[LARTC] UDP port 1194 marking/routing problem

2005-04-06 Thread Remus




Hi folks,

I have OpenVPN (respect to its developers) running on my FW.
It has two external NICs, and on the internal one everything is fine, except
I want OpenVPN (UDP port 1194) not going via the default route/network interface.

I use such commands:

iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
ip rule add fwmark 0x990 table openvpn1
ip route add default via $P2 dev eth0 table openvpn1

eth0 is the FW's non-default external NIC.

I have very similar iptables rules in use for my email server (TCP ports) etc.
Everything works fine.
What am I doing wrong with marking/routing the UDP port?

Regards

Remus


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem

2005-04-06 Thread Remus
Hi Wang,
We specially got two Internet connections, one is only for the OpenVPN (it is
heavily used) and the second for everything else.
I will give the PREROUTING stuff a try right away.

What do you mean: "But I don't think you need to use MARK to do policy routing.
It's a little overkill."

Do you have another suggestion other than iptables/MARK?
Regards
Remus
- Original Message - 
From: Wang Jian [EMAIL PROTECTED]
To: lartc@mailman.ds9a.nl
Cc: Remus [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 12:23 PM
Subject: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem


Hi Remus,
It seems that
iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
   --set-mark 0x990
will not take effect. (didn't you typo -A as -D?)
POSTROUTING is looked up after the routing decision is made. Because the
default route is dev eth1, the output device is eth1, so -o eth0 will not
match.
You should use
iptables -t mangle -A PREROUTING -p udp --destination your openvpn \
   peer --dport 1194 -j MARK 
But I don't think you need to use MARK to do policy routing. It's a
little overkill.
Why not simply route all traffic to your openvpn peer via device eth0?
On Wed, 6 Apr 2005 11:51:16 +0100, Remus [EMAIL PROTECTED] wrote:
==SNIP==

--
 lark



Re: [LARTC] UDP port 1194 marking/routing problem

2005-04-06 Thread Remus
Wang,
That solution does not suit me:
ip route add default via $DEFAULTGW dev eth1
ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
Because only UDP 1194 has to be routed via eth0 to the OpenVPN server IP;
everything else to the same IP has to go via eth1.

Any ideas?
Regards
Remus
- Original Message - 
From: Wang Jian [EMAIL PROTECTED]
To: Remus [EMAIL PROTECTED]
Cc: lartc@mailman.ds9a.nl; [EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 1:38 PM
Subject: Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing 
problem


Hi Remus,
I mean: don't use policy routing, because you can use a much simpler
solution.
Example:
ip route add default via $DEFAULTGW dev eth1
ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
The second sends all your traffic to IP xxx.xxx.xxx.xxx via eth0. When
your box acts as your intranet's gateway, you can SNAT or MASQUERADE on
eth0, like
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For your openvpn configuration, you can either bind openvpn to eth0's IP,
or let the system choose the IP, in most cases that of the output interface.
On Wed, 6 Apr 2005 12:54:53 +0100, Remus [EMAIL PROTECTED] wrote:
==SNIP==

--
 lark



[LARTC] iproute2 compilation problem

2005-02-02 Thread Remus
Hi folks,
I just tried to compile the latest (current) iproute2 and got these errors:
arpd.c:19:20: db_185.h: No such file or directory
arpd.c:42: error: parse error before '*' token
arpd.c:42: warning: type defaults to `int' in declaration of `dbase'
arpd.c:42: warning: data definition has no type or storage class
arpd.c: In function `do_one_request':
arpd.c:305: error: `DBT' undeclared (first use in this function)
arpd.c:305: error: (Each undeclared identifier is reported only once
arpd.c:305: error: for each function it appears in.)
arpd.c:305: error: parse error before dbkey
arpd.c:309: error: request for member `sync' in something not a structure or union
arpd.c:339: error: `dbkey' undeclared (first use in this function)
arpd.c:342: error: request for member `get' in something not a structure or union
arpd.c:342: error: `dbdat' undeclared (first use in this function)
arpd.c:366: error: request for member `del' in something not a structure or union
arpd.c:392: error: request for member `put' in something not a structure or union
arpd.c:410: error: request for member `put' in something not a structure or union
arpd.c:422: error: request for member `put' in something not a structure or union
arpd.c: In function `get_arp_pkt':
arpd.c:486: error: `DBT' undeclared (first use in this function)
arpd.c:486: error: parse error before dbkey
arpd.c:517: error: `dbkey' undeclared (first use in this function)
arpd.c:520: error: request for member `get' in something not a structure or union
arpd.c:520: error: `dbdat' undeclared (first use in this function)
arpd.c:530: error: request for member `put' in something not a structure or union
arpd.c: In function `main':
arpd.c:670: warning: implicit declaration of function `dbopen'
arpd.c:670: error: `DB_HASH' undeclared (first use in this function)
arpd.c:670: warning: assignment makes pointer from integer without a cast
arpd.c:680: error: `DBT' undeclared (first use in this function)
arpd.c:680: error: parse error before dbkey
arpd.c:682: error: `dbkey' undeclared (first use in this function)
arpd.c:711: error: `dbdat' undeclared (first use in this function)
arpd.c:716: error: request for member `put' in something not a structure or union
arpd.c:721: error: request for member `sync' in something not a structure or union
arpd.c:727: error: parse error before dbkey
arpd.c:729: error: request for member `seq' in something not a structure or union
arpd.c:729: error: `R_NEXT' undeclared (first use in this function)
arpd.c:821: error: request for member `sync' in something not a structure or union
arpd.c:840: error: request for member `close' in something not a structure or union
arpd.c:844: error: request for member `close' in something not a structure or union
make[1]: *** [arpd] Error 1
make[1]: Leaving directory `/home/iproute2/new/Source/Orig/iproute2-050124/misc'
make: *** [all] Error 2
My kernel is 2.6.10 on Slackware 10 (current).
Any ideas?
Regards
Remus



Re: [LARTC] iproute2 compilation problem

2005-02-02 Thread Remus
Gypsy,
I was missing only db31-3-1-17-i486-1, but after installing it I still
get the same errors.
Regards
Remus

Remus wrote:
Hi folks,
I just tried to compile the latest (current) iproute2 and got these 
errors:

arpd.c:19:20: db_185.h: No such file or directory
==SNIP==
make[1]: *** [arpd] Error 1
make[1]: Leaving directory `/home/iproute2/new/Source/Orig/iproute2-050124/misc'
make: *** [all] Error 2
My kernel 2.6.10 on Slackware 10 (current)
Any ideas?
Regards
Remus
Install from slackware/l the db3-3.11-i486-4 db31-3-1-17-i486-1 and
db4-4.2.52-i486-2 libraries.
gypsy




Re: [LARTC] iproute2 compilation problem

2005-02-02 Thread Remus
That has worked for me.
Thanks
Remus
Just edit your Makefile where you find a line like this:
--- cut here ---
# Path to db_185.h include
DBM_INCLUDE:=/usr/include
--- and here ---
with:
#Path to db_185.h include
DBM_INCLUDE:=/usr/include/db4/db_185.h
Compile and you'll be fine :)



[LARTC] Traffic shaping and tun devices

2004-10-13 Thread Remus



Hi folks,

I have three network cards on my Slackware box, and eth0 and eth1 are for two Internet connections.
They have imq0 and imq1. All traffic shaping works fine.
Internal eth2 does no traffic shaping.

But recently I have put up two OpenVPN tunnels (tun devices) and both work via eth0.

So my question is: how to shape the traffic on these tun0 and tun1 devices?

Thanks

Remus




[LARTC] Problem with VPN routing from internal network

2004-10-08 Thread Remus



Hi folks,

I have two firewalls (Slackware current) in different cities connected via OpenVPN.
I can ping the network behind the server firewall from the client firewall server.
But how to route/iptable network traffic from the network behind the client firewall
to see the network behind the server firewall?

Thank you

Remus



Re: [LARTC] Problem with VPN routing from internal network + tun0 and traffic shaping

2004-10-08 Thread Remus
You are correct Peter.
But that is not enough to have access from the client local LAN to the server local LAN.
The line below helped me to fix it:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.0.0.2

So there is one more problem: how to access the client's local net from the server local net?
Any ideas?

And how to shape traffic going via tun0?
At the moment I have htb on eth0 and imq0 to shape in and out traffic.
But what about VPN traffic which goes via tun0?
Thanks
Remus
- Original Message - 
From: Peter Huetmannsberger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 08, 2004 1:44 PM
Subject: Re: [LARTC] Problem with VPN routing from internal network


Hi!
Correct me if I am wrong, what it looks like to me is this:

192.168.1.0/24    10.0.0.1             10.0.0.2    192.168.2.0/24
server net ------ serverfw -- openvpn -- clientfw ------ client net

On the serverfw you need a static route to the client net:
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
On the client net the other way round:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1
Firewall must allow all traffic through tun+
And of course must allow traffic coming from the opposite network.
Hope this helps,
.peter


On Fri, 8 Oct 2004, Remus wrote:


==SNIP==


[LARTC] HFSC usage

2004-02-12 Thread Remus



Hi folks,

Is anybody using HFSC (http://trash.net/~kaber/hfsc/)?

I would like to get script examples if possible, in a more or less clear format.

There is a new IMQ port for 2.4 and 2.6 kernels (http://pupa.da.ru/imq/), just a module,
no need to patch the kernel or iptables, and it seems to be much easier to use hfsc than htb.

Thanks in advance

Remus


Re: [LARTC] HFSC usage

2004-02-12 Thread Remus
Hi Andres,

Why do you need egress for the IMQ?

The kernel already has egress; the problem is only with ingress, and that is why we
need IMQ.
As I wrote in the email, you don't have to patch the kernel or iptables.
Just use PREROUTING mangle to mark with iptables.

Regards

Remus

- Original Message - 
From: ThE LinuX_KiD [EMAIL PROTECTED]
To: Remus [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, February 12, 2004 2:57 PM
Subject: RE: [LARTC] HFSC usage



 Hi,

 In the README it seems that your patches don't work with egress,

 Please, tell me if you mean that the patch works
 or not with:

 iptables -t mangle -A POSTROUTING . -j IMQ  ???

 thank you.
 Andres




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Remus
 Sent: Thursday, 12 February 2004 10:26 a.m.
 To: [EMAIL PROTECTED]
 Subject: [LARTC] HFSC usage


==SNIP==


Re: [LARTC] IMQ Stability

2004-01-26 Thread Remus
Hi Roy,

Excellent Roy!!!
Good job.

Where can we get your IMQ port to test?


Best Regards

Remus



- Original Message - 
From: Roy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 25, 2004 3:49 AM
Subject: Re: [LARTC] IMQ Stability


 Internet (eth0) - ppp0 - ppp1 - LAN (eth1) 10.0.0.0/8


 this way doesn't seem excellent because it still lacks some functionality,
 and what about using LO or a dummy type interface instead of ppp?

 the new imq driver that I am developing will have unlimited possibilities.
 it will be a fake interface which passes all ip traffic without exception, no
 matter which direction, destination and so on;
 even locally generated and received traffic should pass it.
 I removed the iptables module so there is no need to configure it, just everything is
 caught.
 so you will be able to shape in + out in one

 also I am thinking about the chaining functionality:
 is there any need to make a chain of imq devices? (they will all get the
 same traffic)
 you will be able to use a few shapers then but it will add latency.

 I almost finished my driver, but unfortunately there is no way to avoid
 patching the kernel.

 I need to export the ip_finish_output2 and ip_local_deliver_finish functions but
 don't know how to do that, and where is the best place.






[LARTC] Traffic shaping and IP aliases

2004-01-23 Thread Remus



Hi folks,

I have traffic shaping (HTB and IMQ) on my eth0 (of course no problems with it).
And now I would like to add some extra IPs on it (ifconfig eth0:0 xxx.xxx.xxx.xxx and
ifconfig eth0:1 xxx.xxx.xxx.xxx).

So do I have to set up new tc rules (tc qdisc add dev eth0:0 root handle 1: htb default 20 r2q 5 ...)
for eth0:0 and eth0:1, or can there still be only tc rules for eth0?

Thanks in advance

Remus






Re: [LARTC] 2.6 Test Kernel + ESFQ+IMQ patch

2003-12-09 Thread Remus
Well done guys.
Thanks a lot.

I'm going to test it this weekend.

Cheers

Remus


- Original Message - 
From: Chijioke Kalu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, December 06, 2003 11:15 AM
Subject: [LARTC] 2.6 Test Kernel + ESFQ+IMQ patch


 Hi Guys,

 Using the 2.6.test kernel?

 Alex and I have done some more tests and this is the patch incase ur using
 jdg-qos script

 http://www.digriz.org.uk/jdg-qos-script/index.html#qos-2.6

 Thanks

 K



Re: [LARTC] tc and kernel 2.6.0

2003-11-27 Thread Remus
Hi,

I have used the tc which comes with Slackware Linux with kernel 2.6.0.x without
any problems.
And I switched to the tc patched by Patrick McHardy with hfsc support and
again it works without any problems.

Remus

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 2:12 PM
Subject: [LARTC] tc and kernel 2.6.0


 I successfully used the latest tc tool (version 3.12) with a linux 2.4
 kernel. Now I switched to 2.6.0 and had the problem that I couldn't define
 any queues with tc. Do I need to download a newer version or is there
 anything like a patch?

 Thanks, Seb


[LARTC] IMQ and 2.6 kernel

2003-09-03 Thread Remus
Hi folks,

I would like to know if IMQ (http://trash.net/~kaber/imq/) is going to be
ported to the 2.6 kernel, or is there something else?

Thanks

Remus




[LARTC] Port forward and two ISP

2003-08-27 Thread Remus



Hi folks,

I have a question regarding port forwarding via a different route.

Ok, my configuration is like this:

I have two Internet lines.
1 is for the email server
2 (default) is for web browsing.
Linux box (firewall/router)
Local network 192.168.0.x

I did IP routing for a particular local IP (email server) via the non-default route,
everything works fine.

But how to route some IP port via line 1 for an IP which already has the default route via line 2?
For example for the IP 192.168.0.20: the TCP ports 80,443 go via the default route (line 2)
and the TCP port 110 goes via the second route (line 1).

Any ideas?

Thanks in advance

Remus
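The fix Wang describes in the UDP 1194 thread above (set the mark before the routing decision, then pick a table by fwmark) answers this per-port question as well. The script below is an added example, not code from the list or its posters: it emits the rule set for both cases (the firewall's own OpenVPN in mangle OUTPUT, one LAN host's POP3 in mangle PREROUTING), adds the from-address rule that keeps replies on the same uplink, and checks what it generated. The interface names, gateway and host addresses, mark and table name are placeholders.

```shell
#!/bin/sh
# Added example, not from the list posts: route one class of traffic over
# the non-default uplink by fwmark, as asked for OpenVPN (UDP 1194) on the
# firewall itself and for one LAN host's POP3 in the port-forward post.
# Interface names, the mark, the table name and all addresses are assumed
# placeholders (TEST-NET-3 / RFC 1918).
#
# Wang's point: mangle POSTROUTING runs after the routing decision, so
# "-o eth0" never matches while the default route uses eth1. The mark must
# be set before routing: mangle OUTPUT for the firewall's own OpenVPN
# packets, mangle PREROUTING for packets forwarded from the LAN. The
# kernel re-routes marked packets and "ip rule ... fwmark" then selects
# the alternate table.

UPLINK=${UPLINK:-eth0}                   # the non-default uplink
UPLINK_GW=${UPLINK_GW:-203.0.113.1}      # its gateway (placeholder)
UPLINK_IP=${UPLINK_IP:-203.0.113.10}     # firewall's address on $UPLINK
MARK=${MARK:-0x990}
TABLE=${TABLE:-openvpn1}                 # name from /etc/iproute2/rt_tables, or a number
LAN_HOST=${LAN_HOST:-192.168.0.20}       # LAN host whose POP3 should use $UPLINK

# run: execute the command, or only print it when DRY_RUN is set, so the
# rule set can be reviewed (and checked) without root or a live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

uplink_policy_routing() {
    # 1. Mark before routing. OUTPUT: the firewall's own OpenVPN traffic.
    run iptables -t mangle -A OUTPUT -p udp --dport 1194 -j MARK --set-mark "$MARK"
    #    PREROUTING: one LAN host's POP3; its ports 80/443 keep the default route.
    run iptables -t mangle -A PREROUTING -s "$LAN_HOST" -p tcp --dport 110 -j MARK --set-mark "$MARK"

    # 2. Alternate table for marked packets, and for anything sourced from
    #    the uplink's own address (replies to connections that arrived on
    #    it; this also keeps rp_filter from dropping packets received on
    #    $UPLINK, whose reverse path would otherwise point at the default).
    run ip route add default via "$UPLINK_GW" dev "$UPLINK" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip rule add from "$UPLINK_IP" table "$TABLE"
    run ip route flush cache

    # 3. Source address: the kernel chose it before the mark re-routed the
    #    packet (eth1's address for the firewall's own packets, a private
    #    one for the LAN host). Rewrite it on the way out of $UPLINK; for
    #    OpenVPN itself, "local $UPLINK_IP" in its config avoids the NAT.
    run iptables -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
}

# check_ruleset: marks are set only in OUTPUT/PREROUTING (never
# POSTROUTING), and the fwmark rule and the table's route use the same
# table name.
check_ruleset() {
    rules=$(DRY_RUN=1; uplink_policy_routing)
    marks_ok=$(printf '%s\n' "$rules" | grep -c -E -- '-t mangle -A (OUTPUT|PREROUTING) .* -j MARK' || true)
    marks_bad=$(printf '%s\n' "$rules" | grep -c -- '-t mangle -A POSTROUTING' || true)
    [ "$marks_ok" -eq 2 ] && [ "$marks_bad" -eq 0 ] \
        && printf '%s\n' "$rules" | grep -q -- "^ip rule add fwmark $MARK table $TABLE\$" \
        && printf '%s\n' "$rules" | grep -q -- "dev $UPLINK table $TABLE\$"
}

# Print the rule set by default; "apply" (as root) executes it.
if [ "${1:-}" = apply ]; then
    uplink_policy_routing
else
    (DRY_RUN=1; uplink_policy_routing)
fi
```

Run without arguments it only prints the commands for review; `apply` as root installs them.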




[LARTC] HTB errors

2003-03-27 Thread Remus
Hi folks,

I get these shrill messages in my /var/log/messages and on terminal 1

Mar 27 16:37:31 webgate kernel: HTB init, kernel part version 3.7
Mar 27 16:37:31 webgate kernel: HTB: quantum of class 10022 is small.
Consider r2q change.6HTB init, kernel part version 3.7
Mar 27 16:37:32 webgate kernel: HTB: quantum of class 10022 is small.
Consider r2q change.6HTB init, kernel part version 3.7
Mar 27 16:37:32 webgate kernel: HTB: quantum of class 10020 is small.
Consider r2q change.4HTB: quantum of class 10021 is small. C
onsider r2q change.4HTB: quantum of class 10022 is small. Consider r2q
change.nf_hook: Verdict = QUEUE.
Mar 27 16:37:32 webgate kernel: nf_hook: Verdict = QUEUE.

How may I increase the quantum for the class that is the reason for these
messages?

Thank you

Remus




Re: [LARTC] I need some help with u32 filter

2003-02-14 Thread Remus
Thanks very much Stef.
It works.

Best Regards

Remus

- Original Message - 
From: Stef Coene [EMAIL PROTECTED]
To: Remus [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 8:49 PM
Subject: Re: [LARTC] I need some help with u32 filter


  ##
  tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip sport 25 0xffff classid 1:20
  Is it enough to have only sport 25 on download link or I need the dport as well?
 You never told us what's redirected to the imq device.  But I suppose it's
 incoming traffic from the internet.  If you want to match mail coming from
 the internet to your smtp server, you need dport 25.  All traffic is sent
 to your smtp and that server is running on port 25.

  ##
  tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 25 0xffff classid 1:20
  tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 110 0xffff classid 1:20
  The same question on eth0 (upload link)
  Is it enough to have only sport 25 and 110 on upload link or I need the dport as well?
 You connect to port 25 and it's for traffic leaving the server, so you need
 sport 25.

 Stef




[LARTC] I need some help with u32 filter

2003-02-13 Thread Remus
Hello,

This is my ADSL connection:

         ADSL 512k/256k
               | eth0
      | Linux box aka fw |
               | eth1

The firewall has smtp and pop3 servers running (I have no spare PC for an email
server, but just for home use it is OK).

Could somebody check my script please, I'm a bit confused about ports 25 and 110
on eth0 and imq0.

tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1 htb default 10 r2q 100

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1 htb default 10 r2q 100

tc class add dev imq0 parent 1: classid 1:2 htb rate 500kbit burst 15k

tc class add dev imq0 parent 1:2 classid 1:10 htb rate 468kbit ceil 500Kbit burst 30k prio 0
tc qdisc add dev imq0 parent 1:10 handle 10 sfq perturb 10

tc class add dev imq0 parent 1:2 classid 1:20 htb rate 32Kbit ceil 400Kbit burst 15k prio 1
tc qdisc add dev imq0 parent 1:20 handle 20 sfq perturb 10

##
tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip sport 25 0xffff classid 1:20
Is it enough to have only sport 25 on download link or I need the dport as well?
##

tc class add dev eth0 parent 1: classid 1:2 htb rate 250kbit burst 15k

tc class add dev eth0 parent 1:2 classid 1:10 htb rate 218kbit ceil 250Kbit burst 30k prio 0
tc qdisc add dev eth0 parent 1:10 handle 10 sfq perturb 10

tc class add dev eth0 parent 1:2 classid 1:20 htb rate 32Kbit ceil 250Kbit burst 15k prio 1
tc qdisc add dev eth0 parent 1:20 handle 20 sfq perturb 10

##
tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 25 0xffff classid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 110 0xffff classid 1:20
The same question on eth0 (upload link)
Is it enough to have only sport 25 and 110 on upload link or I need the dport as well?
##

Thank you very much in advance

Remus




[LARTC] u32 filter rules

2003-02-12 Thread Remus
Hi folks,

Can I use, in the same parent but for different classes, u32 filter rules:
1) filtering by IP address (very low speed, only for the Internet)
2) filtering by port (smb, smtp and pop3) for the local connection

Thanks in advance

Remus





[LARTC] HTB classes, ceil and prio

2003-01-17 Thread Remus
Hello,

I'm looking for some recommendation on how to configure htb.
I have an ADSL 512k/256k connection at my home for 3 client PCs and one
Linux box as a firewall.

The network looks as usual:
ADSL connection (eth0) - | firewall | - (eth1) local network

I would like to divide the Internet connection like this:
Download eth0 (512K)
SSH/IPSec rate=256k, ceil=512k and prio=0 (it can be used from the local PC1
or PC2)
PC1 1.2.3.1 (local ip) rate=170k, ceil=512k and prio=1
PC2 1.2.3.2 (local ip) rate=170k, ceil=512k and prio=1
PC3 1.2.3.3 (local ip) rate=170k, ceil=512k and prio=1
SMTP server (exists on the firewall) rate=64k, ceil=128k and prio=2, or better 1

Do I understand right that if one of the PCs (PC1 or PC2) uses SSH/IPsec it gets speed
from 256k up to 512k if it is not in use?
The two other PCs and the SMTP server share 256k between them. Is that right?
What speed do they each get?

Upload eth0 (256k) htb/imq
SSH/IPSec rate=128k, ceil=256k and prio=0 (it can be used from the local PC1
or PC2)
PC1 1.2.3.1 (local ip) rate=80k, ceil=256k and prio=1
PC2 1.2.3.2 (local ip) rate=80k, ceil=256k and prio=1
PC3 1.2.3.3 (local ip) rate=80k, ceil=256k and prio=1
SMTP server (exists on the firewall) rate=64k, ceil=128k and prio=2, or better 1

If I'm not correct just correct me, please.
Is it enough to have only one class or more?

I know that running htb on the external eth, htb cannot see local ip addresses.
Can I mark them with iptables and use that with htb?
Or do I have to make htb rules on my local eth1 as well?

Thank you in advance for any help/ideas

Remus





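Two of the HTB questions in this archive can be checked before touching tc: the "quantum of class ... is small. Consider r2q change" warnings from the HTB errors post, and whether a plan like the one above can honour its rates at all. The script below is an added example, not from the list or its posters, that does both; the 1000..200000-byte quantum window and the rate/r2q formula are HTB's own, while the class ids and plan lines are constructed from the post above.

```shell
#!/bin/sh
# Added example, not from the list: check an HTB class plan before handing
# it to tc. Two questions from these threads are covered:
#  - "quantum of class X is small. Consider r2q change": HTB derives a
#    leaf's quantum as rate (bytes/s) / r2q and warns, then clamps, when
#    it falls below 1000 or above 200000 bytes; choose_r2q finds the r2q
#    that keeps every class inside that window, or reports that none does;
#  - whether the "HTB classes, ceil and prio" plan can honour its rates:
#    child rates must not sum to more than the parent and no ceil may
#    exceed it. Plan lines: "classid rate_kbit ceil_kbit prio" (constructed).

# htb_quantum rate_kbit r2q -> quantum in bytes, as HTB computes it
htb_quantum() {
    echo $(( $1 * 1000 / 8 / $2 ))
}

# quantum_status bytes -> small | big | ok (HTB's own thresholds)
quantum_status() {
    if [ "$1" -lt 1000 ]; then echo small
    elif [ "$1" -gt 200000 ]; then echo big
    else echo ok
    fi
}

# choose_r2q rate_kbit... -> largest r2q keeping all quanta in range;
# returns 1 when no single r2q can (set "quantum" per class instead).
choose_r2q() {
    min_b=; max_b=0
    for r in "$@"; do
        b=$((r * 1000 / 8))
        if [ -z "$min_b" ] || [ "$b" -lt "$min_b" ]; then min_b=$b; fi
        if [ "$b" -gt "$max_b" ]; then max_b=$b; fi
    done
    hi=$((min_b / 1000))                  # smallest class stays >= 1000 bytes
    lo=$(( (max_b + 199999) / 200000 ))   # largest class stays <= 200000 bytes
    if [ "$hi" -lt 1 ] || [ "$hi" -lt "$lo" ]; then return 1; fi
    echo "$hi"
}

# sum_rates rate_kbit... -> total guaranteed rate
sum_rates() {
    total=0
    for r in "$@"; do total=$((total + r)); done
    echo "$total"
}

# check_plan parent_kbit plan -> verdict lines; returns 1 if the rates
# over-subscribe the parent or any ceil exceeds it.
check_plan() {
    parent=$1; plan=$2; rates=; status=0
    while read -r classid rate ceil prio; do
        if [ -z "$classid" ]; then continue; fi
        rates="$rates $rate"
        if [ "$ceil" -gt "$parent" ]; then
            echo "$classid: ceil ${ceil}kbit exceeds parent ${parent}kbit"; status=1
        fi
    done <<EOF
$plan
EOF
    total=$(sum_rates $rates)
    if [ "$total" -gt "$parent" ]; then
        echo "rates sum to ${total}kbit > parent ${parent}kbit: guarantees cannot all be met"
        status=1
    else
        echo "rates sum to ${total}kbit of ${parent}kbit"
    fi
    if r2q=$(choose_r2q $rates); then
        echo "r2q $r2q keeps every quantum within 1000..200000 bytes"
    else
        echo "no single r2q fits all classes; set quantum per class"
    fi
    return $status
}

# Download direction as posted: 512kbit link, child rates total 830kbit.
DOWNLOAD_PLAN="1:10 256 512 0
1:11 170 512 1
1:12 170 512 1
1:13 170 512 1
1:14 64 128 2"
# The same proportions scaled so the guaranteed rates fit inside 512kbit.
SCALED_PLAN="1:10 158 512 0
1:11 105 512 1
1:12 105 512 1
1:13 105 512 1
1:14 39 128 2"

check_plan 512 "$DOWNLOAD_PLAN" || echo "(download plan rejected)"
check_plan 512 "$SCALED_PLAN"
```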



Re: [LARTC] Setup IMQ on kernel 2.4.20

2003-01-09 Thread Remus
Yes, no problem.

Just take a look at the attached files.

Regards

Remus

- Original Message - 
From: Koot, M. [EMAIL PROTECTED]
To: List LARTC [EMAIL PROTECTED]
Sent: Thursday, January 09, 2003 8:02 AM
Subject: [LARTC] Setup IMQ on kernel 2.4.20


 Hi,
 
 has someone set up IMQ successfully on kernel 2.4.20?
 If so, how did you do that?
 I only see the diff for kernel 2.4.19. Can I use that?
 
 
 Thanks,
 
 Martijn
 
You can successfully run iptables 1.2.7a with the patch from the IMQ homepage.
The thing you have to do is to replace the strings containing
NETFILTER_VERSION with 1.2.7a in libipt_IMQ.c and libip6t_IMQ.c.

How to patch iptables and the 2.4.xx kernel:

cd iptables-1.2.7a
patch -p1 < ./iptables-1.2.7a-imq.diff
chmod a+x extensions/.IMQ-test
chmod a+x extensions/.IMQ-test6

cd linux-2.4.20
patch -p1 < ./imq-2.4.19.diff

cd patch-o-matic-MMDD
patch -p1 < ./pom-imq.diff
KERNEL_DIR=/usr/src/linux-2.4.20 ./runme extra/IMQ.patch


You will have three new options:
Networking options ---> IP: Netfilter Configuration ---> IMQ target support
Networking options ---> IPv6: Netfilter Configuration ---> IMQ target support
Network device support ---> IMQ (intermediate queueing device) support

Choose at least one of the targets and the device itself.
Netfilter debugging should be turned off, otherwise you get lots of annoying messages.






[LARTC] about Linux router

2002-11-20 Thread Remus
Hi folks,

I got a new Internet connection (Wireless), and to have more than one
external IP I need a router.
I don't want a new Cisco or whoever router, I would like to do it on a Linux
box.
I prefer to use RedHat 7.3 for that; what do I have to install on that Linux
box (iptables, ip route, etc.)?
Two IPs will be for my FWs and one for the router (like a default gateway for my
FWs).

Thank you in advance

Remus




[LARTC] HTB configuration

2002-10-04 Thread Remus



Hi folks,

I'm new to HTB (CBQ too).

I want this scenario for my Internet connection:

local IP 1 has to have half the speed of the internet connection (for sending and receiving as well)
local IP 2 the other half of the internet speed (for sending and receiving as well)

So if one of IP 1 or 2 doesn't use the connection to the internet, the other gets full speed (like borrowing).

Sorry for my question but I really don't know how to do it.
I tried to read the HTB guide but cannot understand everything yet.

Many thanks in advance

Remus