[LARTC] zph patch website broken ?

2006-12-21 Thread LinuXKiD

Hi, 

I used to patch my squid with ZPH patch on

http://www.it-academy.bg/zph/

> The idea behind this patch is to allow classification 
> of packets generated from the squid cache engine towards 
> clients. 
> The classification is based on whether the content is 
> being served from cache (a cache HIT), or 
> is being retrieved from a remote server (a cache MISS).

Very useful patch!

However, for some time now I can't reach the above link...

If Marin or somebody sees this mail, please be advised that the
web site is offline.

Is hosting the problem?

best regards
Andres.








___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Now to make only Traffic Priority

2006-08-28 Thread LinuXKiD
try IMQ

http://www.linuximq.net/

regards.

andres



-> -Original Message-
-> From: [EMAIL PROTECTED]
-> [mailto:[EMAIL PROTECTED] On Behalf Of Marek Kierdelewicz
-> Sent: Saturday, 26 August 2006 04:31 a.m.
-> To: lartc@mailman.ds9a.nl
-> Subject: Re: [LARTC] Now to make only Traffic Priority
->
->
-> > Hi to everybody.
->
-> Hi
->
-> > I just want to make priority of certain traffic without shaping the
-> > traffic .
-> > For example SSH and RDP first priority
-> > Mail second priority
-> > WEB and FTP third
->
-> You can make something like that:
-> $TC qdisc add dev $IF1 root handle 1: htb default 40
-> $TC class add dev $IF1 parent 1: classid 1:1 htb rate 100mbit ceil \
-> 100mbit burst 15k prio 1
-> $TC class add dev $IF1 parent 1:1 classid 1:10 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 1
-> $TC class add dev $IF1 parent 1:1 classid 1:20 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 2
-> $TC class add dev $IF1 parent 1:1 classid 1:30 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 3
-> $TC class add dev $IF1 parent 1:1 classid 1:40 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 4
->
-> Then you direct ssh and rdp with filters to the 1:10 class (prio 1
-> means highest prio), mail to 1:20, web+ftp to 1:30 and rest to 1:40.
->
-> It's shaping, but works the way you want it.
->
-> Another solution is using prio qdisc, for what you need to:
-> - set up prio map (tos -> prio)
-> - rewrite tos field of packets in PREROUTING chain of mangle table.
->
-> I never used such solution, only read some theoretical stuff at
-> following site:
-> http://lartc.org/howto/lartc.qdisc.classless.html#AEN659
->
-> --
-> Marek Kierdelewicz
-> Kierownik Działu Systemów Sieciowych, KoBa
-> Manager of Network Systems Department, KoBa
-> tel. (85) 7406466; fax. (85) 7406467
-> e-mail: [EMAIL PROTECTED]






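An added example (editor's code, not from the thread) that turns Marek's HTB hierarchy into a runnable script and adds the u32 filters he leaves to the reader. The interface, link rate, per-leaf rate, the sfq leaf qdiscs and the port lists for "ssh/rdp", "mail" and "web/ftp" are assumptions; with the default DRY_RUN=1 it only prints the tc commands, DRY_RUN=0 applies them as root. HTB needs kernel 2.4.20 or later, so it also fits a 2.4 box.

```shell
#!/bin/sh
# Added example, not from the thread: builds the HTB hierarchy Marek posted
# and the u32 filters that steer traffic into it by TCP port. Interface,
# link rate, leaf rate and the port lists are assumptions. DRY_RUN=1
# (default) prints the tc commands; DRY_RUN=0 applies them (root).

TC=${TC:-/sbin/tc}
DRY_RUN=${DRY_RUN:-1}
LEAF_RATE=${LEAF_RATE:-25mbit}   # guaranteed rate per leaf, as in Marek's post

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# tcp_port_filter DEV CLASSID PORT: classify TCP traffic to and from PORT
tcp_port_filter() {
    dev=$1; cls=$2; port=$3
    run $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip dport "$port" 0xffff flowid "$cls"
    run $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip sport "$port" 0xffff flowid "$cls"
}

# setup_prio_htb DEV RATE: root class at link rate, four leaves with
# HTB prio 1..4 (1 = served first), unclassified traffic lands in 1:40
setup_prio_htb() {
    dev=$1; rate=$2
    run $TC qdisc del dev "$dev" root 2>/dev/null || true
    run $TC qdisc add dev "$dev" root handle 1: htb default 40
    run $TC class add dev "$dev" parent 1: classid 1:1 htb \
        rate "$rate" ceil "$rate" burst 15k
    n=1
    for leaf in 10 20 30 40; do
        run $TC class add dev "$dev" parent 1:1 classid 1:$leaf htb \
            rate "$LEAF_RATE" ceil "$rate" burst 15k prio $n
        # sfq inside each leaf so one bulk flow cannot starve its neighbours
        run $TC qdisc add dev "$dev" parent 1:$leaf handle $leaf: sfq perturb 10
        n=$((n + 1))
    done
    # prio 1: ssh, rdp; prio 2: smtp/pop/imap (+ submission, ssl variants);
    # prio 3: web and ftp; everything else falls to the default class 1:40
    for p in 22 3389; do tcp_port_filter "$dev" 1:10 "$p"; done
    for p in 25 110 143 465 587 993 995; do tcp_port_filter "$dev" 1:20 "$p"; done
    for p in 20 21 80 443; do tcp_port_filter "$dev" 1:30 "$p"; done
}

setup_prio_htb "${1:-eth0}" "${2:-100mbit}"
```

Each port gets two filters (dport and sport) because the qdisc sits on one egress interface and sees both directions of a session only as "to port" or "from port"; the `match ip protocol 6 0xff` keeps UDP on the same port number out of the interactive class. As Marek says, this is still shaping: the leaf `rate` is what a class is guaranteed, `ceil` what it may borrow up to, and `prio` only decides who borrows first.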


RE: [LARTC] Routing packets over multiple links (NICS) all on thesame ISP all with same gateway.

2006-08-17 Thread LinuXKiD

Hi !

Luciano: thanks for your posts on lugmen.org.ar and lartc!

I've read all of them, and I've a question:

What is the difference between this:

-> ip ro add default  NEXTHOP via x.x.x.x dev eth1 weight 1  \ 
NEXTHOP via y.y.y.y dev eth2


and this:

->  ip route add x.x.x.x MPATH RR via y.y.y.y via z.z.z.z

I work with the 2.4 kernel series. Is it convenient to upgrade to 2.6?

Other question about this:

iptables -t mangle -A POSTROUTING -o eth0 -j CONNMARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth1 -j CONNMARK --set-mark 0x2

My problem is that I use CONNMARK's marks in order to mark P2P traffic.
Is there a way to have different marks with CONNMARK?

Thank you!!

Andres.
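The conntrack mark is a 32-bit value, so the routing mark and a P2P flag do not have to compete for it: keep them in separate bit-fields and let CONNMARK's value/mask forms touch only their own bits. The script below is an added example (editor's, not from the thread). Its layout is an assumption: bits 0-7 hold the link the connection was routed over (1 = eth0, 2 = eth1), bit 8 says "looks like P2P". It needs a CONNMARK with `--set-mark value/mask` and `--restore-mark --mask`, the `connmark` match, `ipp2p` (the match Andres already uses) and the `CLASSIFY` target; the P2P class 1:30 and the rule order are also mine. DRY_RUN=1 (default) prints the rules, DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example, not from the thread: keep the routing mark and a P2P flag
# in separate bit-fields of one conntrack mark. Layout (assumption):
# bits 0-7 = outgoing link id (1 = eth0, 2 = eth1), bit 8 = P2P flag.
# Requires CONNMARK with value/mask support, the connmark match, ipp2p
# and the CLASSIFY target. DRY_RUN=1 prints, DRY_RUN=0 applies (root).

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
LINK_MASK=0xff      # bits 0-7: outgoing link id
P2P_FLAG=0x100      # bit 8: P2P flag

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

mangle() { run $IPT -t mangle "$@"; }

setup_marks() {
    # 1. Copy only the link bits into the packet mark before routing, so the
    #    existing "ip rule add fwmark 1 table ..." rules keep matching exactly
    #    (nfmark = (nfmark & ~mask) | (ctmark & mask), nfmark starts at 0).
    mangle -A PREROUTING -j CONNMARK --restore-mark --mask $LINK_MASK
    # 2. Raise the P2P flag without touching the link bits.
    mangle -A PREROUTING -p tcp -m ipp2p --ipp2p \
        -j CONNMARK --set-mark $P2P_FLAG/$P2P_FLAG
    # 3. Record the link chosen by routing in bits 0-7, only once per
    #    connection (link bits still zero), so later packets stay on it.
    mangle -A POSTROUTING -o eth0 -m connmark --mark 0/$LINK_MASK \
        -j CONNMARK --set-mark 0x1/$LINK_MASK
    mangle -A POSTROUTING -o eth1 -m connmark --mark 0/$LINK_MASK \
        -j CONNMARK --set-mark 0x2/$LINK_MASK
    # 4. Shape P2P by the flag alone: CLASSIFY sets skb->priority, which HTB
    #    uses as the class id when no tc filter matches the packet.
    mangle -A POSTROUTING -m connmark --mark $P2P_FLAG/$P2P_FLAG \
        -j CLASSIFY --set-class 1:30
}

setup_marks
```

The two rules in step 3 are the difference from the rules quoted above: `--set-mark 0x1` without a mask rewrites the whole conntrack mark on every packet, wiping the P2P flag, while `0x1/0xff` rewrites only the low byte. `-m connmark --mark 0/0xff` matches "link bits still zero", so the link is recorded on the first packet and not rewritten by reply traffic that leaves on the LAN side.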


RE: [LARTC] Sip Traffic

2006-04-24 Thread LinuXKiD


This post is from Samuel Garcia (thank you).

->
-> I tried it with kernel 2.6.15.x and many pom-ng patches and those modules
-> (conntrack and nat) hang up the system.
->
-> I don't recommend it, at least for now over 2.6.x kernel series.
->
-> Regards
->








->
-> Hi,
-> Why don't you just use the "--helper sip" extension in
-> IPTABLES with ip_conntrack_sip loaded. That would see, and track
-> RTP traffic in the machine.
->
-> Please, if you do send me feed about the module.
-> Thanks.
-> CH.
->
-> Quoting Marius Corici <[EMAIL PROTECTED]>:
->
-> > >Why not just prioritize everything that comes to/from that
-> SIP phone?  So
-> > forget about ports, just prioritize the IP >Address?  Use the
-> IP Address to
-> > identify traffic you want to move with elevated priority.  Just a
-> > thought..> .
-> >
-> > If we got to this, what if the end user is a laptop and wants
-> to do e-mule
-> > too? I am just asking, maybe there is an idea here...
-> >
-> > Marius
-> >
->
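One caveat on the "--helper sip" suggestion quoted above, with an added example (editor's code, not from the thread): the `helper` match looks at the helper of a connection's *master*, so it matches the flows the sip helper expected from the SDP (the RTP streams on their dynamic ports), not the SIP dialogue on udp/5060 itself. SIP therefore still needs a plain port rule. Conntrack runs before the mangle table in PREROUTING (hook priority -200 vs -150), so the helper is already attached when the first packet reaches these rules, and UDP is tracked like any other protocol. The script assumes `ip_conntrack_sip`, the `helper` and `multiport` matches (2.6.18+ mainline, pom-ng on older kernels; see Samuel's report on stability), an HTB class 1:10 on DEV, and the mark value 0x10. DRY_RUN=1 (default) prints, DRY_RUN=0 applies as root.

```shell
#!/bin/sh
# Added example, not from the thread: mark SIP signalling and the RTP flows
# the sip conntrack helper expects from it, then send them to a
# high-priority class. Assumes ip_conntrack_sip and the helper/multiport
# matches, an HTB class 1:10 on DEV and the mark 0x10 (all assumptions).
# DRY_RUN=1 (default) prints, DRY_RUN=0 applies (root).

IPT=${IPT:-/sbin/iptables}
TC=${TC:-/sbin/tc}
DRY_RUN=${DRY_RUN:-1}
VOIP_MARK=0x10

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# setup_voip_marks DEV: mark SIP + RTP in mangle, classify by fwmark on DEV
setup_voip_marks() {
    dev=$1
    run /sbin/modprobe ip_conntrack_sip
    # SIP signalling: either endpoint on udp/5060 (multiport --ports matches
    # source or destination port). The helper match below does NOT cover it.
    run $IPT -t mangle -A PREROUTING -p udp -m multiport --ports 5060 \
        -j MARK --set-mark $VOIP_MARK
    # RTP: UDP flows on dynamic ports that the sip helper registered as
    # expectations while parsing the SDP carried in the SIP messages.
    # "-m helper" matches the expected (RELATED) connection via its master.
    run $IPT -t mangle -A PREROUTING -m helper --helper sip \
        -j MARK --set-mark $VOIP_MARK
    # fw filter: the packet mark selects the HTB class on egress
    run $TC filter add dev "$dev" parent 1: protocol ip prio 1 \
        handle $VOIP_MARK fw flowid 1:10
}

setup_voip_marks "${1:-eth1}"
```

No CONNMARK is needed here: both rules match every packet of their flow (the port rule by port, the helper rule through the master's helper), so a plain MARK on each packet is enough. If the box shapes on an IMQ device instead of a real interface, attach the fw filter there.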


RE: [LARTC] Sip Traffic

2006-04-21 Thread LinuXKiD


-> About SIP: the traffic does not "jump" at a random port, it is 
-> another type of traffic that you see afterwards, it's the RTP stream.

OK!, Thank you. I understand.

-> SIP is used only for signaling a session hence the name Session 
-> Initiation Protocol. The SIP messages contain the IP Address + 
-> Port where the RTP flow will appear. The RTP might not have the 
-> same IP address as the SIP destination. If you want to 
-> prioritize SIP and RTP you can use your own SIP Proxy (i'm using 
-> SER from www.iptel.org) with somekind of gateway (RTPPROXY may 
-> be just enough for an end user). 

Ok, thank you. I'm a newbie with VoIP.

AFAIK, SER is a router. But I need to prioritize SIP traffic
on my (very) custom Linux 2.4.28 router.
Is there a way to integrate OpenSER with it?

best regards

andres



RE: [LARTC] Sip Traffic

2006-04-21 Thread LinuXKiD

sounds good :-)

BTW, has someone tried the "ip_conntrack_sip" module from netfilter

(in order to match and prioritize VoIP traffic, SIP and RTP)?

thank you




-> -Original Message-
-> From: [EMAIL PROTECTED]
-> [mailto:[EMAIL PROTECTED] On Behalf Of Francisco
-> Sent: Thursday, 20 April 2006 11:19 p.m.
-> To: lartc@mailman.ds9a.nl
-> Subject: Re: [LARTC] Sip Traffic
->
->
-> L7 filter works very well too:
-> http://l7-filter.sourceforge.net/
->
-> Although I didn't try it with sip, I use it to control my P2P and server
-> applications and have a very usable ADSL link at almost 100%
-> utilization of
-> my upstream.
->
->
-> On Tuesday, 18 April 2006 07:45, LinuXKiD wrote:
-> > mmm... interesting
-> >
-> > http://sipx-wiki.calivia.com/index.php/HowTo_configure_iptables
-> >
-> > ip_conntrack_sip
-> >
-> > Someone has tried it ?
-> >
-> > works on 2.4 kernel series ?
-> >
-> > thanks
-> >
-> >
-> >
-> >
-> > ->
-> > ->
-> > -> Hi, I am pretty much a newbie. I found with SIP that if I match
-> > -> ports 5060 and 1 - 2 it works. I noticed on some phones they use
-> > -> 13000 - 14000 and others use 18000 - 19000. There is a new
-> > -> sip-conntrack out although I haven't tried it yet.
-> > ->
-> > -> william
-> > ->
-> > -> -Original Message-
-> > -> From: [EMAIL PROTECTED]
-> > -> [mailto:[EMAIL PROTECTED]
-> > -> On Behalf Of LinuXKiD
-> > -> Sent: 17 April 2006 15:59
-> > -> To: lartc
-> > -> Subject: [LARTC] Sip Traffic
-> > ->
-> > ->
-> > -> Hi.
-> > ->
-> > -> Is there a way to MARK UDP VoIP (SIP) traffic,
-> > -> in order to put it in a highest-prio class?
-> > ->
-> > -> The traffic flow seems to start on UDP port 5060, but
-> > -> next both server and client seem to jump to a
-> > -> random(?) port.
-> > ->
-> > -> I can't use CONNMARK because it is UDP traffic.
-> > ->
-> > -> I only see a pattern for the L7 patch for
-> > -> SIP traffic identification, but I run the 2.4
-> > -> kernel series.
-> > ->
-> > -> When you patch a 2.4 kernel with the L7 patch,
-> > -> the Connmark patch (patch-o-matic) can't be applied
-> > -> afterwards (conflicts).
-> > ->
-> > -> thank you.
-> > -> --
-> > -> Andres
-> > ->
-> >


RE: [LARTC] Re: Matching with Layer7 vs. IPP2P

2006-04-19 Thread LinuXKiD

Ok

How do you match hosts?
How is your FC4 performance with those settings?

bests

andres.


->
-> L7 compiled fine on Fedora Core 4 with kernel 2.6.12.6 with following
-> procedure:
-> 1. patched kernel sources with ipp2p using patch-o-matic-ng
-> 2. patched kernel with the patch file from l7
-> 3. patched iptables-1.3.5 with l7
-> 4. make/install iptables
-> 5. make/install kernel
->
-> I had to adjust the destination directories for iptables to fit Fedora's
-> convention.
->
-> Best regards,
-> Arik
->
-> Jandre Olivier wrote:
-> > I was just about to post the same post,
-> >
-> > I currently use ipp2p and it works pretty well. It just doesn't seem to
-> > track Morpheus (FastTrack) protocols, otherwise it works pretty well. I
-> > have quite a lot of connections and haven't seen any performance issues.
-> > My next step is to add L7 as well with ipp2p to completely
-> > block/shape p2p.
-> >
-> > However I find L7 a bit more tricky than ipp2p to compile.
-> > Cannot comment on L7.
-> >
-> > J
-> >
-> >
-> > Arik Raffael Funke wrote:
-> >> Hi,
-> >>
-> >> can anybody comment on the cost of matching with IPP2P vs. Layer7.
-> >>
-> >> Also, does an iptables rule with a more complicated matching mechanism
-> >> also slow down processing if all the packets are matched before they
-> >> reach the rule. I.e. is the mere existence of a potentially costly
-> >> rule already slowing down processing or only if packets are actually
-> >> processed by it?
-> >>
-> >> Thanks very much in advance.
-> >>
-> >> Best regards,
-> >> Arik
->


RE: [LARTC] Sip Traffic

2006-04-18 Thread LinuXKiD

mmm... interesting

http://sipx-wiki.calivia.com/index.php/HowTo_configure_iptables

ip_conntrack_sip

Has someone tried it?

Does it work on the 2.4 kernel series?

thanks




->
->
-> Hi, I am pretty much a newbie. I found with SIP that if I match ports 5060 and
-> 1 - 2 it works. I noticed on some phones they use 13000 - 14000 and
-> others use 18000 - 19000. There is a new sip-conntrack out although I
-> haven't tried it yet.
->
-> william
->
-> -Original Message-
-> From: [EMAIL PROTECTED]
-> [mailto:[EMAIL PROTECTED]
-> On Behalf Of LinuXKiD
-> Sent: 17 April 2006 15:59
-> To: lartc
-> Subject: [LARTC] Sip Traffic
->
->
-> Hi.
->
-> Is there a way to MARK UDP VoIP (SIP) traffic,
-> in order to put it in a highest-prio class?
->
-> The traffic flow seems to start on UDP port 5060, but
-> next both server and client seem to jump to a
-> random(?) port.
->
-> I can't use CONNMARK because it is UDP traffic.
->
-> I only see a pattern for the L7 patch for
-> SIP traffic identification, but I run the 2.4
-> kernel series.
->
-> When you patch a 2.4 kernel with the L7 patch,
-> the Connmark patch (patch-o-matic) can't be applied
-> afterwards (conflicts).
->
-> thank you.
-> --
-> Andres


RE: [LARTC] Problems in Dead Gateway Detection / Failover- MultipleISP Links

2006-04-17 Thread LinuXKiD


Hi,

I've something similar:

I cron a perl script that every 2 minutes checks via ICMP
some reference host (for each "default route").

If some route is down, I take it off the "default routes table".

But I think that doing it by TCP connect to port 80 is better.

bests.

andres



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Alessandro Ren
Sent: Monday, 17 April 2006 12:17 p.m.
To: [EMAIL PROTECTED]
CC: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problems in Dead Gateway Detection / Failover-
MultipleISP Links



I bind to the interface IP and connect to 20 different sites or more,
the sites are listed in a text file, using the TCP connect in perl.
Of course, the ip rule tables and the marks in the firewall must be set
correctly so you know that the connections are going through the right
interface.
I can share the script; it's a little complex in its structure, as it
depends on some external scripts, but I will try to share it and probably get
more and better ideas to do the fail over / multi path routing.
I will prepare and send an email with it shortly.

[]s.

Shashikant Mundlik wrote:
Hi Ren,

Thanks for your help. But how do you check that you reach less than 20 of
your sites (do you mean 20 websites?)?
Will you be able to share the script?
That will be a great help.

Thanks and regards,

Shashikant Mundlik

System Administrator
UBICS, Pune
Phone:  91 20 2729 1004  x 138
Mobile : 91 9372 044015

www.ubics.com
The UB Group






From: Alessandro Ren [mailto:[EMAIL PROTECTED]
Sent: Monday, April 17, 2006 7:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problems in Dead Gateway Detection / Failover -
MultipleISP Links



I have a script that connects to 20 different sites on port 80 coming
from each link interface I have on my linux router.
If I reach less than 20% of my sites, I assume the link is down and do
all the routing and firewall adjustments to make the traffic go to other
routes, removing the problematic link, setting ip rules, routes in
tables and the main multipath default route and commenting in the firewall
the MARKs that would go via the link that's down, and it also sets QoS and
tries to bring the link that is down back UP.
Although I've tested with only 3 links, it supports any number of them.
It works very nice so far.

[]s.


Shashikant Mundlik wrote:
Hi There,

I am also trying to do the same for my network.
I have two links from different ISPs and I want to configure a failover and
load balancing Linux router.

I am facing the same problem here: how to detect link failure and let the Linux
box switch the gateway.

I know it works when the first gateway is physically down and not reachable.
But what to do if my link is up but there is problem at nexthop level and
its not routing packets to destination.

Please tell me if this can be overcome by setting multipath routing.

Another way I can think of doing this is to use a script which will check if
the default route is alive every 15 mins and if not it will make changes in
routing table and route the packets through different link.

I don't know if this is the best way to do this. If any one know how to do
this better please share.

If you guys think this can work, let's help each other to write such a script.

I am new to LARTC and just now started learning it to solve my network
problems.

Please help me to achieve this.

Thanks in advance.

Regards,

Shashikant Mundlik
Pune, India.




--
__
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060

phone 55(51)3061-3588
fax 55(51)3061-3588
mobile 55(51)8151-8212
email [EMAIL PROTECTED]

__




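The check Alessandro and Andres describe, as an added example in sh (editor's code, not either of their perl scripts). Each ISP link is probed by TCP-connecting to port 80 of several reference sites from that link's own source address, so the probe really leaves through that link rather than through whatever the current default route is (the ip rules that send traffic sourced from a link's address out through that link must already exist); a link counts as dead when fewer than THRESHOLD percent of the sites answer, and the multipath default route is rebuilt from the links still alive. The site list, the link table, the threshold and the use of `curl --interface` for the probe are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: probe each ISP link with TCP connects
# to port 80 from the link's own address, declare it dead below a success
# threshold, and rebuild the multipath default route from the live links.
# Site list, link table, threshold and the curl probe are assumptions.

SITES="www.example.com www.example.net www.example.org"  # constructed list
THRESHOLD=${THRESHOLD:-20}     # percent of sites that must answer
IP=${IP:-/sbin/ip}
DRY_RUN=${DRY_RUN:-1}

# probe SRC_IP HOST: 0 if a TCP connect to HOST:80 bound to SRC_IP succeeds
probe() {
    curl --silent --interface "$1" --connect-timeout 5 --max-time 8 \
        --output /dev/null "http://$2/"
}

# link_alive SRC_IP: succeeds when at least THRESHOLD percent of SITES answer
link_alive() {
    ok=0; total=0
    for site in $SITES; do
        total=$((total + 1))
        if probe "$1" "$site"; then ok=$((ok + 1)); fi
    done
    [ $((ok * 100 / total)) -ge "$THRESHOLD" ]
}

# build_default_route "IF1 GW1 SRC1 IF2 GW2 SRC2 ...": print the
# 'ip route replace default' command listing only the links that are alive;
# fails (and prints nothing) when none is, so a bad probe run never
# removes the last route.
build_default_route() {
    cmd="$IP route replace default"
    n=0
    set -- $1
    while [ $# -ge 3 ]; do
        if link_alive "$3"; then
            cmd="$cmd nexthop via $2 dev $1 weight 1"
            n=$((n + 1))
        fi
        shift 3
    done
    [ "$n" -gt 0 ] || { echo "no link alive, keeping current routes" >&2; return 1; }
    echo "$cmd"
}

# failover LINKS: rebuild the default route (print it when DRY_RUN=1)
failover() {
    route=$(build_default_route "$1") || return 1
    if [ "$DRY_RUN" = "1" ]; then echo "$route"; else $route; fi
}

# run from cron, e.g. every 2 minutes:
# failover "eth0 10.0.0.1 10.0.0.2 eth1 10.0.1.1 10.0.1.2"
```

Using `ip route replace` with the full nexthop list is what makes this idempotent: running it again with the same set of live links changes nothing, and a link that comes back is simply listed again on the next run. The threshold is a percentage rather than "all sites up" so that one dead reference site does not take a healthy link out of rotation.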

[LARTC] Sip Traffic

2006-04-17 Thread LinuXKiD

Hi.

Is there a way to MARK UDP VoIP (SIP) traffic,
in order to put it in a highest-prio class?

The traffic flow seems to start on UDP port 5060, but
next both server and client seem to jump to a
random(?) port.

I can't use CONNMARK because it is UDP traffic.

I only see a pattern for the L7 patch for
SIP traffic identification, but I run the 2.4
kernel series.

When you patch a 2.4 kernel with the L7 patch,
the Connmark patch (patch-o-matic) can't be applied
afterwards (conflicts).

thank you.
--
Andres 


[LARTC] wireless router or Access Poing

2006-02-06 Thread LinuXKiD
Hi,

I want to set up a Linux as Access Point,
and maybe, as router too.

Is there some distro or mini-distro to do that?

thanks in advance 

andres


RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router

2006-02-02 Thread LinuXKiD


Very good, thank you.


->
->
-> Hello,
->
-> On Wednesday 1 February 2006 23:11, LinuXKiD wrote:
-> > Sometimes I fail to access some HTTPS URLs or the MSN service
-> > if you (D-Link or router) mishandle the MTU
->
-> Did you try the TCPMSS netfilter target ?
->
-> For instance :
-> -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss
-> --mss \
->1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-> -A POSTROUTING -o ppp0 -j MASQUERADE
->
-> As you are probably using pppoe on the telephone loop, the
-> maximum transmit unit cannot reach its maximum 1500 bytes.
-> The pppoe header takes 4 bytes.
->
-> You should also let some icmp packets get in, in order to have
-> pmtu discovery effective.
->
-> HTH,
->
-> >
-> > andres
-> >
-> >
-> > ->
-> > -> Hi,
-> > ->
-> > -> > try next:
-> > -> > - Put d-link ADSL as "modem"
-> > -> > - Make PPPoE call under Linux
-> > ->
-> > -> Yes I've already tried this - that's my current
-> configuration since one
-> > -> week;)
-> > ->
-> > -> But I want to understand why it's not possible to use the
-> D-Link as a
-> > -> router, and for what kind of problem the tcpdump results stand for.
-> > ->
-> > -> Ralph
-> > ->
-> > -> >
-> > -> >
-> > -> >
-> > -> > ->
-> > -> > -> Hi,
-> > -> > ->
-> > -> > -> I have the shown (end of this post) net work configuration.
-> > -> > ->
-> > -> > -> In a "few" words: My Debian Sarge server is connected to a
-> > -> D-Link ADSL
-> > -> > -> Router (DSL-562T). DMZ is enabled for the Debian Sarge IP
-> > -> on the Router.
-> > -> > ->
-> > -> > -> My Linux server has two NIC's.
-> > -> > -> ethlan = internal Net
-> > -> > -> ethdsl = external -> D-Link
-> > -> > ->
-> > -> > -> My Linux server is configured to make NAT via iptables.
-> > -> > ->
-> > -> > -> Current state - what's working:
-> > -> > -> - Access from internal LAN to Internet is working (http,
-> > -> https, ftp, etc)
-> > -> > -> - Access inside the LAN is working
-> > -> > -> - Access inside the LAN to the linux server is working (http,
-> > https, -> > -> IMAP and SSH)
-> > -> > -> - Access from outside the LAN (from internet) to the
-> Linux server
-> > is -> > -> working for https, IMAP and SSH
-> > -> > ->
-> > -> > -> ***BUT***:
-> > -> > -> Same Problem simular for SSH, https and IMAP:
-> > -> > -> On an internet browser inside the lan I can't access the
-> > -> webserver on
-> > -> > -> the Linux Server when I enter the external URL of the
-> Linux server
-> > -> > -> (dynDNS domain name).
-> > -> > -> The https-page won't be opened. A simple ping to the linux
-> > -> server with
-> > -> > -> the same dynDSN domain name works. Trying to enter the
-> > -> external IP of
-> > -> > -> the linux server in the browser also won't work.
-> > -> > -> The page won't be opened in the browser.
-> > -> > ->
-> > -> > -> The page is then not opened in the browser.
-> > -> > -> Via telnet to https or ssh or IMAP likewise no connection
-> > -> > -> is established when I give the dynDNS domain name as target.
-> > -> > -> As said, if instead of the dynDNS domain name I enter the
-> > -> > -> local name or the local IP, then it works.
-> > -> > ->
-> > -> > -> iptables schould log dropped pakets. But there aren't any
-> > -> > -> dropped packets.
-> > -> > -> Ifconfig also does not show any errors (dropped packets)
-> > -> for ethlan /
-> > -> > -> ethdsl.
-> > -> > ->
-> > -> > -> So I've tried to understand what tcpdumd shows for
-> port 443. But
-> > I'm -> > -> bound to say that I'm absolutety not firm with tcpdump.
-> > -> > -> Here's what tcpdump shows:
-> > -> > ->
-> > -> > ->
-> > -> > -> tcpdump for port 443:
-> > -> > -> Not working access from inside the lan to the servers
-> > -> external Name /
-> > -> > -> the servers ext

RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router

2006-02-01 Thread LinuXKiD
Sometimes I fail to access some HTTPS URLs or the MSN service
if you (D-Link or router) mishandle the MTU.

andres


->
-> Hi,
->
-> > try next:
-> > - Put d-link ADSL as "modem"
-> > - Make PPPoE call under Linux
->
-> Yes I've already tried this - that's my current configuration since one
-> week;)
->
-> But I want to understand why it's not possible to use the D-Link as a
-> router, and for what kind of problem the tcpdump results stand for.
->
-> Ralph
->
-> >
-> >
-> >
-> > ->
-> > -> Hi,
-> > ->
-> > -> I have the shown (end of this post) net work configuration.
-> > ->
-> > -> In a "few" words: My Debian Sarge server is connected to a
-> D-Link ADSL
-> > -> Router (DSL-562T). DMZ is enabled for the Debian Sarge IP
-> on the Router.
-> > ->
-> > -> My Linux server has two NIC's.
-> > -> ethlan = internal Net
-> > -> ethdsl = external -> D-Link
-> > ->
-> > -> My Linux server is configured to make NAT via iptables.
-> > ->
-> > -> Current state - what's working:
-> > -> - Access from internal LAN to Internet is working (http,
-> https, ftp, etc)
-> > -> - Access inside the LAN is working
-> > -> - Access inside the LAN to the linux server is working (http, https,
-> > -> IMAP and SSH)
-> > -> - Access from outside the LAN (from internet) to the Linux server is
-> > -> working for https, IMAP and SSH
-> > ->
-> > -> ***BUT***:
-> > -> Same Problem simular for SSH, https and IMAP:
-> > -> On an internet browser inside the lan I can't access the
-> webserver on
-> > -> the Linux Server when I enter the external URL of the Linux server
-> > -> (dynDNS domain name).
-> > -> The https-page won't be opened. A simple ping to the linux
-> server with
-> > -> the same dynDSN domain name works. Trying to enter the
-> external IP of
-> > -> the linux server in the browser also won't work.
-> > -> The page won't be opened in the browser.
-> > ->
-> > -> The page is then not opened in the browser.
-> > -> Via telnet to https or ssh or IMAP likewise no connection
-> > -> is established when I give the dynDNS domain name as target.
-> > -> As said, if instead of the dynDNS domain name I enter the
-> > -> local name or the local IP, then it works.
-> > ->
-> > -> iptables schould log dropped pakets. But there aren't any
-> > -> dropped packets.
-> > -> Ifconfig also does not show any errors (dropped packets)
-> for ethlan /
-> > -> ethdsl.
-> > ->
-> > -> So I've tried to understand what tcpdumd shows for port 443. But I'm
-> > -> bound to say that I'm absolutety not firm with tcpdump.
-> > -> Here's what tcpdump shows:
-> > ->
-> > ->
-> > -> tcpdump for port 443:
-> > -> Not working access from inside the lan to the servers
-> external Name /
-> > -> the servers external IP:
-> > -> => no connection
-> > -> 
-> > -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> > -> 65535 
-> > -> 18:43:41.477631 IP lp-java.linkpool.3491 >
-> > -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> > -> 65535 
-> > -> 18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https >
-> > -> lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
-> > -> 18:43:41.967525 IP lp-java.linkpool.3491 >
-> > -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> > -> 65535 
-> > -> 18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https >
-> > -> lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
-> > -> 18:43:42.468301 IP lp-java.linkpool.3491 >
-> > -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> > -> 65535 
-> > -> 18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https >
-> > -> lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
-> > ->
-> > ->
-> > -> tcpdump for port 443:
-> > -> WORKING access from inside the lan to the servers INTERNAL
-> Name / the
-> > -> servers INTERNAL IP:
-> > -> => Successful connection
-> > -> 
-> > -> 18:45:38.773997 IP lp-java.linkpool.3492 >
-> lp-komodo.LINKPOOL.https: S
-> > -> 1505679381:1505679381(0) win 65535 
-> > -> 18:45:38.774478 IP lp-komodo.LINKPOOL.https >
-> lp-java.linkpool.3492: S
-> > -> 189223170:189223170(0) ack 1505679382 win 5840  1460,nop,nop,sackOK>
-> > -> 18:45:38.774062 IP lp-java.linkpool.3492 >
-> lp-komodo.LINKPOOL.https: .
-> > -> ack 1 win 65535
-> > -> 18:45:38.774608 IP lp-java.linkpool.3492 >
-> lp-komodo.LINKPOOL.https: P
-> > -> 1:106(105) ack 1 win 65535
-> > -> 18:45:38.774660 IP lp-komodo.LINKPOOL.https >
-> lp-java.linkpool.3492: .
-> > -> ack 106 win 5840
-> > -> 18:45:38.813185 IP lp-komodo.LINKPOOL.https >
-> lp-java.linkpool.3492: P
-> > -> 1:1055(1054) ack 106 win 5840
-> > -> 18:45:38.927284 IP lp-java.linkpool.3492 >
-> lp-komodo.LINKPOOL.https: .
-> > -> ack 1055 win 64481
-> > ->
-> > -> Is there any one who can interpret those results? Are these enough
-> > -> informations to see where the problem may ve?
-> > -> Wrong Routing? Linux server iptables problem? Problem
-> inside the D-Link
-> > -> Router?
-> > ->

RE: [LARTC] Debian Sarge Server with iptables behind D-Link Router

2006-01-31 Thread LinuXKiD

Try the following:

- Put d-link ADSL as "modem"

- Make PPPoE call under Linux



->
-> Hi,
->
-> I have the shown (end of this post) net work configuration.
->
-> In a "few" words: My Debian Sarge server is connected to a D-Link ADSL
-> Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.
->
-> My Linux server has two NIC's.
-> ethlan = internal Net
-> ethdsl = external -> D-Link
->
-> My Linux server is configured to make NAT via iptables.
->
-> Current state - what's working:
-> - Access from internal LAN to Internet is working (http, https, ftp, etc)
-> - Access inside the LAN is working
-> - Access inside the LAN to the linux server is working (http, https,
-> IMAP and SSH)
-> - Access from outside the LAN (from internet) to the Linux server is
-> working for https, IMAP and SSH
->
-> ***BUT***:
-> Same Problem simular for SSH, https and IMAP:
-> On an internet browser inside the lan I can't access the webserver on
-> the Linux Server when I enter the external URL of the Linux server
-> (dynDNS domain name).
-> The https-page won't be opened. A simple ping to the linux server with
-> the same dynDSN domain name works. Trying to enter the external IP of
-> the linux server in the browser also won't work.
-> The page won't be opened in the browser.
->
-> The page is then not opened in the browser.
-> Via telnet to https or ssh or IMAP likewise no connection
-> is established when I give the dynDNS domain name as target.
-> As said, if instead of the dynDNS domain name I enter the
-> local name or the local IP, then it works.
->
-> iptables schould log dropped pakets. But there aren't any
-> dropped packets.
-> Ifconfig also does not show any errors (dropped packets) for ethlan /
-> ethdsl.
->
-> So I've tried to understand what tcpdumd shows for port 443. But I'm
-> bound to say that I'm absolutety not firm with tcpdump.
-> Here's what tcpdump shows:
->
->
-> tcpdump for port 443:
-> Not working access from inside the lan to the servers external Name /
-> the servers external IP:
-> => no connection
-> 
-> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> 65535 
-> 18:43:41.477631 IP lp-java.linkpool.3491 >
-> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> 65535 
-> 18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https >
-> lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
-> 18:43:41.967525 IP lp-java.linkpool.3491 >
-> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> 65535 
-> 18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https >
-> lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
-> 18:43:42.468301 IP lp-java.linkpool.3491 >
-> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win
-> 65535 
-> 18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https >
-> lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
->
->
-> tcpdump for port 443:
-> WORKING access from inside the lan to the servers INTERNAL Name / the
-> servers INTERNAL IP:
-> => Successful connection
-> 
-> 18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S
-> 1505679381:1505679381(0) win 65535 
-> 18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S
-> 189223170:189223170(0) ack 1505679382 win 5840 
-> 18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: .
-> ack 1 win 65535
-> 18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P
-> 1:106(105) ack 1 win 65535
-> 18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: .
-> ack 106 win 5840
-> 18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P
-> 1:1055(1054) ack 106 win 5840
-> 18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: .
-> ack 1055 win 64481
->
-> Is there any one who can interpret those results? Are these enough
-> informations to see where the problem may ve?
-> Wrong Routing? Linux server iptables problem? Problem inside the D-Link
-> Router?
-> Any suggestions are welcome!
->
->          Internet
->              |
->             DSL
->              |
->       D-Link DSL-562T
->        192.168.200.5
->              |
->   +------------------------------+
->   | Dev=ethdsl      Linux Server |
->   | 192.168.200.2     lp-komodo  |
->   |                              |
->   |       route + iptables       |
->   |                              |
->   | 192.168.240.2                |
->   | Dev=ethlan                   |
->   +------------------------------+
->              |
->       Switch 10/100/1000
->              |
->   +------------------------------+
->   | Dev=LAN       Windows Client |
->   |               XP Pro SP2     |
->   | 192.168.240.010    lp-java   |
->   +------------------------------+
->
->
-> Regards,
->
-> R

[LARTC] [OT?] MikroTik instead Linux ?

2006-01-01 Thread LinuXKiD

[Off topic ?]

Can somebody help me convince some people
to use Linux instead of MikroTik?

Happy new year.

Andres.


[LARTC] error in TC FILTER documentation ???

2005-12-09 Thread LinuXKiD

I've done some tests with TC FILTER and its PRIO

and think there is an error or omission in the TC FILTER documentation.


from: http://lartc.org/howto/lartc.qdisc.filters.html#AEN1100


Let's say we have a PRIO qdisc called '10:' which contains three
classes, and we want to assign all traffic from and to port 22
to the highest priority band, the filters would be:

# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
  ip dport 22 0xffff flowid 10:1
# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
  ip sport 80 0xffff flowid 10:1
# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2

What does this say? It says: attach to eth0, node 10: a priority 1
u32 filter that matches on IP destination port 22 *exactly* and send
it to band 10:1. And it then repeats the same for source port 80.

The last command says that anything unmatched so far should go to
band 10:2, the next-highest priority.


Well... from this I understand that LOWER PRIO = HIGHER PRIO.

And by default TC FILTER PRIO = 0,

so the default TC FILTER prio is the HIGHEST PRIO.

ERROR !!!

The HIGHEST TC FILTER PRIO is 1 and the LOWEST TC FILTER PRIO is 0 !!

For example, see this script, which shares a 64k internet upload link
among 3 customers.

But the Linux router also has an FTP server, and I want to classify FTP traffic
to the Linux server into 1:3:


# initialize

DEV="imq0"

CUSTOMER_A_IP="172.16.10.10"
CUSTOMER_B_IP="172.16.10.11"
CUSTOMER_C_IP="172.16.10.12"
FTP_SERVER="172.16.10.254"

MODPROBE="/sbin/modprobe"
IP="/sbin/ip"
TC="/sbin/tc"
FW="/sbin/iptables"

$MODPROBE imq
$IP l s dev imq0 up

$TC qdisc del root dev $DEV  2> /dev/null > /dev/null
$TC qdisc add dev $DEV handle 1: root htb

echo "** MAIN HTB CLASSes ***"

# 1:1 is the shared 64kbit upload pipe, 1:3 the fast pipe for the FTP server
$TC class add dev $DEV parent 1: classid 1:1 htb rate 64kbit quantum 1500

$TC class add dev $DEV parent 1: classid 1:3 htb rate 10240kbit
$TC qdisc add dev $DEV parent 1:3 handle 3: sfq perturb 10

$TC class add dev $DEV parent 1:1 classid 1:10 htb rate 64kbit quantum 1500


echo "** MARK PACKETS and IMQ  ***"

$FW -t mangle -F
$FW -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
$FW -t mangle -A PREROUTING -p tcp --dport 20 -d $FTP_SERVER -j MARK --set-mark 40
$FW -t mangle -A PREROUTING -p tcp --dport 21 -d $FTP_SERVER -j MARK --set-mark 40


# HERE, I must put "prio 1" in order to process this rule BEFORE the other TC
# FILTERs

$TC filter add dev $DEV parent 1:0 protocol ip prio 1 handle 40 fw flowid 1:3   # FAST_PIPE filter


echo "** CUSTOMERS ***"

$TC class add dev $DEV parent 1:10 classid 1:1000 htb rate 21kbit ceil 64kbit quantum 1500
$TC qdisc add dev $DEV parent 1:1000 handle 1000: sfq perturb 10
$TC filter add dev $DEV protocol ip parent 1:0 u32 match ip src $CUSTOMER_A_IP flowid 1:1000

$TC class add dev $DEV parent 1:10 classid 1:1010 htb rate 21kbit ceil 64kbit quantum 1500
$TC qdisc add dev $DEV parent 1:1010 handle 1010: sfq perturb 10
$TC filter add dev $DEV protocol ip parent 1:0 u32 match ip src $CUSTOMER_B_IP flowid 1:1010

$TC class add dev $DEV parent 1:10 classid 1:1020 htb rate 21kbit ceil 64kbit quantum 1500
$TC qdisc add dev $DEV parent 1:1020 handle 1020: sfq perturb 10
$TC filter add dev $DEV protocol ip parent 1:0 u32 match ip src $CUSTOMER_C_IP flowid 1:1020



Run this script and in a shell type:

root:/scripts# tc -s -d filter ls dev imq0
filter parent 1: protocol ip pref 1 fw
filter parent 1: protocol ip pref 1 fw handle 0x28 classid 1:3

PREF 1 = PRIO 1

filter parent 1: protocol ip pref 49151 u32

PREF 49151 = PRIO 0 !!

So PRIO 0 has lower priority than PRIO 1.

filter parent 1: protocol ip pref 49151 u32 fh 802: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 1:1020
  match ac100a0c/ffffffff at 12
filter parent 1: protocol ip pref 49151 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:1010
  match ac100a0b/ffffffff at 12
filter parent 1: protocol ip pref 49151 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1000
  match ac100a0a/ffffffff at 12
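As an added example (not code from the post or from the LARTC howto), the script below makes the ordering point of this thread visible. The kernel consults filters from the lowest pref upwards; a filter added without `prio` is given a pref chosen by the kernel (49151 in the output above), so an explicit `prio 1` is always consulted before it, whatever order the filters were added in. `build_filters` emits the post's fw and u32 filters with an explicit prio on every one, `filter_order` prints the evaluation order of a `tc filter ls` dump, and `count_auto_pref` counts filters whose pref looks auto-assigned. The device name, the cut-off of 999 between "explicit" and "auto-assigned" prefs, and the sample dump are assumptions of this example; `TC` defaults to echoing the commands so the script runs as a dry run without root.

```shell
#!/bin/sh
# Added example, not code from the original post: build the fw/u32 filters with
# an explicit prio on every filter, and audit `tc filter ls` output to see the
# order the kernel will consult them in (lowest pref first).
# TC defaults to "echo /sbin/tc" so the script runs as a dry run without root or
# a real imq0 device; set TC=/sbin/tc to apply the rules for real.
TC="${TC:-echo /sbin/tc}"
DEV="${DEV:-imq0}"

# Same classification as the post's script, but no filter is left with prio 0
# ("let the kernel pick"): the fw filter gets prio 1 and the per-customer u32
# filters prio 10, so the fw match is consulted first no matter in which order
# the filters were added.
build_filters() {
    $TC filter add dev "$DEV" parent 1:0 protocol ip prio 1 handle 40 fw flowid 1:3
    i=0
    for ip in 172.16.10.10 172.16.10.11 172.16.10.12; do
        $TC filter add dev "$DEV" parent 1:0 protocol ip prio 10 \
            u32 match ip src "$ip" flowid "1:10${i}0"
        i=$((i + 1))
    done
}

# Read `tc filter ls` output on stdin and print "pref kind class" for every
# filter that has a target class, sorted by pref. Hash-table header lines
# without a target are skipped. fw filters print "classid", u32 filters print
# "flowid", so both keywords are accepted.
filter_order() {
    awk '/flowid|classid/ {
            pref = ""; kind = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "pref") { pref = $(i + 1); kind = $(i + 2) }
                if ($i == "flowid" || $i == "classid") cls = $(i + 1)
            }
            print pref, kind, cls
        }' | sort -n | uniq
}

# Count filters in a `tc filter ls` dump whose pref lies above the range used
# for explicit priorities here (1..999, an assumption of this example). A
# non-zero count means the evaluation order depends on the kernel's choice.
count_auto_pref() {
    filter_order | awk '$1 > 999 { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the output shown in the post (the u32 filters
# were added without prio, so the kernel assigned them pref 49151).
SAMPLE_TC_OUTPUT='filter parent 1: protocol ip pref 1 fw
filter parent 1: protocol ip pref 1 fw handle 0x28 classid 1:3
filter parent 1: protocol ip pref 49151 u32
filter parent 1: protocol ip pref 49151 u32 fh 802: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 1:1020
  match ac100a0c/ffffffff at 12
filter parent 1: protocol ip pref 49151 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:1010
  match ac100a0b/ffffffff at 12
filter parent 1: protocol ip pref 49151 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1000
  match ac100a0a/ffffffff at 12'

echo "== dry-run filter commands =="
build_filters
echo "== evaluation order of the sample filter list =="
printf '%s\n' "$SAMPLE_TC_OUTPUT" | filter_order
echo "filters without an explicit prio: $(printf '%s\n' "$SAMPLE_TC_OUTPUT" | count_auto_pref)"
```

On a live box, `tc filter ls dev imq0 | count_auto_pref` returning anything but 0 is the cue to revisit the script and give each filter its own `prio`.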

RE: [LARTC] FAIR NAT: this is correct ?

2005-11-25 Thread LinuXKiD



-> On Friday 25 November 2005 21:19, LinuXKiD wrote:
-> > $BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j
-> > RETURN
-> > [...]
-> >
-> > because on original FARINAT, PINGS are marked as "MAXIMIZE THROUGHPUT"
-> >
-> > is correct my note ??
->
-> The code you quoted is a rule that should be protocol independent. Lower
-> the priority of packets that claim to be interactive but are too big. Or
-> rather, let packets keep their high priority status only if
-> they're small
-> enough. It should apply to ICMP and all others as well, but obviously it
-> doesn't. Well spotted...
->


OK, what about:

$BIN_IPT -t mangle -A $FN_CHK_TOS -m length --length 0:512 -j RETURN

instead of...

$BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j RETURN

I think that (in the ICMP case) this would prioritize small ICMP packets,
and small packets of other protocols too.


BTW, I think that FairNat and JiM QoS scripts are great!
I'm studying both in order to learn about QoS.

bests

andres.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] FAIR NAT: this is correct ?

2005-11-25 Thread LinuXKiD
On Fair NAT:

[...]
# Correcting TOS for large packets with Minimize-Delay-TOS
$BIN_IPT -t mangle -A $FN_CHK_TOS -p tcp -m length --length 0:512  -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -p udp -m length --length 0:1024 -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -j TOS --set-tos Maximize-Throughput
$BIN_IPT -t mangle -A $FN_CHK_TOS -j RETURN
[...]


I think the best is:

[...]
# Correcting TOS for large packets with Minimize-Delay-TOS
$BIN_IPT -t mangle -A $FN_CHK_TOS -p tcp -m length --length 0:512  -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -p udp -m length --length 0:1024 -j RETURN
## NEW LINE:
$BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -j TOS --set-tos Maximize-Throughput
$BIN_IPT -t mangle -A $FN_CHK_TOS -j RETURN
[...]


because in the original FairNAT, PINGs are marked as "MAXIMIZE THROUGHPUT".

Is my note correct?

bests
andres

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] PRIO Q's

2005-11-22 Thread LinuXKiD

Hi,

see www.linuximq.net

regards
andres

->
->
-> Good morning,
->
-> I have a client that needs some shaping done.
-> I'm only familiar with the HTB queue and was hoping someone
-> could give me a few pointers if possible.
->
-> I need to shape outgoing and incoming as far as possible, though
-> I don't know if it will be possible to do so without policing the
-> incoming bandwidth.
-> They have a link and their service provider allows them to burst as
-> bandwidth is available.
->
-> Any help welcome.
->
-> Regards
-> Nic
->
-> ___
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] VOIP traffic under vSAT link

2005-11-21 Thread LinuXKiD
Hi,

I have a VSAT internet link and I want
to know if I can make VoIP calls over it.

(Ping in the best case reaches 900/100 ms
because of the satellite effect.)

Can I make VoIP calls with the SIP protocol?

Thanks
andres

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Differentiating between http downloads and interactivetraffic

2005-11-02 Thread LinuXKiD

Hi,

I've read your recommendation:

http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-connrate

in order to differentiate between an established http download
and interactive http traffic.

That patch suggests something like this:


iptables .. -m tos --tos Minimize-Delay \
-m connrate --connrate 2:inf \
-j TOS --set-tos Maximize-Throughput

 => match packets in minimize-delay TOS connections that are transferring
faster than 20kbps and change their tos to maximize-throughput instead.

It is very interesting!

Has somebody really tried this patch?

best regards

andres



->
->
-> I would recommend looking at the connrate
-> (http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-connrate)
-> Patch-O-Matic patch.  Your interactive
-> sessions could be long lived and thus pass the connlimit and /
-> or connbytes matches and thus be falsely classified.  Whereas
-> if you test for your interactive sessions by looking for an
-> overall average low rate, burst delay burst delay etc, you should
-> have a low average and thus be able to match based on rate to
-> classify them higher.
->
->
->
-> Grant. . . .
->
-> Paul J. Smith wrote:
-> > Hi,
-> >
-> > I’ve been wondering if anyone has thought of a way to differentiate
-> > between an established http download and interactive http traffic?  I
-> > would like to give interactive http traffic priority over someone
-> > downloading large files.
-> >
-> > Has anyone any ideas how to detect packets that are part of a download
-> > like this?
-> >
-> > Thanks.
->
-> ___
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] ADSL-Bandwidth-Management-HOWTO

2005-11-01 Thread LinuXKiD

Hi,

I've read the ADSL-Bandwidth-Management-HOWTO
http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/implementation.html#AEN166

and I have a doubt about this part of the script:

[ ... ]

# DNS name resolution (small packets)

iptables -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 21

[ ... ]


Is that a bug?

I think that "DNS name resolution (small packets)" is better matched
with:

# DNS name resolution (small packets)

iptables -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 53 -j MARK --set-mark 21



ORIGINAL AND COMPLETE SCRIPT IS HERE:

#!/bin/bash
#
# myshaper - DSL/Cable modem outbound traffic shaper and prioritizer.
#Based on the ADSL/Cable wondershaper (www.lartc.org)
#
# Written by Dan Singletary (8/7/02)
#
# NOTE!! - This script assumes your kernel has been patched with the
#  appropriate HTB queue and IMQ patches available here:
#  (subnote: future kernels may not require patching)
#
#   http://luxik.cdi.cz/~devik/qos/htb/
#   http://luxik.cdi.cz/~patrick/imq/
#
# Configuration options for myshaper:
#  DEV- set to ethX that connects to DSL/Cable Modem
#  RATEUP - set this to slightly lower than your
#   outbound bandwidth on the DSL/Cable Modem.
#   I have a 1500/128 DSL line and setting
#   RATEUP=90 works well for my 128kbps upstream.
#   However, your mileage may vary.
#  RATEDN - set this to slightly lower than your
#   inbound bandwidth on the DSL/Cable Modem.
#
#
#  Theory on using imq to "shape" inbound traffic:
#
# It's impossible to directly limit the rate of data that will
#  be sent to you by other hosts on the internet.  In order to shape
#  the inbound traffic rate, we have to rely on the congestion avoidance
#  algorithms in TCP.  Because of this, WE CAN ONLY ATTEMPT TO SHAPE
#  INBOUND TRAFFIC ON TCP CONNECTIONS.  This means that any traffic that
#  is not tcp should be placed in the high-prio class, since dropping
#  a non-tcp packet will most likely result in a retransmit which will
#  do nothing but unnecessarily consume bandwidth.
# We attempt to shape inbound TCP traffic by dropping tcp packets
#  when they overflow the HTB queue which will only pass them on at
#  a certain rate (RATEDN) which is slightly lower than the actual
#  capability of the inbound device.  By dropping TCP packets that
#  are over-rate, we are simulating the same packets getting dropped
#  due to a queue-overflow on our ISP's side.  The advantage of this
#  is that our ISP's queue will never fill because TCP will slow it's
#  transmission rate in response to the dropped packets in the assumption
#  that it has filled the ISP's queue, when in reality it has not.
# The advantage of using a priority-based queuing discipline is
#  that we can specifically choose NOT to drop certain types of packets
#  that we place in the higher priority buckets (ssh, telnet, etc).  This
#  is because packets will always be dequeued from the lowest priority class
#  with the stipulation that packets will still be dequeued from every
#  class fairly at a minimum rate (in this script, each bucket will deliver
#  at least it's fair share of 1/7 of the bandwidth).
#
#  Reiterating main points:
#   * Dropping a tcp packet on a connection will lead to a slower rate
#     of reception for that connection due to the congestion avoidance
#     algorithm.
#   * We gain nothing from dropping non-TCP packets.  In fact, if they
#     were important they would probably be retransmitted anyways so we want
#     to try to never drop these packets.  This means that saturated TCP
#     connections will not negatively effect protocols that don't have a
#     built-in retransmit like TCP.
#   * Slowing down incoming TCP connections such that the total inbound rate
#     is less than the true capability of the device (ADSL/Cable Modem) SHOULD
#     result in little to no packets being queued on the ISP's side (DSLAM,
#     cable concentrator, etc).  Since these ISP queues have been observed to
#     queue 4 seconds of data at 1500Kbps or 6 megabits of data, having no
#     packets queued there will mean lower latency.
#
#  Caveats (questions posed before testing):
#   * Will limiting inbound traffic in this fashion result in poor bulk TCP
#     performance?
#     - Preliminary answer is no!  Seems that by prioritizing ACK packets
#       (small <64b) we maximize throughput by not wasting bandwidth on
#       retransmitted packets that we already have.
#

# NOTE: The following configuration works well for my
# setup: 1.5M/128K ADSL via Pacific Bell Internet (SBC Global Services)

DEV=eth0
RATEUP=90
RATEDN=700  # Note that this is significantly lower than the capacity of 1500.
            # Because of this, you may not want to bother limiting inbound
            # traffic until a better implementation such as TCP window
            # manipulation can be used.

#
# End Configuration Options
#

if [ "$1" = "status" ]
then
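As an added example (not code from the HOWTO, from FairNAT, or from the posts), the script below serves both this thread and the FairNAT TOS-correction thread further up: a small first-match rule evaluator in shell that shows what the original and the corrected rules actually catch. The rule sets and packets are constructed for the example, and the actions `mark21`, `keep` and `max-throughput` stand in for the real `MARK --set-mark 21`, `RETURN` and `TOS --set-tos Maximize-Throughput` targets.

```shell
#!/bin/sh
# Added example, not code from the HOWTO, FairNAT or the posts: a first-match
# evaluator for mangle-style rules, used to check on paper what a rule really
# catches. Rule lines are "proto dport len_min len_max action" ("any" is a
# wildcard for proto or dport); the first rule that matches a packet wins,
# exactly as in an iptables chain.
classify() {
    # $1 = rule set (one rule per line), $2 = proto, $3 = dport, $4 = length
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" -v l="$4" '
        NF == 5 {
            if (($1 == "any" || $1 == p) && ($2 == "any" || $2 == d) &&
                l >= $3 && l <= $4) { print $5; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Constructed rule sets (length range 0..65535 = any length).
# The HOWTO's "DNS name resolution (small packets)" rule marks every UDP packet:
ADSL_ORIGINAL='udp any 0 65535 mark21'
# The fix proposed in the post marks only traffic to port 53:
ADSL_FIXED='udp 53 0 65535 mark21
tcp 53 0 65535 mark21'

# FairNAT's TOS-correction chain: "keep" stands for RETURN (the packet keeps its
# Minimize-Delay TOS); everything that falls through is set to Maximize-Throughput.
FAIRNAT_ORIGINAL='tcp any 0 512 keep
udp any 0 1024 keep
any any 0 65535 max-throughput'
# The same chain with the ICMP line proposed in the FairNAT thread:
FAIRNAT_PATCHED='tcp any 0 512 keep
udp any 0 1024 keep
icmp any 0 1024 keep
any any 0 65535 max-throughput'

# Constructed packets: "proto dport length" ("-" = no port, e.g. ICMP).
for pkt in 'udp 53 80' 'udp 5060 1400' 'tcp 53 120'; do
    set -- $pkt
    echo "ADSL    $pkt: original=$(classify "$ADSL_ORIGINAL" "$@") fixed=$(classify "$ADSL_FIXED" "$@")"
done
for pkt in 'icmp - 64' 'icmp - 1400' 'tcp 22 100' 'tcp 22 600'; do
    set -- $pkt
    echo "FairNAT $pkt: original=$(classify "$FAIRNAT_ORIGINAL" "$@") patched=$(classify "$FAIRNAT_PATCHED" "$@")"
done
```

The run shows the two problems side by side: under the HOWTO rule a 1400-byte UDP packet to port 5060 receives the DNS mark, while under the port-53 rules it does not; under the original FairNAT chain a 64-byte ICMP echo falls through to Maximize-Throughput, while with the ICMP line it keeps its TOS like a small TCP or UDP packet does.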

[LARTC] cyber cafe with "dumb" terminals

2005-10-21 Thread LinuXKiD
Hello,

I'm trying to lay out a project for a cyber cafe
whose LAN is made up of PCs with no hard disk,
which boot and operate from a "big" central server.

I've read about LTSP, but the thing is that I would
need to run wingarch on the terminals, for MSN and
IE (sorry sorry sorry sorry).

(The latter could be replaced by Firefox.)

Can I do this, and install Wine and run these applications?

Or what do you recommend?

Thanks!
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] [OFF-TOPIC] IPP2P version 0.8.0 released

2005-10-21 Thread LinuXKiD

-> On Friday 2005-October-21 01:57, Klaus wrote:
-> > www.ipp2p.com is something I have never tested until now and it
-> > looks quite different from my website...
-> 
-> A cyber-squatter by the looks of it, waiting for you to offer huge sums 
-> of money for that domain name.

Surely...

This is "ipp2p.com" information


Registration Service Provided By: best-domain
Contact: [EMAIL PROTECTED]
Visit:

Domain name: IPP2P.com

Administrative Contact:
best-domain
lin ye ([EMAIL PROTECTED])
+1.13870080170
Fax: +1.13870080170
5718 S Drexel Ave.
chicago, IL 60637
US

Billing Contact:
best-domain
lin ye ([EMAIL PROTECTED])
+1.13870080170
Fax: +1.13870080170
5718 S Drexel Ave.
chicago, IL 60637
US

Technical Contact:
best-domain
lin ye ([EMAIL PROTECTED])
+1.13870080170
Fax: +1.13870080170
5718 S Drexel Ave.
chicago, IL 60637
US

Registrant Contact:
best-domain
lin ye ([EMAIL PROTECTED])
+1.13870080170
Fax: +1.13870080170
5718 S Drexel Ave.
chicago, IL 60637
US

Status: Active

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 26 Sep 2005 03:13:21
Expiration date: 26 Sep 2006 03:13:
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] esfq ? or wrr ?

2005-10-15 Thread LinuXKiD


-> I think it depends on the type of traffic you're
-> expecting from the different users. If you're
-> expecting very similar patterns of behaviour, then my
-> guess would be ESFQ would be the better.
-> 
-> If, on the other hand, the network load is going to
-> shift over time, between the users, then WRR would
-> seem the more logical choice.
-> 
-> You might also want to look at HFSC (Hierarchical Fair
-> Service Curve) - it's possible you might be able to
-> get what you want from the single algorithm, rather
-> than piping through several. The fewer layers you
-> have, the less latency you'll introduce. HFSC also has
-> the advantage that it is standard in the kernel, so
-> likely has better testing.

OK. I've read some documents about HFSC, but at the moment
I understand it. Can you post a good tutorial about HFSC?

thank you.


-> 
-> ESFQ and WRR have been forward-ported, well,
-> sometimes, but only the combined -qos patch seems to
-> be current - the individual patches don't seem to be
-> maintained at all.
-> 
-> I would like to see the patches cleaned up (as
-> necessary) then submitted for merging into the
-> mainstream kernel. Linux' QoS code is in frankly
-> horrible shape at the moment, so anything that stirred
-> interest in it would almost have to be a good thing,
-> even if the patches themselves didn't get included any
-> time soon.
-> 
-> --- LinuXKiD <[EMAIL PROTECTED]> wrote:
-> 
-> > Hi
-> > 
-> > If I have a HTB class with 128kbit, and I want to 
-> > put "N" users in that class ( in order to share 
-> > bandwidth fairly ) , 
-> > 
-> > which is better for me ?  esfq (hash dst)  or wrr ?
-> > 
-> > I would attach esfq or wrr to HTB parent class.
-> > 
-> > Also I've read in Jim's script that a RED qdisc is put
-> > over WRR, but I don't understand it.
-> > 
-> > bests
-> > 
-> > andres
-> > ___
-> > LARTC mailing list
-> > LARTC@mailman.ds9a.nl
-> >
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> > 
-> 
-> 
-> 
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] esfq ? or wrr ?

2005-10-14 Thread LinuXKiD
Hi

If I have an HTB class with 128kbit, and I want to
put "N" users in that class (in order to share
bandwidth fairly),

which is better for me? esfq (hash dst) or wrr?

I would attach esfq or wrr to the HTB parent class.

Also I've read in Jim's script that a RED qdisc is put
over WRR, but I don't understand it.

bests

andres
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] p2p: ARES

2005-09-23 Thread LinuXKiD




-> 
-> On Thursday 22 September 2005 22:32, LinuXKiD wrote:
-> > iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
-> > iptables -A FORWARD -m ipp2p --ares -j ACCEPT
-> 
-> Assuming that packets which are not accepted get dropped, IPP2P
-> would have to match the very first packet of every P2P connection
-> for this to work properly. I'm not sure that's a given. So far I've
-> only used it for shaping and dropping purposes, and in both cases it
-> does not matter whether the matched packet is the first, second, or
-> third one...

Consider this situation:

I want to SHAPE p2p connections on my LAN.
But ARES can't be shaped, at the moment.

And my firewall has a DROP POLICY, so I have to ACCEPT
ipp2p connections, and related / established ones.

But (with this), ARES packets are dropped.

bests

-> 
-> Regards,
-> Andreas
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] p2p: ARES

2005-09-22 Thread LinuXKiD

Hi,

I have a Linux box as NAT router + firewall
(POLICY DROP for INPUT, OUTPUT and FORWARD),

and I've put the following rules for p2p software
in the FORWARD chain:

[... snip ... ]

iptables -F FORWARD
iptables -P FORWARD DROP


iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
[... snip ... ]

iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -m ipp2p --ares -j ACCEPT

[...]

Then... emule, kazaa, edonkey and so on work very well,
but ARES can't connect.

I have
- iptables 1.3.3
- kernel 2.4.28
- ipp2p 0.8.0rc3

BUT, if I change the policy

iptables -P FORWARD ACCEPT

ARES works, it can connect.

I've tried to guess the tcp/udp ports with tcpdump
without success.

I guess that ipp2p can only block p2p on an ACCEPT
policy firewall.

Must I open some tcp/udp port?
Can anybody help me?

bests
andres.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Loadbalancing and failover using TC and Iptables

2005-08-09 Thread LinuXKiD

I've tried this on my Linux box with 4 ADSLs + a 10-host
LAN... but it works better without "marks".




->
-> Another question related with this.
->
-> I've 4 ADSLs and I already use CONNMARK
-> to MARK out/in traffic from ADSLs in order
-> to make a QoS.
->
-> # iptables -L -t mangle
->
-> [... snip ...]
->
-> Chain POSTROUTING (policy ACCEPT 15M packets, 5610M bytes)
->  pkts bytes target prot opt in out source
-> destination
->  989K  299M MYSHAPER-OUT  all  --  *  ppp30.0.0.0/0
-> 0.0.0.0/0
->  985K  222M MYSHAPER-OUT  all  --  *  ppp20.0.0.0/0
-> 0.0.0.0/0
->  856K  163M MYSHAPER-OUT  all  --  *  ppp10.0.0.0/0
-> 0.0.0.0/0
->  841K  164M MYSHAPER-OUT  all  --  *  ppp00.0.0.0/0
-> 0.0.0.0/0
->
-> [... snip ...]
->
-> Chain MYSHAPER-OUT (4 references)
->  pkts bytes target prot opt in out source
-> destination
-> 39254 7491K MARK   tcp  --  *  *   0.0.0.0/0
-> 0.0.0.0/0   tcp spts:0:1024 MARK set 0x17
-> 1920K  221M MARK   tcp  --  *  *   0.0.0.0/0
-> 0.0.0.0/0   tcp dpts:0:1024 MARK set 0x17
->  1882  153K MARK   tcp  --  *  *   0.0.0.0/0
-> 0.0.0.0/0   tcp dpt:20 MARK set 0x1a
->   174  9457 MARK   tcp  --  *  *   0.0.0.0/0
-> 0.0.0.0/0   tcp dpt:5190 MARK set 0x17
->  142K   19M MARK   tcp  --  *  *   0.0.0.0/0
-> 0.0.0.0/0   tcp dpt:1863 MARK set 0x17
-> [... snip ...]
->
->
-> Later, with that MARK I put traffic on a HTB class.
-> ...
-> $TC filter add dev $DEV parent nn:0 prio 0 protocol ip handle XX
-> fw flowid
-> nn:yy
-> ...
->
-> MY Question is:
-> is possible re-mark traffic or put another mark in order
-> to know which PPP interface going out ?
->
-> Must I use CLASSIFY to shape in/out PPP traffic , and let MARKs
-> to know which PPP interface going out ?
->
-> best regards.
->
-> andres
->
->
-> ->
-> -> :: L i n u XK i D :: wrote:
-> -> >
->
-> -> > I've read next link:
-> -> >
-> -> > -> I'm not sure this is still a good link
-> -> > ->
-> ->
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> -> >
-> -> > is really neccessary mark pakets on this way ?
-> ->
-> -> From the machine on which the 2 ISPs are connected to two different
-> -> NICs, no.  It will send and receive packets without marking.  Where I
-> -> have a problem is with NATted users; they are tied to one or the other
-> -> ISP (even though I run 'ip route flush cache') unless I mark.
-> ->
-> -> Maybe Julian will give us some hints ?
-> -> --
-> -> gypsy
-> ->
-> -> > [... snip ...]
-> -> >
-> -> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
-> -> > -m state --state NEW -o ppp0
-> -> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
-> -> > -m state --state NEW -o ppp1
-> -> > # iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
-> -> > -m state --state NEW
-> -> >
-> -> > [... snip ...]
-> -> >
-> -> > # iptables -A POSTROUTING -t nat -m mark --mark 1 \
-> -> > -j SNAT --to-source 11.1.1.1
-> -> > # iptables -A POSTROUTING -t nat -m mark --mark 2 \
-> -> > -j SNAT --to-source 22.2.2.2
-> -> >
-> -> > -> hareram wrote:
-> -> > -> >
-> -> > -> > Hi all
-> -> > -> >
-> -> > -> > iam trying to deploy loadbalance and failover
-> -> > -> >
-> -> > -> > My setup description
-> -> > -> > --Fedora Core 4
-> -> > -> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005
-> -> i686 i686 i386
-> -> > -> > GNU/Linux
-> -> > -> > --tc utility, iproute2-ss050314
-> -> > -> > --ip utility, iproute2-ss050314
-> -> > -> > --iptables v1.3.0
-> -> > ->
-> -> > -> You say nothing about Julian's patch, so I assume you did
-> -> not patch your
-> -> > -> kernel.  You must do that.
-> -> > -> http://www.ssi.bg/~ja/
-> -> > ->
-> -> > -> http://www.geocities.com/mctiew/ffw/dual.htm
-> -> > ->
-> -> > -> I'm not sure this is still a good link
-> -> > ->
-> ->
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> > -> so here is an old copy
-> > -> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
-> > -> --
-> > -> gypsy
-> > -> ___
-> > -> LARTC mailing list
-> > -> LARTC@mailman.ds9a.nl
-> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> > ___
-> > LARTC mailing list
-> > LARTC@mailman.ds9a.nl
-> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



RE: [LARTC] Loadbalancing and failover using TC and Iptables

2005-08-09 Thread LinuXKiD

Another question related with this.

I've 4 ADSLs and I already use CONNMARK
to MARK out/in traffic from ADSLs in order
to make a QoS.

# iptables -L -t mangle

[... snip ...]

Chain POSTROUTING (policy ACCEPT 15M packets, 5610M bytes)
 pkts bytes target        prot opt in  out   source      destination
 989K  299M MYSHAPER-OUT  all  --  *   ppp3  0.0.0.0/0   0.0.0.0/0
 985K  222M MYSHAPER-OUT  all  --  *   ppp2  0.0.0.0/0   0.0.0.0/0
 856K  163M MYSHAPER-OUT  all  --  *   ppp1  0.0.0.0/0   0.0.0.0/0
 841K  164M MYSHAPER-OUT  all  --  *   ppp0  0.0.0.0/0   0.0.0.0/0

[... snip ...]

Chain MYSHAPER-OUT (4 references)
 pkts bytes target  prot opt in  out  source      destination
39254 7491K MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp spts:0:1024 MARK set 0x17
1920K  221M MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp dpts:0:1024 MARK set 0x17
 1882  153K MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp dpt:20 MARK set 0x1a
  174  9457 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp dpt:5190 MARK set 0x17
 142K   19M MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp dpt:1863 MARK set 0x17
[... snip ...]


Later, with that MARK I put the traffic in an HTB class.
...
$TC filter add dev $DEV parent nn:0 prio 0 protocol ip handle XX fw flowid nn:yy
...

MY question is:
Is it possible to re-mark the traffic, or put another mark, in order
to know which PPP interface it is going out of?

Must I use CLASSIFY to shape in/out PPP traffic, and leave the MARKs
to know which PPP interface it is going out of?

best regards.

andres

->
-> :: L i n u XK i D :: wrote:
-> >

-> > I've read next link:
-> >
-> > -> I'm not sure this is still a good link
-> > ->
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> >
-> > is really neccessary mark pakets on this way ?
->
-> From the machine on which the 2 ISPs are connected to two different
-> NICs, no.  It will send and receive packets without marking.  Where I
-> have a problem is with NATted users; they are tied to one or the other
-> ISP (even though I run 'ip route flush cache') unless I mark.
->
-> Maybe Julian will give us some hints ?
-> --
-> gypsy
->
-> > [... snip ...]
-> >
-> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
-> > -m state --state NEW -o ppp0
-> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
-> > -m state --state NEW -o ppp1
-> > # iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
-> > -m state --state NEW
-> >
-> > [... snip ...]
-> >
-> > # iptables -A POSTROUTING -t nat -m mark --mark 1 \
-> > -j SNAT --to-source 11.1.1.1
-> > # iptables -A POSTROUTING -t nat -m mark --mark 2 \
-> > -j SNAT --to-source 22.2.2.2
-> >
-> > -> hareram wrote:
-> > -> >
-> > -> > Hi all
-> > -> >
-> > -> > iam trying to deploy loadbalance and failover
-> > -> >
-> > -> > My setup description
-> > -> > --Fedora Core 4
-> > -> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005
-> i686 i686 i386
-> > -> > GNU/Linux
-> > -> > --tc utility, iproute2-ss050314
-> > -> > --ip utility, iproute2-ss050314
-> > -> > --iptables v1.3.0
-> > ->
-> > -> You say nothing about Julian's patch, so I assume you did
-> not patch your
-> > -> kernel.  You must do that.
-> > -> http://www.ssi.bg/~ja/
-> > ->
-> > -> http://www.geocities.com/mctiew/ffw/dual.htm
-> > ->
-> > -> I'm not sure this is still a good link
-> > ->
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> > -> so here is an old copy
-> > -> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
-> > -> --
-> > -> gypsy
-> > -> ___
-> > -> LARTC mailing list
-> > -> LARTC@mailman.ds9a.nl
-> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> > ___
-> > LARTC mailing list
-> > LARTC@mailman.ds9a.nl
-> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc