 2 lines precede any RELATED, ESTABLISHED
accepts.  Note that the real iptables rules include either --dport ## or
--sport ##, depending on what the rule accomplishes.  Note further that
downloads are on INPUT so I specify -A INPUT to throttle D/L.

> Also how do I clear the rules I have made with the script??
> If I want it to return to the default for example??

Read the effing script, man!

> 
> Thanks
> 
> Chris

Please don't post using HTML.

Here is a modified "wonder" script I call "ultimate"...

http://andthatsjazz.net:8/ultimate.txt

HTH

gypsy


[LARTC] IMQ driver & kernel options

2004-04-02 Thread Cord Buhlert
Hi,
I tried to insmod the imq.o module from http://pupa.da.ru/imq after a
successful compile, but it throws this error:

 > insmod imq.o
 imq.o: unresolved symbol nf_unregister_hook
 imq.o: unresolved symbol nf_register_hook

I think I have some kernel options disabled, does anyone know which
one(s)?


Thanks
cord


Re: [LARTC] Control Bandwidth

2004-04-02 Thread Adrian Saileanu

  You are making two major mistakes here which will make your script have no
effect over the $EXTIF, except the rate of 128k for uploading for everything
that goes out of your box.

  You have a private IP which will later be SNATed/MASQed, and because shaping
is done after POSTROUTING (even for the nat and mangle tables), a packet which
arrives on the external interface will have the PUBLIC IP as its source. So the
filter "$TC filter add dev $EXTIF protocol ip parent 0:0 prio 1 u32 match ip
src $IP flowid 1" will not match any packet.

  Check the http://www.docum.org/stef.coene/qos/kptd/ page. It is very useful.

  Second, on the external interface you will never have packets with dst $IP
... what would a packet with dst $IP mean? It means that a machine which has a
network device with the ip = $IP should be somewhere on the internet (behind
$EXTIF) ... but in reality, this machine is behind $INTIF. So the filter "$TC
filter add dev $EXTIF protocol ip parent 0:0 prio 1 u32 match ip dst $IP
flowid 1" will not match any packet.


> Hi all,
>
> I need a little help, I am studying htb to control user
> bandwidth (download/upload) and I made a script as
> below to test. I am testing using the ttcp tool from my
> linux box to another linux box (192.168.200.51).
> my box <- Linux = more than 128kbit
> my box -> Linux = get 128kbit
>
> But I want to control both ways, what am I missing?
>
>
> script:
> EXTIF=eth0
> INTIF=eth1
> TC=/sbin/tc
> DOWN=128
> UP=64
> IP=192.168.200.201
> ##
> #
> $TC qdisc del dev $EXTIF root 2> /dev/null > /dev/null
> #
> $TC qdisc add dev $EXTIF root handle 0: htb default 1
> $TC class add dev $EXTIF parent 0: classid 1 htb rate 128Kbit ceil 128Kbit
> #
> $TC filter add dev $EXTIF protocol ip parent 0:0 prio 1 u32 match ip src $IP flowid 1
> $TC filter add dev $EXTIF protocol ip parent 0:0 prio 1 u32 match ip dst $IP flowid 1
>
> Thanks,
> Anderson
>
>
>


Adrian Saileanu
Netmaster Communications Srl

address: Str. Ion Brezoianu Nr. 20
Sector 1, Bucuresti, Romania

office: +40 21 315 92 00
mobile: +40 723 979 586
email:   [EMAIL PROTECTED]





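The points made in the wondershaper thread (Corey: a router shapes both directions on the egress of its two interfaces; gypsy: NATed hosts are matched on FORWARD, not INPUT) and in Adrian's reply (after SNAT the private source is gone on $EXTIF, while the private destination is still visible on $INTIF) combined into one script, as an added example that is not code from any poster in the thread. Interface names, the 2048 kbit link rate, the fwmark value and the class numbering are assumptions; with DRY_RUN=1 (the default) it only prints the tc and iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: shape one NATed host in both directions on
# a Linux router. Uploads are classified on the external interface by an fwmark
# that iptables sets in mangle/FORWARD, i.e. before nat/POSTROUTING rewrites the
# source; downloads are classified on the internal interface by destination.
EXTIF=${EXTIF:-eth0}            # towards the Internet (assumption)
INTIF=${INTIF:-eth1}            # towards the LAN (assumption)
IP=${IP:-192.168.200.201}       # the private host from the thread
UP=${UP:-64}                    # kbit, host -> Internet (from the thread)
DOWN=${DOWN:-128}               # kbit, Internet -> host (from the thread)
LINK=${LINK:-2048}              # kbit, whole link, for the root class (assumed)
MARK=${MARK:-1}                 # fwmark used for the host's uploads (assumed)
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# HTB tree on one device: root class 1:1 at link speed, class 1:10 capped at
# $2 kbit for the host, class 1:20 as the default for all other traffic.
htb_tree() {  # dev rate_kbit
  run tc qdisc del dev "$1" root 2>/dev/null || true
  run tc qdisc add dev "$1" root handle 1: htb default 20
  run tc class add dev "$1" parent 1: classid 1:1 htb rate "${LINK}kbit"
  run tc class add dev "$1" parent 1:1 classid 1:10 htb rate "${2}kbit" ceil "${2}kbit"
  run tc class add dev "$1" parent 1:1 classid 1:20 htb rate "${LINK}kbit"
  run tc qdisc add dev "$1" parent 1:10 handle 10: sfq perturb 10
}

shape_upload() {
  htb_tree "$EXTIF" "$UP"
  # Forwarded (NATed) traffic never traverses INPUT, so mark it in FORWARD. The
  # mangle table runs before nat/POSTROUTING, so the private source is still
  # visible here; the mark then survives SNAT and is matched on the qdisc.
  run iptables -t mangle -A FORWARD -s "$IP" -o "$EXTIF" -j MARK --set-mark "$MARK"
  run tc filter add dev "$EXTIF" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

shape_download() {
  htb_tree "$INTIF" "$DOWN"
  # Replies are de-NATed in nat/PREROUTING before they reach the internal
  # interface's qdisc, so a plain u32 match on the private destination works.
  run tc filter add dev "$INTIF" parent 1: protocol ip prio 1 u32 \
      match ip dst "$IP" flowid 1:10
}

shape_both() { shape_upload; shape_download; }

shape_both
```

Run with DRY_RUN=0 as root to apply the rules; the default class 1:20 keeps the rest of the traffic unshaped apart from the link rate.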