[LARTC] QoS with Artificial Intelligence
Hello everyone, it is not the first time I discuss this topic here, but now the time has come to actually do it. My idea is to set up a daemon to run QoS on Linux, with a particularity: add some A.I. capabilities to our system and hence be able to change the QoS "topology" every so often to obtain the maximum performance. I first want to teach the system which parameters I should vary, and hence I would like all of you to tell me which ones you think I should change. Any ideas? Anybody is welcome to join!! :)

___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] University Project: QoS with AI
Hi there guys, I am in the last year of my degree, and as my final project I am interested in doing something about QoS. The thing is, I have a couple of QoS solutions working, and since the beginning I thought it was great, but it lacked some kind of dynamicity. Let me explain myself. I was thinking of creating a classful queue that, based on some parameters (kind of users, bw, packets, etc.), could "learn" in some way the kind of traffic passing through the box and change the parameters of the classes, classifying not only the packets but also the users. For example there could be p2p users, HTTP users, etc., and if the queue itself could create classes for those users, maybe that would increase productivity. What do you think? Am I talking bollocks or does it make some sense? All criticism welcome :)
RE: [LARTC] Odd question about load balancing
I am sorry about my previous email, it was a bit of a mess... Let me explain myself. I have my DSL routers working doing NAT, and I want to set them up as a bridge but doing load balancing. My public IP addresses are XXX.XXX.XXX.1 for DSL 1 and the same ending in .2 for DSL 2. Since I have to put the public IP address on the Linux Ethernet cards, and they both have the same netmask, will load balancing work? I read somewhere they have to be in different subnets in order to work. Am I right? Can I set them in bridge mode?

-----Original Message-----
From: Damion de Soto [mailto:[EMAIL PROTECTED]]
Sent: Monday, 31 May 2004 2:34
To: GoMi
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Odd question about load balancing

Hello GoMi,

> Hello there, i have a very special case about load balancing...
---snip
> And I have the next problem:
> Both routers will have the same IP ADDRESS, and hence they will both be on
> the same network.

I didn't really understand what you were writing about there, but don't you just want to put your DSL routers into some type of 'bridging' mode, and then configure the IP addresses on your Linux router? (You may have to run PPPoE or something on the Linux interfaces.)

> When y set up my load balancing a year ago, I red somewhere both connections
> have to be under different networks, is that right?
> Will load balancing know which interface has to use for each connection??

Unless your ISP(s) is doing incredibly tricky things with routing, you can't have 2 devices on the Internet with the same real IP address.

> Can I set up my dsl routers the way I want them to work??
> Has any body done that???

I still don't really understand what's different between your setup and all the other people who have 2 DSL connections to the Internet.

Regards,
-- 
Damion de Soto - Software Engineer, SnapGear - A CyberGuard Company
email: [EMAIL PROTECTED] | ph: +61 7 3435 2809 | fax: +61 7 3891 3630
Custom Embedded Solutions and Security Appliances | web: http://www.snapgear.com
Free Embedded Linux Distro at http://www.snapgear.org
[LARTC] Odd question about load balancing
Hello there, I have a very special case about load balancing... Here is my setup:

                               +-------------+
                          +----| ADSL ROUTER |----\
         +--------------+ |if1 +-------------+     \
Local ---| Linux router |-+                       ( Internet )
network  +--------------+ |if2 +-------------+     /
                          +----| ADSL ROUTER |----/
                               +-------------+

My load balancing is working great right now, but I have my DSL routers acting as multiple-user access, and hence doing NAT. Since my Linux box is also doing NAT, I want to connect the DSL routers acting as single-user and hence avoid doing NAT twice per connection.

What I have to do is change the public address on my DSL router to a mix of the mask and the actual public address, and assign the public IP to IF1 (or IF2 in each case).

The problem comes when my public addresses are:
IP1: XXX.XXX.XXX.1
IP2: same but ending in .2
MASK 255.255.255.0

To get the new local address for the router, I have to do the following: (1 AND 0) + 1 for router 1 and (2 AND 0) + 1 for router 2.

And I have the following problem: both routers will have the same IP address, and hence they will both be on the same network.

When I set up my load balancing a year ago, I read somewhere that both connections have to be under different networks; is that right? Will load balancing know which interface it has to use for each connection? Can I set up my DSL routers the way I want them to work? Has anybody done that?

Thank you!!
RE: [LARTC] RV: LATENCY PROBLEMS
I already did that, but thanks. The problem, I think, comes because I have an iplimit of up to 15 parallel TCP connections for each user. The thing is, if a couple of clients open up eMule, Kazaa, etc., they try to open lots of connections, but only 15 are allowed. Hence I think they actually produce a kind of DoS on my server, since lots of connections are trying to be established, but only 15 are allowed. Does that make sense? Is there a way of maybe doing so, but without having this problem? I suppose the kernel treats connections as soon as they arrive, I mean in a FIFO policy. Maybe a policy there would make sense...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Ed Wildgoose
Sent: Tuesday, 18 May 2004 12:52
To: GoMi
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] RV: LATENCY PROBLEMS

> The load balancing is working great, we are doing connection tracking so I
> can mark and hence prioritize interactive traffic and ACKs on the upstream,
> and with ipp2p I mark p2p traffic allocating it under the non-interactive
> queue.
>
> The problem comes when there are more than 70 users or so, when interactive
> traffic stops working at all, or it has a very VERY high latency.

One thought occurs, which is that some P2P protocols apparently misuse the ACKs to send data: http://www.docum.org/stef.coene/qos/faq/cache/49.html

Could this be the cause of some of your problems? Perhaps you should take a closer look at your ACK traffic - you could add an SFQ (or ESFQ?) to that queue? Pop some stats on it and try to find out where it is coming from and try to correlate it with the traffic from that user?

Ed W
RV: [LARTC] RV: LATENCY PROBLEMS
I thought of creating an HTB class for each user, but as you said I haven't got enough bw to do so. That's why my setup only has 5 classes with WRR queues, so I make sure each user doesn't affect the other users. On top of that I have an iplimit of a maximum of 15 parallel connections per user. So I draw the following conclusions: A) change link, B) upgrade to kernel 2.6 and use l7 filtering. Even so... anyone suggesting alternative solutions?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Andreas Klauer
Sent: Saturday, 15 May 2004 1:54
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] RV: LATENCY PROBLEMS

On Friday 14 May 2004 23:59, Jason Boxman wrote:
> > Anyway - even if I weren't using IPP2P, P2P traffic wouldn't really
> > matter since I put all traffic into user classes. So the only person
> > who's suffering would be the P2P user. And I don't really care about
> > that. ;-)
>
> Interesting. How did you accomplish that?

It's nothing special. Each user gets his/her own HTB class. No matter what kind of traffic the user generates (interactive, P2P, ...), it shouldn't affect the other users. This works well in small networks. It wouldn't work well if I had to create 500 classes for an ADSL line, because the guaranteed rates per user would be too low.

> So right now each user is getting a prio disc?

It looks like this: http://www.metamorpher.de/files/fairnat_ipp2p.png (warning, big image: ~5000x2000 pixels)

Blue = qdisc, Green = class; Blue arrow = filter. Please note that 1:3 is a class for local LAN traffic. The others are user classes. Every user gets a prio qdisc with 4 bands (4th band for P2P, everything else gets classified by the TOS priomap). The prio leaves get SFQ on top. Don't know if that actually makes sense, but it works well for me.

Andreas
RE: [LARTC] RV: LATENCY PROBLEMS
Hi there Roy, first of all, thanks :) I am talking about HTTP, SMTP, POP3 interactive traffic, for example. As I said, my DSL has 300kbit upstream and 2Mbit downstream, and I have an HTB rate of 150kbit and an ingress policer running at 1500kbit for downstream control. That way I can make sure there are no queues either at my ISP or at my DSL modem, and the queues are managed at the Linux box, right? I also have the iplimit module, and each user is limited to 15 parallel connections, so they cannot take all the BW.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Roy
Sent: Friday, 14 May 2004 18:20
To: GoMi; [EMAIL PROTECTED]
Subject: Re: [LARTC] RV: LATENCY PROBLEMS

You did not say what kind of interactive traffic you have, and whether your DSL is capable of holding it. 800 connections should not be a problem for such a CPU, if you are sure you did not saturate your DSL in both directions. And how about HTTP traffic?

Then here is another possibility: even if TCP can be shaped on forward, there is still one problem. If your link is almost full, new TCP connections are not controllable at start. All you can do for now is limit your max rate to 80% of link speed. This problem usually happens when someone is using BitTorrent. That software creates 20 or more connections for each file; each TCP connection initiation takes about 3kb of data which can't be shaped. At first try to limit your link speed to 50% of capacity, then check if it helps to reduce latency. I am working on an IMQ driver with TCP prediction, which should fix some problems.

----- Original Message -----
From: "GoMi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 6:18 PM
Subject: [LARTC] RV: LATENCY PROBLEMS

> Hello there,
> I'm having lots of problems with my setup here. Let me explain:
>
> I am network administrator for my university dorm. We are about 300 users,
> and we have 2 ADSL connections doing load balancing with 300kbit upstream
> and 2Mbit downstream.
>
> The load balancing is working great, we are doing connection tracking so I
> can mark and hence prioritize interactive traffic and ACKs on the upstream,
> and with ipp2p I mark p2p traffic allocating it under the non-interactive
> queue.
>
> The problem comes when there are more than 70 users or so, when interactive
> traffic stops working at all, or it has a very VERY high latency.
>
> I have a setup based on HTB and WRR.
>
> I have only two possible explanations: either the CONNMARK module
> introduces a very high latency when the number of entries in
> /proc/net/ip_conntrack rises above, let's say, 800, or maybe the Ethernet cards I
> have (cheap Ethernet cards) are getting saturated with that amount of traffic.
>
> My server is an AMD Duron 800MHz with 768MB of RAM.
>
> Anyone knowing the marvellous solution? :)
>
> Thank you guys..
[LARTC] RV: LATENCY PROBLEMS
Hello there, I'm having lots of problems with my setup here. Let me explain: I am network administrator for my university dorm. We are about 300 users, and we have 2 ADSL connections doing load balancing with 300kbit upstream and 2Mbit downstream. The load balancing is working great; we are doing connection tracking so I can mark and hence prioritize interactive traffic and ACKs on the upstream, and with ipp2p I mark p2p traffic, allocating it under the non-interactive queue. The problem comes when there are more than 70 users or so, when interactive traffic stops working at all, or it has a very VERY high latency. I have a setup based on HTB and WRR. I have only two possible explanations: either the CONNMARK module introduces a very high latency when the number of entries in /proc/net/ip_conntrack rises above, let's say, 800, or maybe the Ethernet cards I have (cheap Ethernet cards) are getting saturated with that amount of traffic. My server is an AMD Duron 800MHz with 768MB of RAM. Anyone knowing the marvellous solution? :) Thank you guys..
[LARTC] WRR and masq
Hi there, I have a question regarding WRR. I have a box with 2 Ethernet cards, I am doing NAT, and I have a question. Since I am shaping egress traffic, and that is done after NATting, if I use WRR with the src and masq options, will it get the real source address, or, since the egress QoS is done after NATting, will it get the source address of Ethernet 1?? Anyone?
RE: [LARTC] limiting p2p
Thank you Mike, it's doing great right now. I didn't notice it in my script. Thank you ;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mike Miller
Sent: Wednesday, 04 February 2004 17:58
To: GoMi
Cc: [EMAIL PROTECTED]
Subject: RE: [LARTC] limiting p2p

> iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
> iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2

There is no need to use --ipp2p and --ipp2p-data on one box. Use --ipp2p only; this should be sufficient for most systems. But IPP2P should work with this ruleset anyway. Please do me a favour and remove both rules containing string matches from your ruleset, let it run for a while and give me the full output of "iptables -t mangle -L -n -v -x". I guess you're using Kazaa? Is it a (NAT) router or a bridge?

Regards, Mike
RE: [LARTC] limiting p2p
I forgot to tell you, I am doing load balancing with 2 DSL connections and also doing NAT on my machine..
RE: [LARTC] limiting p2p
There it goes, btw.. thank you very much ;)

Chain PREROUTING (policy ACCEPT 26236333 packets, 12882098667 bytes)
    pkts     bytes  target    prot opt in    out  source     destination
  249121  26462887  CONNMARK  all  --  eth2  *    0.0.0.0/0  0.0.0.0/0   CONNMARK restore
  142502  21317691  ACCEPT    all  --  eth2  *    0.0.0.0/0  0.0.0.0/0   MARK match !0x0
      2414682       MARK      icmp --  eth2  *    0.0.0.0/0  0.0.0.0/0   MARK set 0x4
       0         0  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   ipp2p v0.5a --ipp2p MARK set 0x2
      27      1296  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1214 MARK set 0x2
       3       144  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp dpt:2234 MARK set 0x2
     43833099       MARK      udp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   udp dpt:53 MARK set 0x1
    6712    321889  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80 STRING match !X-Kazaa MARK set 0x1
       0         0  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp dpt:25 MARK set 0x1
   98629   4733897  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp dpts:0:1024 MARK set 0x1
    2746    133990  MARK      udp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   udp dpt:!53 MARK set 0x2
      95      4560  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1863 MARK set 0x1
       0         0  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp spt:80 MARK set 0x5
    4622    221848  MARK      all  --  eth2  *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0 MARK set 0x2
  106580   5143324  CONNMARK  all  --  eth2  *    0.0.0.0/0  0.0.0.0/0   CONNMARK save
  103317   4959216  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp flags:0x16/0x02 MARK set 0x3
      15       601  chkack    tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   tcp flags:0x16/0x10
  106556   5142172  chgtos    all  --  eth2  *    0.0.0.0/0  0.0.0.0/0

Chain INPUT (policy ACCEPT 116314 packets, 17066648 bytes)
    pkts     bytes  target    prot opt in    out  source     destination

Chain FORWARD (policy ACCEPT 39662528 packets, 15020457598 bytes)
    pkts     bytes  target    prot opt in    out  source     destination

Chain OUTPUT (policy ACCEPT 127443 packets, 41248573 bytes)
    pkts     bytes  target    prot opt in    out  source     destination

Chain POSTROUTING (policy ACCEPT 32254661 packets, 14698686461 bytes)
    pkts     bytes  target    prot opt in    out  source     destination

Chain chgtos (1 references)
    pkts     bytes  target    prot opt in    out  source     destination
   99134   4770212  TOS       all  --  *     *    0.0.0.0/0  0.0.0.0/0   CONNMARK match 0x1 TOS set 0x10
    7398    357278  TOS       all  --  *     *    0.0.0.0/0  0.0.0.0/0   CONNMARK match 0x2 TOS set 0x08
       0         0  TOS       all  --  *     *    0.0.0.0/0  0.0.0.0/0   CONNMARK match 0x3 TOS set 0x10
       0         0  TOS       all  --  *     *    0.0.0.0/0  0.0.0.0/0   CONNMARK match 0x5 TOS set 0x02
  106556   5142172  RETURN    all  --  *     *    0.0.0.0/0  0.0.0.0/0

Chain chkack (1 references)
    pkts     bytes  target    prot opt in    out  source     destination
      15       601  MARK      all  --  *     *    0.0.0.0/0  0.0.0.0/0   length 0:128 MARK set 0x3
       0         0  MARK      all  --  *     *    0.0.0.0/0  0.0.0.0/0   length 128:65535 MARK set 0x2
      15       601  RETURN    all  --  *     *    0.0.0.0/0  0.0.0.0/0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mike Miller
Sent: Wednesday, 04 February 2004 17:58
To: GoMi
Cc: [EMAIL PROTECTED]
Subject: RE: [LARTC] limiting p2p

> iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
> iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2

There is no need to use --ipp2p and --ipp2p-data on one box. Use --ipp2p only; this should be sufficient for most systems. But IPP2P should work with this ruleset anyway. Please do me a favour and remove both rules containing string matches from your ruleset, let it run for a while and give me the full output of "iptables -t mangle -L -n -v -x". I guess you're using Kazaa? Is it a (NAT) router or a bridge?

Regards, Mi
RE: [LARTC] limiting p2p
Here is my config:

iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -i eth2 -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -i eth2 -A PREROUTING -p icmp -j MARK --set-mark 4
iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 1214 -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -p tcp -m string --string X-Kazaa -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 2234 -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 80 -m string ! --string X-Kazaa -j MARK --set-mark 1
iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
iptables -t mangle -i eth2 -A PREROUTING -p udp --dport ! 53 -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 1863 -j MARK --set-mark 1
iptables -t mangle -i eth2 -A PREROUTING -p tcp -d 0/0 --sport 80 -j MARK --set-mark 5
iptables -t mangle -i eth2 -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --save-mark

ipt_ipp2p 2656 0 (unused)

That's my module working...

    pkts     bytes  target    prot opt in    out  source     destination
       0         0  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   ipp2p v0.5a --ipp2p MARK set 0x2
       0         0  MARK      tcp  --  eth2  *    0.0.0.0/0  0.0.0.0/0   ipp2p v0.5a --ipp2p-data MARK set 0x2

And my rules. There are 100 users, all using p2p, but I have it restricted under my firewall, though some get access through port 80... I am currently downloading, and for a day or so, no traffic recognized at all... I have no messages in my syslog or messages files at all...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mike Miller
Sent: Wednesday, 04 February 2004 14:32
To: [EMAIL PROTECTED]
Subject: RE: [LARTC] limiting p2p

> Hi there, i am having really big troubles setting up ipp2p. I have a
> woody with kernel upgraded to 2.4.20 and iptables 1.2.8. I changed the
> makefile to include these modifications, but still it captures no
> traffic at all.. Do i need to run it under 2.4.18?

Well, for us it was working with all kernels from 2.4.18 on. We are currently struggling with problems with 2.4.24, but not sure if this is a kernel issue since we got a whole new box - investigation will take place soon.

First of all: are you sure there is any P2P traffic occurring at your link? Is the IPP2P rule put at the correct place (PREROUTING of mangle, for example)? Go to the http://rnvs.informatik.uni-leipzig.de/ipp2p/ documentation page - there are a couple of examples of how to use IPP2P. If this doesn't help, come back to me with your setup and ruleset - maybe traffic is accepted somewhere else before IPP2P comes into play.

Regards, Mike.
RE: [LARTC] limiting p2p
Hi there, I am having really big troubles setting up ipp2p. I have a woody with the kernel upgraded to 2.4.20 and iptables 1.2.8. I changed the makefile to include these modifications, but still it captures no traffic at all.. Do I need to run it under 2.4.18?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED]
Sent: Wednesday, 04 February 2004 0:53
To: [EMAIL PROTECTED]
Subject: RE: [LARTC] limiting p2p

> Now I'm testing ipt_ipp2p netfilter 3rd module
> You can reach it at:
> http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

Thanks for making this public. I just forgot about posting the link to the list :-)

> But I haven't tested ipt_ipp2p module strongly
> with a large LAN

Well, we ran it on a campus network for about 6 weeks without any issue. Some results of our delay investigations are coming soon - the first graphs look not too bad (0.1-1ms average delay introduced by the bridging firewall).

Cheers, Mike.
RE: [LARTC] adsl on/off
Read the Nano-HOWTO, you might find some info... That's only for multipath gateways, but... :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Eddie
Sent: Monday, 02 February 2004 12:20
To: lartc
Subject: [LARTC] adsl on/off

Good day all

Now I'm from South Africa; here we have ADSL router/modems. You set the router to do the dial-up and authentication and then set it as your gateway box's gateway. Now sometimes the link gets dropped and is off for a while. Is there any way, for Linux, my gateway, of letting me know that the link was/is down? Note that the box is not dialing, so there is no adsl-status. What I NEED to do is be able to know if the link is down, and if the link is down use a modem dial-up, and when the link gets back up stop the modem. Any ideas?

Thanks
[LARTC] Problems with ipp2p module not marking packets at all
Hi there folks :) I installed the ipp2p module v0.5a (I had 0.4 as well) to classify p2p traffic. I have it loaded and working:

Module      Size  Used by    Not tainted
ipt_ipp2p   2656  2

And I have the CONNMARK module to mark traffic:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2
# OTHER MARKING DONE FOR INTERACTIVE TRAFFIC
iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

I have the qdiscs attached with HTB (working fine) and filters to classify marks (also working). But the output of "iptables -t mangle -L -n -v -x" shows this for ipp2p:

    pkts     bytes  target    prot opt in   out  source     destination
   14097   4339998  CONNMARK  all  --  *    *    0.0.0.0/0  0.0.0.0/0   CONNMARK restore
   10067   4144428  ACCEPT    all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match !0x0
       6       504  MARK      icmp --  *    *    0.0.0.0/0  0.0.0.0/0   MARK set 0x4
       0         0  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   ipp2p v0.5a --ipp2p MARK set 0x2
       0         0  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   ipp2p v0.5a --ipp2p-data MARK set 0x2
      14       912  MARK      udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:53 MARK set 0x1
     43420812       MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80 MARK set 0x1
       0         0  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:25 MARK set 0x2
    3522    169036  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpts:0:1024 MARK set 0x1
      10      2198  MARK      udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:!53 MARK set 0x2
       5       240  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1863 MARK set 0x1
       0         0  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1214 MARK set 0x2
       2        80  MARK      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp spt:80 MARK set 0x5
     47122600       MARK      all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0 MARK set 0x2
    4030    195570  CONNMARK  all  --  *    *    0.0.0.0/0  0.0.0.0/0   CONNMARK save

Anyone with an idea why the hell it is not recognizing traffic at all??

Thank you!!
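The zero counters on the ipp2p rules above can be reproduced without a kernel. The chain restores the connmark and then ACCEPTs every packet that is already marked before the ipp2p rule is reached, so ipp2p only ever sees the first packet of each connection, and for TCP that is a SYN with no payload for a pattern matcher to inspect. Whatever the port rules decide on that SYN gets saved as the connmark and is restored for every later packet. The counters in the output above fit this: the rules after the ACCEPT are reached only by the first packet of each connection. The Python model below is an added example, not code from this thread or from the ipp2p project. It replays the posted rule order on a constructed Kazaa-over-port-80 flow (the real ipp2p matcher is replaced by an assumed marker string, and the DNS, SMTP and ICMP rules are left out), then shows a reordered chain in which the payload matcher runs on every packet before the early ACCEPT, so a flow first classed as interactive by its port can still be demoted once P2P payload appears.

```python
"""
Replay of the posted mangle/PREROUTING rule order, to show why the ipp2p
rules never count a packet. Added example, not code from the thread or the
ipp2p project: rules are (name, match, target) triples, traversal is done
in Python, and ipp2p is replaced by a stand-in that looks for a constructed
marker string.
"""
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes = b""
    mark: int = 0        # nfmark: every packet starts at 0

@dataclass
class Conn:
    mark: int = 0        # connmark: shared by all packets of the flow

P2P_MARKER = b"X-Kazaa-"   # assumed stand-in for what ipp2p would match

def ipp2p(pkt, conn):
    """Stand-in for '-m ipp2p --ipp2p': needs payload to match anything."""
    return pkt.proto == "tcp" and P2P_MARKER in pkt.payload

def tcp_dport(port):
    return lambda pkt, conn: pkt.proto == "tcp" and pkt.dport == port

def any_pkt(pkt, conn):
    return True

# Targets. MARK and CONNMARK are non-terminating; ACCEPT ends the chain.
def restore_mark(pkt, conn):
    pkt.mark = conn.mark

def save_mark(pkt, conn):
    conn.mark = pkt.mark

def accept(pkt, conn):
    return "ACCEPT"

def set_mark(value):
    def target(pkt, conn):
        pkt.mark = value
    return target

# The posted order: restore, accept anything already marked, then classify.
POSTED_CHAIN = [
    ("CONNMARK --restore-mark", any_pkt, restore_mark),
    ("mark != 0 -> ACCEPT", lambda p, c: p.mark != 0, accept),
    ("ipp2p -> MARK 2", ipp2p, set_mark(2)),
    ("tcp dport 80 -> MARK 1", tcp_dport(80), set_mark(1)),
    ("mark == 0 -> MARK 2", lambda p, c: p.mark == 0, set_mark(2)),
    ("CONNMARK --save-mark", any_pkt, save_mark),
]

# Reordered: run the payload matcher on every packet before the early ACCEPT
# and persist its verdict, so a flow first classed by port can still be
# demoted once P2P payload shows up.
FIXED_CHAIN = [
    ("CONNMARK --restore-mark", any_pkt, restore_mark),
    ("ipp2p -> MARK 2", ipp2p, set_mark(2)),
    ("ipp2p -> CONNMARK --save-mark", ipp2p, save_mark),
    ("mark != 0 -> ACCEPT", lambda p, c: p.mark != 0, accept),
    ("tcp dport 80 -> MARK 1", tcp_dport(80), set_mark(1)),
    ("mark == 0 -> MARK 2", lambda p, c: p.mark == 0, set_mark(2)),
    ("CONNMARK --save-mark", any_pkt, save_mark),
]

def run_chain(chain, pkt, conn, counters):
    """Walk one chain for one packet, counting hits per rule the way
    'iptables -L -v' does; stop at the first terminating target."""
    for name, match, target in chain:
        if match(pkt, conn):
            counters[name] = counters.get(name, 0) + 1
            if target(pkt, conn) == "ACCEPT":
                return

def classify_flow(chain, packets):
    """Push a whole flow through the chain. Returns (per-packet marks,
    final connmark, rule hit counters)."""
    conn, counters, marks = Conn(), {}, []
    for pkt in packets:
        run_chain(chain, pkt, conn, counters)
        marks.append(pkt.mark)
    return marks, conn.mark, counters

def kazaa_over_port_80():
    """Constructed flow: a P2P client talking to port 80. The SYN carries no
    payload, so only the later packets could ever match ipp2p."""
    return [
        Packet("tcp", 80),                                     # SYN, no data
        Packet("tcp", 80, b"GET /.hash=abc HTTP/1.1\r\n"
                          b"X-Kazaa-Username: someone\r\n"),   # P2P signature
        Packet("tcp", 80, b"\x00" * 1400),                     # bulk data
    ]

if __name__ == "__main__":
    for label, chain in (("posted", POSTED_CHAIN), ("fixed", FIXED_CHAIN)):
        marks, connmark, hits = classify_flow(chain, kazaa_over_port_80())
        print(f"{label}: marks={marks} connmark={connmark} "
              f"ipp2p hits={hits.get('ipp2p -> MARK 2', 0)}")
```

With the posted order the whole flow stays at mark 1 (interactive) and the ipp2p rule is never hit; with the reordered chain the second packet is reclassified to mark 2, the new connmark is saved, and every later packet inherits it. The price of the reorder is a payload match on every packet instead of once per connection, which is what it takes to catch P2P that hides on port 80, since the `--dport 80` rule otherwise pins the connection to the interactive class on its SYN.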
[LARTC] Maximum number of paralel connections
I was wondering, most p2p programs are bandwidth wasters, because they open lots of parallel connections. I have 5 queues to prioritize traffic, but these p2p programs open thousands of connections and my system gets REALLY HIGH latency. Does anybody know, by any means, for a DSL connection, the number of parallel connections for a good rate of utilization? That way I can limit with netfilter the number of parallel connections assigned to each user. Just wondering... :)
[LARTC] QoS not working
I have a setup based on HTB and SFQ qdiscs. When more than 100 users get connected to my LAN, my Internet setup works considerably badly.

- I have a Linux box with 1 eth card going to my switch (where the hubs connect to) and two eth cards going to both ADSL lines (2Mbit each) doing load balancing.
- My question is: is there a possibility the single eth card can't cope with all the load? I have found no answers.

My setup: my ADSL lines are 2Mbit down / 300kbit up, but I only let each eth card send 150kbit to each ADSL router to avoid collapse during high load.

# several of the lines below were cut at the right margin when posted
DEV=eth1
tc qdisc add dev ${DEV} handle 1: root htb default 20
# root class hangs off the qdisc (the post had "parent 1:1" here; a class cannot be its own parent)
tc class add dev ${DEV} parent 1: classid 1:1 htb rate 150kbit burst 6k
## Interactive traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 50kbit ceil 150kbit b
tc qdisc add dev ${DEV} parent 1:10 handle 10: sfq perturb 10
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw classid 1:10
## Non-interactive traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 100kbit qu
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw classid 1:20
tc filter add dev ${DEV} protocol ip parent 1:0 handle 6 fw classid 1:20
## SYN,ACK traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 100kbit qu
tc qdisc add dev ${DEV} parent 1:30 handle 30: sfq perturb 10
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw classid 1:30
## ICMP traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500 bur
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw classid 1:40
[LARTC] Shaping p2p programs
Hi there, I am going to explain you my setup and post you my scripts in case they are of any help to anybody :) This mail is a little long, but I think the only way you can understand me is writing you my whole code..

1.- I have two ADSL connections connected through ethernet cards eth0 and eth1 to the routers
-Both ADSL are 2Mbit downstream / 300kbit upstream
-eth2 goes to my 200 users LAN.
2.- I am doing load balancing (that works great)
3.- I have a mail and web server redirected to eth0's ADSL.
4.- My QoS setup attached to eth0 and eth1
1 Qdisc for high-priority traffic (mark 1)
1 Qdisc for low-priority traffic (mark 2)
1 Qdisc for SYN,ACK traffic (mark 3)
1 Qdisc for ICMP traffic (mark 4)
1 Qdisc for Web-server traffic (mark 5)
->Scripts below
5.- Since I am doing load balancing I have a stateful firewall as explained in Nano HOWTO
->Firewall scripts below
6.- Use the mangle table to mark packets and redirect them to the Qdisc

Let me explain my reasoning:
I want to mark interactive traffic like HTTP, SMTP, etc to mark 1
Mark DNS traffic and MSN Messenger (dport 1863) to interactive high priority mark 1
Mark p2p programs with the ipp2p module to mark p2p programs to mark 2 (dport 1214 is Imesh)
In order to make sure ACKs and SYN traffic is going out properly I have a special qdisc
If any traffic is unmarked, mark it as low-priority
->Mangle setup below

>PROBLEM: The problem comes after having this setup running for an hour or so, when interactive traffic has VERY HIGH latency, or nearly dies. Anybody having more or less a similar setup, because I am driving mad here! Any suggestions are welcome :) Thank you very much!

My BOX is an athlon 900MHz with 1GB ram:
cat /proc/sys/net/ipv4/ip_conntrack_max
57336
txqueuelen on all eth cards is 100.

> SCRIPTS

IPTABLES MANGLE Table

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient' -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN -j MARK --set-mark 3
iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
# anything still unmarked goes to low priority
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j MARK --set-mark 2

Script for QoS attached to eth0

#!/bin/bash
DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 10
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit

## Interactive traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

## Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30

## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

## Web-Server Traffic
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev
[LARTC] Load balancing and high availability, but when a link fails, the whole thing stops working
Hi there, I have a setup based on high availability and load balancing, and when any of the ADSL lines stops working, the kernel does not recognise that the route is down, and my clients only get access to the internet if they are luckily NATed through the other ADSL. I have the script running every minute pinging both ADSLs, but it does not work. ANYONE?
[LARTC] Splitting connections between 2 different ADSL lines
I was wondering this morning, why instead of having load balancing, use one ADSL router just for interactive traffic, and a second one just for p2p programs for example? Has anybody ever used this setup? Wouldn't NAT get crazy? Just a thought...
[LARTC] MSN messenger 6 keeps disconnecting after a few minutes
Hi there, I actually already told you about this problem, but I can't find a way to solve it. Let me explain myself again:

- I have 2 DSL connections, so I do load balancing.
- My QoS setup is based on htb on both ethernets:

iptables -t mangle -N msn
iptables -t mangle -A msn -m string --string 'x-msn' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string 'MSNMSGR' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string 'Content-Type: text/x-msmsgscontrol.' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string '@hotmail.com' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string 'MSG' -j MARK --set-mark 2
iptables -t mangle -A msn -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j msn
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

That goes through a filter to the attached qdisc.

When my users begin to use MSN Messenger, after a while (5 minutes or so) the program automatically disconnects. This is worse depending on the hour of the day, and hence depending on the amount of users on my network. I have an average of 60 users during noon time, and an average of 25 during daytime. When 60 users are accessing the net through this QoS, the problem gets really bad.

I thought that might be because the box was only running with 64Mb RAM and could not handle many tcp connections at once, and so I added another 128 so the number of tcp_max_conntrack connections went from 6000 to 12000. But it made no difference.

Does anybody have any idea? Or how could I investigate this? Is it maybe because Linux thinks the connection is lost and hence closes down the socket? Anybody? Thank you!!
[LARTC] Bridge with load balancing
I have a question here, I am wondering about changing my setup. I have a Linux firewall doing QoS and load balancing with 3 ethernets. I have two DSL connections running at 2Mbit each. So, I was wondering, can I change this setup to set up two bridges on top of the ethernets connected to the DSL routers and still be capable of doing load balancing?
[LARTC] MSN Messenger automatically disconnects
I am doing traffic shaping with HTB, and my MSN Messenger version 6 automatically disconnects every 5 minutes or so. Anybody had the same problem? I am driving myself mad. Thank you!
Re: [LARTC] imq + htb =~/kazaa/
I have no idea what you are talking about, since I never saw that email. If you want to filter traffic, analyze the packet contents, searching for a string common on KaZaA packets and HTTP traffic packets, so you can mark them and hence redirect them to the correct queue. Get what I say?
Re: [LARTC] doubt about Load Balancing
I am using load balancing. As far as I know, since both links have different public IPs, a connection has to go through the same router. A connection means an HTTP request to download a page, an FTP connection, telnet, etc.. It has to go through the same router because it needs to have the same public IP, and hence the destination knows who to reply to. A single host can have multiple connections simultaneously. What you need is to read the Nano-howto; there you will find all your answers. What you want is easily done with a script that pings both routers every minute or so, so the kernel knows if it's alive or not. The nano howto is about high availability. Good Luck!
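The gateway-probing script that this reply and the earlier "when a link fails" post talk about, as an added example that is not part of the original posts: it pings each ADSL gateway from its own interface, rewrites the multipath default route in table 222 with only the gateways that answered, and flushes the route cache so cached decisions stop pointing at a dead router. The table number and the gateway/interface pairs (192.168.3.3 via eth2, 192.168.4.1 via eth0) are taken from the routing script posted later on this page; the file name gwcheck.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original posts: rebuild the multipath default
# route in table 222 so that only gateways that still answer pings are used.
# Assumed from the routing script posted on this page: table 222 holds the
# multipath default route, ADSL1 is 192.168.3.3 via eth2 and ADSL2 is
# 192.168.4.1 via eth0. Run from cron every minute as root: sh gwcheck.sh run
GW1=192.168.3.3; DEV1=eth2
GW2=192.168.4.1; DEV2=eth0
TABLE=222

# Probe one gateway from the interface that faces it: three echo requests,
# two seconds per reply. Prints 1 when at least one reply came back, else 0.
link_up() {
    if ping -c 3 -W 2 -I "$2" "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Build the nexthop list for "ip route replace default ..." from two link
# states (1 = up, 0 = down). Pure string function so it can be checked
# without root; prints an empty string when both links are down.
nexthop_args() {
    args=""
    [ "$1" = 1 ] && args="$args nexthop via $GW1 dev $DEV1"
    [ "$2" = 1 ] && args="$args nexthop via $GW2 dev $DEV2"
    echo "${args# }"
}

# Replace the default route in table 222 with the live gateways only.
# "replace" swaps the route in one step, avoiding the window that a
# del-then-add sequence leaves; flushing the cache drops cached decisions
# that still point at the dead gateway (old kernels cached multipath picks).
apply_route() {
    args=$(nexthop_args "$1" "$2")
    if [ -z "$args" ]; then
        echo "both gateways down; leaving table $TABLE unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086
    ip route replace default table "$TABLE" proto static $args || return 1
    ip route flush cache
}

if [ "${1:-}" = run ]; then
    apply_route "$(link_up "$GW1" "$DEV1")" "$(link_up "$GW2" "$DEV2")"
fi
```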
[LARTC] Problem with iptables and CONNTRACK
I know this is not the right place to ask this question, but I have a stateful firewall and I am doing CONNTRACKING to mark the tcp connections, and then with filters based on fw marks put them in the right qdisc. The problem is that I have an uplink bandwidth of 300kbit restricted to 250kbit by the htb class.

Here is my script to mark my traffic with qdiscs:

DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 20
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit

## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

## Non Interactive
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

## ICMP
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

## Web-Server
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

and here is my mangle setup

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j kazaa
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j marks
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

marks and kazaa are just -j MARK according to the traffic.

I am monitoring at which speed each class is sending data, and it only goes up to 10KB altogether.. Does anybody know why it is not going up to at least 20-23 KB? I am going crazy! :)

Interactive traffic goes quite well actually, but since I am getting so low uplink speed, I suppose I am not getting a good usage of the downlink traffic, maybe because it does not send ACK packets quickly enough. Anybody willing to help? :)
Re: [LARTC] Questions regarding CONNMARK
A question here, I am having problems shaping the ACKs, due to p2p programs. How can I do the --restore-mark on a full connection, including ACKs? I have really no idea how...
Re: [LARTC] Questions regarding CONNMARK
I still don't get it.. I think it's like this, correct me if I am wrong: When a connection is new, a number is given to it and hence we know how to DNAT it when the response comes. That mark has nothing to do with the mark given by the MARK value, hence -j CONNMARK --save-mark will save that number, then I can mark the packet with MARK, and then I have to reset the connmark with --reset-mark. Is that right? What I want to do is mark all KaZaA connections since the beginning with a mark 5 for example.. but I am beginning to get messed up :)
[LARTC] Questions regarding CONNMARK
Hi there, I have some questions regarding the CONNMARK and STRING modules for netfilter. I have a stateful firewall doing conntracking, because I have two DSL connections doing load balancing. I have found a way to discriminate KaZaA traffic flowing via port 80 from normal HTTP traffic using the string match. I want to mark a KaZaA connection and filter it to a specific qdisc. I have been looking for info about CONNMARK, but I can't find any HOWTO to explain how it works. Anyone can help me out here? Thank you!
[LARTC] Queues seem to stop working after an hour, and it collapses, no idea why!
Hello, this is my first message to the board, so please excuse me if I am omitting any pre-established rule ;) Let me explain you my problem..

I have 300 users, students, which automatically means Edonkey, KaZaA, and most of these peer to peer sharing programs. I actually have 2 x 2Mbit ADSLs. My solution includes load balancing for those 2 inet accesses with a Linux firewall separating both routers and my LAN. Right now I have a stateful firewall doing connection tracking (required for load balancing), DROPPING all connections but web/smtp/pop3/https/imap etc. That works fine, but people want to use p2p programs.

After doing my research, I found out about QoS and ingress/egress queues. My idea was to prioritize critical traffic like http/smtp/pop3/ssh/etc.., granting bandwidth and leaving the rest to downloads (having these the possibility of ceiling bw as well). I have two egress and two ingress queues attached to the ethernets connected to the routers. Ingress is done with IMQ, and egress with HTB.

At first it seems to work really well, but after half an hour having it working, INTERACTIVE TRAFFIC COLLAPSES, and looks as if there are no queues, hence interactive traffic is not interactive anymore.. :) I read somewhere that to decrease latency I had to set the txqueuelen from 100 to 30, but it still collapses... I have noticed using iptraf that the number of packets arriving to the LAN-eth (eth3 in my little sketch) is about 30% bigger than the sum of eth0 and eth2, is that normal?

I attach the configuration files of both the firewall and the queues... And a little graphical description of my topology (obviously doing SNAT and LB :)).

[Topology sketch; the ASCII diagram did not survive extraction. Labels recovered from it: Switch <-> eth3 (192.169.1.1) on the Linux Box; eth0 and eth2 on the Linux Box <-> Router ADSL1 (192.168.3.5 / 192.168.3.6) and Router ADSL2 (192.168.4.2 / 192.168.4.1).]

I am really desperate, because it has been a month right now, and I am beginning to suspect I am a bit of a fool ;) Thank you very much!!

#killall adslrunning
#/usr/local/bin/adslrunning &
#/usr/local/bin/adsl/shaper/1
#/usr/local/bin/adsl/shaper/2
ip rule del from 192.168.2.0/24
ip rule del prio 50
ip rule del from 192.168.3.0/24 prio 201
ip rule del from 192.168.4.0/24 prio 202
ip rule del prio 222
ip rule del from 192.168.2.252
ip rule del from 192.168.2.20
ip rule del from 192.168.0.0/24
ip route del default table main
ip rule add prio 50 table main
ip rule add prio 201 from 192.168.3.0/24 table 201
ip route add default via 192.168.3.3 dev eth2 src 192.168.3.5 proto static table 201
ip route append prohibit default table 201 metric 1 proto static
ip rule add prio 202 from 192.168.4.0/24 table 202
ip route add default via 192.168.4.1 dev eth0 src 192.168.4.2 proto static table 202
ip route append prohibit default table 202 metric 1 proto static
ip rule add prio 222 table 222
ip route add default table 222 proto static nexthop via 192.168.3.3 dev eth2 nexthop via 192.168.4.1 dev eth0

##
## Firewall for CMU CHAMINADE
##
VLAN0=192.168.0.0/255.255.255.0
VLAN1=192.168.1.0/255.255.255.0
VLAN2=192.168.2.0/255.255.255.0
VLAN3=192.168.3.0/255.255.255.0
VLAN4=192.168.4.0/255.255.255.0
##
## First we flush all the rules
##
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
echo Limpiando reglas...
##
## We accept all connections
## except those from our network
##
/sbin/iptables -t filter -P FORWARD ACCEPT
##
## SNAT
##
/sbin/iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/255.255.0.0 -j SNAT --to 192.168.3.5
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/255.255.0.0 -j SNAT --to 192.168.4.2
###
## Force the users to go through the proxy
##
# /sbin/iptables -t nat -A PREROUTING -s $VLAN2 -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 8080
# /sbin/iptables -t nat -A PREROUTING -s $VLAN0 -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 8080
# /sbin/iptables -t nat -A PREROUTING -s $VLAN1 -i eth3 -p tcp --dport 80 -j REDIRECT --to-ports 8080
###
## Do not allow them to use another proxy
##
# /sbin/iptables -A FORWARD -s $VLAN0 -d ! 192.168.1.1 -p tcp --dport 3128 -j DROP
# /sbin/iptables -A FORWARD -s $VLAN0 -d ! 192.168.1.1 -p tcp --dpo