[LARTC] Confuse, putting packets in wrong mangle table.

2005-01-18 Thread Rio Martin.
Folks,
I am a little bit confused about how to put these packets into the correct mangle 
table for traffic shaping.

This is what I've planned to do:

- - - - :eth0 [ LINUX-BOX ] eth1: - - - -

Let's say:
eth0: 220.100.1.1
eth1: 192.168.1.1
eth1:1 192.168.1.2

192.168.1.0/24 gets NATed into 220.100.1.1 before reaching the internet.
I put every packet coming from the internet (eth0) this way:
# iptables -t mangle -I PREROUTING -i eth0 .. * * * *

But what if I would like to do the same with IPs 192.168.1.1 and 
192.168.1.2? How do I put the packets in the correct mangle table?

Thanks before ..

Regards,
Rio Martin.
___
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] Doubt regarding priority of classes with HTB

2005-01-18 Thread Dmitry Golubev
Are you sure we care about priorities of inner classes? It seems to me 
that you do not even have this entry in the memory structure in the case of an 
inner class - only leaf classes have prios.

Dmitry

On Tuesday 18 January 2005 17:47, "sanjeev ravindran" 
<[EMAIL PROTECTED]> wrote:
> Thank you for your response,
> Actually I too found the same in the user guide of htb... however I was a bit
> confused about the priority of different classes. Now things are
> clear...
> thanks again
> sanjeev
>
>
>
> - Original Message -
> From: "Tóth Nándor" <[EMAIL PROTECTED]>
> To: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Doubt regarding priority of classes with HTB
> Date: Tue, 18 Jan 2005 09:35:12 +0100
>
> > Hi!
> >
> > sanjeev ravindran wrote:
> > > Hi,
> > >
> > > I'm a bit confused with the priority of different classes with
> > > HTB. How it will be? Will the class with lowest no: have maximum
> > > priority?
> > >
> > > Any help is most appreciated,
> > > Thanks in advance,
> > > Sanjeev
> >
> > http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio
> >
> > "Priorizing traffic has two sides. First it affects how the excess
> > bandwidth is distributed among siblings. Up to now we have seen
> > that excess bandwidth was distibuted according to rate ratios. Now
> > I used basic configuration from chapter 3 (hierarchy without
> > ceiling and bursts) and changed priority of all classes to 1 except
> > SMTP (green) which I set to 0 (higher).
> >  From sharing view you see that the class got all the excess
> > bandwidth. The rule is that classes with higher priority are
> > offered excess bandwidth first. But rules about guaranted rate and
> > ceil are still met."
> >
> > -- Udv,
> >Nandor


Re: [LARTC] Doubt regarding priority of classes with HTB

2005-01-18 Thread sanjeev ravindran
Thank you for your response,
Actually I too found the same in the user guide of htb... however I was a bit 
confused about the priority of different classes. Now things are clear...
thanks again
sanjeev



- Original Message -
From: "Tóth Nándor" <[EMAIL PROTECTED]>
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Doubt regarding priority of classes with HTB
Date: Tue, 18 Jan 2005 09:35:12 +0100

> 
> Hi!
> 
> sanjeev ravindran wrote:
> > Hi,
> >
> > I'm a bit confused with the priority of different classes with 
> > HTB. How it will be? Will the class with lowest no: have maximum 
> > priority?
> >
> > Any help is most appreciated,
> > Thanks in advance,
> > Sanjeev
> 
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio
> 
> "Priorizing traffic has two sides. First it affects how the excess 
> bandwidth is distributed among siblings. Up to now we have seen 
> that excess bandwidth was distibuted according to rate ratios. Now 
> I used basic configuration from chapter 3 (hierarchy without 
> ceiling and bursts) and changed priority of all classes to 1 except 
> SMTP (green) which I set to 0 (higher).
>  From sharing view you see that the class got all the excess 
> bandwidth. The rule is that classes with higher priority are 
> offered excess bandwidth first. But rules about guaranted rate and 
> ceil are still met."
> 
> -- Udv,
>Nandor


[LARTC] Archives and question

2005-01-18 Thread Rob Moore

Hello--

I am brand new to this list. I've been using a pre-packaged subset of
Linux that comes with an application called IPCop. (If you're unfamiliar
with IPCop, I think it's a wonderful, easy-to-use firewall application
that will run on pretty low-end hardware.) But otherwise I'm pretty much
a neophyte with Linux.

Two questions:
1. Is there an archive for this list so I can look for previous postings
on my topic?
2. I have a hub-and-spoke network, made up of about 30 IPCop firewalls
in remote offices that all VPN back to an IPCop box here in the main
office. The remote offices can all communicate with the main office, but
none can communicate with each other directly. I need to get that
inter-remote-site communication to work. I'm thinking some routing table
entries ought to be able to do it, but I'm not familiar enough [read:
not familiar at all] with Linux routing to know how to set it up. I'm
hoping you all can tell me, A)if it will work or not, and B)how to get
started.

Thanks,
Rob


Re: [LARTC] failover works - but balancing does not

2005-01-18 Thread ro0ot
Hi,
Can I know how your failover works?  Any additional scripts?
Regards,
ro0ot
roderick tapang wrote:
here's the setup (two dsl - same provider)
                  +-> link1
LAN- linux box  --|         |--internet
                  +-> link2
the setup is ok in terms of the failover requirement. the other link
takes over when one is down. however, there is a very noticeable lag
when both lines are up. i've tried changing the weight value to a
higher one but the links are still under utilized and some client machines
playing games or mostly disconnected. taking down one link makes the
connection ok.
any suggestions? do i need to patch the kernel?
below is the script i'm  using on a mandrake 10.1 box.
thanks.
erik

#!/bin/sh
# Iptables userspace executable
IPTABLES="/sbin/iptables"
# Internal Interface
NET_INT_INT=eth1
# Internal IP
NET_INT_IP=192.168.0.101
# Internal Subnet
NET_INT_SUB=/24
# Internal Network
NET_INT_NET=192.168.0.0
# First external interface
NET_EXT_INT1=eth0
# First external IP
NET_EXT_IP1=192.168.1.7
# First external interface's gateway
NET_EXT_GW1=192.168.1.1
# Second external interface
NET_EXT_INT2=eth2
# Second external IP
NET_EXT_IP2=192.168.1.3
# Second external interface's gateway
NET_EXT_GW2=192.168.1.1
echo "Flushing All Tables"
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -X
$IPTABLES -t mangle -N ETH0
$IPTABLES -t mangle -F ETH0
$IPTABLES -t mangle -A ETH0 -j MARK --set-mark 1
$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 2
$IPTABLES -t nat -N SPOOF_ETH0
$IPTABLES -t nat -F SPOOF_ETH0
$IPTABLES -t nat -A SPOOF_ETH0 -j SNAT --to ${NET_EXT_IP1}
$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to ${NET_EXT_IP2}
echo "Setting some local network rules..."
$IPTABLES -A INPUT -p icmp -s ${NET_INT_NET}/24 -d ${NET_INT_IP} -j ACCEPT
echo "Setting Mangle rules for eth0..."
$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH0
$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random --average 50 -j ETH0
ip ro add table 10 default via ${NET_EXT_GW1} dev ${NET_EXT_INT1}
ip ru add fwmark 1 table 10
ip ro fl ca
echo "Setting Mangle rules for eth2..."
$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH2
$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random --average 50 -j ETH2
ip ro add table 20 default via ${NET_EXT_GW2} dev ${NET_EXT_INT2}
ip ru add fwmark 2 table 20
ip ro fl ca
echo "Setting up spoofing rules..."
$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT1} -j SPOOF_ETH0
$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT2} -j SPOOF_ETH2
echo "Adding default route..."
ip ro add default nexthop via ${NET_EXT_GW1} dev ${NET_EXT_INT1} weight 1 nexthop via ${NET_EXT_GW2} dev ${NET_EXT_INT2} weight 1
echo "Disabling Reverse Path Filtering..."
# Note the space before ">": "echo 0>" would redirect fd 0 and write nothing.
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo "Enabling IPv4 Packet forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

 





Re: [LARTC] iproute2 + iptables - match the connection time or packets sent/recieved

2005-01-18 Thread Iosif Peterfi
- Original Message - 
From: "Jason Boxman" <[EMAIL PROTECTED]>
To: 
Sent: Monday, January 17, 2005 6:50 PM
Subject: Re: [LARTC] iproute2 + iptables - match the connection time or
packets sent/recieved


> On Monday 17 January 2005 08:48, Iosif Peterfi wrote:
> > Hello,
> >
> 
> > All I want to do is shape the web traffic for long connections which are
> > not HTML webpages, I want to slow down those connections.
> > I know that can be overridden by stopping/resuming the transfer but I still
> > want to do it since people start downloading from HTTP with many
> > connections, during the day and leave the office, I have no time to hunt
> > them, so I just want to classify those connections if it is possible.
>
> Sure, you can do that with the connbytes Netfilter module.  After someone
> downloads some given amount of data you can reclassify that traffic from
> interactive-Web to bulk-Web or something similar.  I've been meaning to do
> this myself, but haven't gotten to it.


Thanks a lot!
That was very useful.
I had some problems patching the kernel (I had to do it manually) since my
gentoo kernel is already patched with a lot of other patches, but I managed
to do it and it works like a charm.

>
> -- 
>
> Jason Boxman
> Perl Programmer / *NIX Systems Administrator
> Shimberg Center for Affordable Housing | University of Florida
> http://edseek.com/ - Linux and FOSS stuff
>
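
The connbytes reclassification suggested in the reply quoted above, written out as an added example (not code from the thread or from either poster). The interface name, rates, class ids and the 1 MiB threshold are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example. Assumed values (not from the thread): LAN_IF, the rates,
# class ids 1:10 / 1:20 and the 1 MiB threshold.
LAN_IF="${LAN_IF:-eth1}"          # interface facing the office clients
LINK_RATE="${LINK_RATE:-2mbit}"   # total downstream rate to share
BULK_BYTES="${BULK_BYTES:-1048576}"
RUN="${RUN-echo}"                 # unset: dry run; RUN= (empty): execute as root

shaper_rules() {
    # HTB tree on the LAN side, where downloads leave toward the clients.
    $RUN tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
    $RUN tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$LINK_RATE"
    # Leaves: the lower prio number is offered excess bandwidth first.
    $RUN tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb \
        rate 1mbit ceil "$LINK_RATE" prio 0
    $RUN tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb \
        rate 256kbit ceil "$LINK_RATE" prio 1
}

classify_rules() {
    # connbytes needs conntrack byte accounting on current kernels.
    $RUN sysctl -w net.netfilter.nf_conntrack_acct=1
    # Every HTTP reply packet starts in the interactive class 1:10 ...
    $RUN iptables -t mangle -A POSTROUTING -o "$LAN_IF" -p tcp --sport 80 \
        -j CLASSIFY --set-class 1:10
    # ... and is moved to bulk class 1:20 once the connection has carried
    # more than BULK_BYTES from server to client. CLASSIFY does not stop
    # rule traversal, so the later, narrower rule wins.
    $RUN iptables -t mangle -A POSTROUTING -o "$LAN_IF" -p tcp --sport 80 \
        -m connbytes --connbytes "$BULK_BYTES": --connbytes-dir reply \
        --connbytes-mode bytes -j CLASSIFY --set-class 1:20
}

all_rules() { shaper_rules; classify_rules; }

all_rules
```

Because the byte counter is per connection, a client that opens many parallel connections or restarts the transfer gets a fresh allowance each time, which is the limitation the original question already acknowledges.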


Re: [LARTC] Doubt regarding priority of classes with HTB

2005-01-18 Thread Tóth Nándor
Hi!

sanjeev ravindran wrote:
> Hi,
>
> I'm a bit confused with the priority of different classes with HTB. How it will 
> be? Will the class with lowest no: have maximum priority?
>
> Any help is most appreciated,
> Thanks in advance,
> Sanjeev

http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio

"Priorizing traffic has two sides. First it affects how the excess 
bandwidth is distributed among siblings. Up to now we have seen that 
excess bandwidth was distibuted according to rate ratios. Now I used 
basic configuration from chapter 3 (hierarchy without ceiling and 
bursts) and changed priority of all classes to 1 except SMTP (green) 
which I set to 0 (higher).
From sharing view you see that the class got all the excess bandwidth. 
The rule is that classes with higher priority are offered excess 
bandwidth first. But rules about guaranted rate and ceil are still met."

--
Udv,
  Nandor


Re: [LARTC] failover works - but balancing does not

2005-01-18 Thread Tóth Nándor
Hi!

roderick tapang wrote:
> here's the setup (two dsl - same provider)
>
>                   +-> link1
> LAN- linux box  --|         |--internet
>                   +-> link2
>
> the setup is ok in terms of the failover requirement. the other link
> takes over when one is down. however, there is a very noticeable lag
> when both lines are up. i've tried changing the weight value to a
> higher one but the links are still under utilized and some client machines
> playing games or mostly disconnected. taking down one link makes the
> connection ok.
> any suggestions? do i need to patch the kernel?

I was in a situation like yours. Following the lartc howto did not 
result in correct functionality (not the same problems as yours).

I managed to do it using these links:
http://www.ssi.bg/~ja/nano.txt
http://www.ssi.bg/~ja/#routes
I had to read the nano howto about 5 times to understand it.
--
Udv,
  Nandor