[LARTC] Now to make only Traffic Priority
Hi to everybody.

I read some info and documentation, but I still can't find how to make this simple setup. I just want to prioritize certain traffic without shaping it. For example:

SSH and RDP first priority
Mail second priority
WEB and FTP third
And everything else last priority.

What would be the simplest and best way to achieve this? I will appreciate any help.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] PRIO and u32 matching problem
Hi to everybody,

I'm trying to use the PRIO qdisc to prioritize traffic, but I have a strange problem; maybe I'm missing something. First I add the root qdisc like this:

tc qdisc add dev eth0 root handle 1: prio

That's fine. After this I try to match traffic by the TOS field, but I get an "invalid match" error:

tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
    match ip tos 0x10 0xff \
    match ip tos 0x12 0xff \
    match ip tos 0x14 0xff \
    match ip tos 0x16 0xff \
    flowid 1:1

If I use it with only one match, it works, like this:

tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
    match ip tos 0x10 0xff \
    flowid 1:1

I match traffic by type of TOS and put it into different classes, but when I get the statistics of the classes there is no data. What is wrong? Here is the example:

# tc -s -d qdisc show
qdisc prio 1: dev eth0 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 30140564 bytes 42329 pkts (dropped 0, overlimits 0)
qdisc prio 1: dev eth1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 2765825 bytes 29850 pkts (dropped 0, overlimits 0)

~# tc -s -d class show dev eth0
class prio 1:1 parent 1:
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
class prio 1:2 parent 1:
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
class prio 1:3 parent 1:
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

tc -s -d filter show dev eth0
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 (rule hit 45901 success 3595)
  match 0010/00ff at 0 (success 3595 )
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:1 (rule hit 42306 success 0)
  match 0012/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:1 (rule hit 42306 success 0)
  match 0014/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:1 (rule hit 42306 success 0)
  match 0016/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2 (rule hit 42306 success 17877)
  match /00ff at 0 (success 17877 )
filter parent 1: protocol ip pref 2 u32 fh 801::801 order 2049 key ht 801 bkt 0 flowid 1:2 (rule hit 24429 success 0)
  match 0004/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::802 order 2050 key ht 801 bkt 0 flowid 1:2 (rule hit 24427 success 0)
  match 0006/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::803 order 2051 key ht 801 bkt 0 flowid 1:2 (rule hit 24426 success 0)
  match 0018/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::804 order 2052 key ht 801 bkt 0 flowid 1:2 (rule hit 24424 success 0)
  match 001a/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::805 order 2053 key ht 801 bkt 0 flowid 1:2 (rule hit 24424 success 0)
  match 001c/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::806 order 2054 key ht 801 bkt 0 flowid 1:2 (rule hit 24424 success 0)
  match 001e/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 3 u32
filter parent 1: protocol ip pref 3 u32 fh 802: ht divisor 1
filter parent 1: protocol ip pref 3 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0)
  match 0002/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 3 u32 fh 802::801 order 2049 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0)
  match 0008/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 3 u32 fh 802::802 order 2050 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0)
  match 000a/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 3 u32 fh 802::803 order 2051 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0)
  match 000c/00ff at 0 (success 0 )
filter parent 1: protocol ip pref 3 u32 fh 802::804 order 2052 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0)
  match 000e/00ff at 0 (success 0 )
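Added example, not part of the original posts: a dry-run generator for the PRIO setups asked about in the two messages above (priority by service without shaping, and classification by several TOS values). Selectors inside a single u32 filter are ANDed, so each alternative value gets its own filter. The function names, the four-band layout, the priomap and the port numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original posts. Dry run: it only prints tc
# commands; pipe the output to "sh" as root to apply them.
DEV=${DEV:-eth0}   # egress interface, as in the posts

# emit_filters BAND PREF SELECTOR MASK VALUE...
# Selectors inside one u32 filter are ANDed, so alternatives (OR) need one
# filter per value, all pointing at the same band.
emit_filters() {
    band=$1 pref=$2 sel=$3 mask=$4
    shift 4
    for v in "$@"; do
        case $v in
            ''|*[!0-9a-fx]*) echo "bad value: $v" >&2; return 1 ;;
        esac
        echo "tc filter add dev $DEV parent 1:0 prio $pref protocol ip u32" \
             "match ip $sel $v $mask flowid 1:$band"
    done
}

# Layout asked for in the first post. Port numbers are assumptions
# (the well-known ports of each service).
emit_port_prio() {
    # Four bands; the priomap sends unclassified traffic to the last one.
    echo "tc qdisc add dev $DEV root handle 1: prio bands 4" \
         "priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3"
    emit_filters 1 1 dport 0xffff 22 3389 || return 1   # SSH, RDP
    emit_filters 2 2 dport 0xffff 25 110  || return 1   # mail: SMTP, POP3
    emit_filters 3 3 dport 0xffff 21 80   || return 1   # FTP control, web
}

# The four TOS values of the second post, one filter each.
emit_tos_band1() {
    emit_filters 1 1 tos 0xff 0x10 0x12 0x14 0x16
}

emit_port_prio
emit_tos_band1
```

PRIO only reorders packets that queue on this interface, so the effect shows up when the interface itself is the point where traffic backs up.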
Re: [LARTC] Guarantee ICMP respond time ?
Hi Robin,

I didn't want to fake ICMP echo_reply. I forgot to mention that in this test I'm pinging my gateway, to be sure that the ping response is not bigger for some other reasons. I find that the ping response sometimes gets bigger by about 10 ms, and sometimes it doubles or even more, but most of the time it is roughly constant. Here is some data, if you find it interesting.

With shaper enabled:

64 octets from 213.91.166.1: icmp_seq=22 ttl=254 time=30.9 ms
64 octets from 213.91.166.1: icmp_seq=23 ttl=254 time=40.9 ms
64 octets from 213.91.166.1: icmp_seq=24 ttl=254 time=14.3 ms
64 octets from 213.91.166.1: icmp_seq=25 ttl=254 time=14.4 ms
64 octets from 213.91.166.1: icmp_seq=26 ttl=254 time=34.2 ms
64 octets from 213.91.166.1: icmp_seq=27 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=28 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=29 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=30 ttl=254 time=31.1 ms
64 octets from 213.91.166.1: icmp_seq=31 ttl=254 time=14.3 ms
64 octets from 213.91.166.1: icmp_seq=32 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=33 ttl=254 time=130.9 ms

Without shaper enabled:

64 octets from 213.91.166.1: icmp_seq=10 ttl=254 time=517.2 ms
64 octets from 213.91.166.1: icmp_seq=11 ttl=254 time=545.4 ms
64 octets from 213.91.166.1: icmp_seq=12 ttl=254 time=573.8 ms
64 octets from 213.91.166.1: icmp_seq=13 ttl=254 time=628.6 ms
64 octets from 213.91.166.1: icmp_seq=14 ttl=254 time=635.3 ms
64 octets from 213.91.166.1: icmp_seq=15 ttl=254 time=666.0 ms
64 octets from 213.91.166.1: icmp_seq=16 ttl=254 time=694.3 ms
64 octets from 213.91.166.1: icmp_seq=17 ttl=254 time=718.1 ms
64 octets from 213.91.166.1: icmp_seq=18 ttl=254 time=746.2 ms
64 octets from 213.91.166.1: icmp_seq=19 ttl=254 time=749.8 ms
64 octets from 213.91.166.1: icmp_seq=20 ttl=254 time=778.1 ms

Hammond, Robin-David%KB3IEN wrote:

Well, if you want the line to look less congested to a casual observer you can fake the ICMP echo_reply. (Best know which hosts are in fact on-line first.) Faking the reply does not preclude actually sending the echo request, but allowing a duplicate (real) reply might look weird...

On Tue, 14 Feb 2006, Stanislav Nedelchev wrote:

Date: Tue, 14 Feb 2006 22:35:40 +0200
From: Stanislav Nedelchev [EMAIL PROTECTED]
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Guarantee ICMP respond time ?

Hello to all people there.

Can I guarantee ICMP response time no matter how loaded the internet line is? I have a typical NATed environment like:

External IP |linux router| LAN - 192.168.0.0/24

I have an example setup with IMQ, but is it possible to do this also if I attach HTB to eth0 and eth1, for example? If I start the shaper, ping is better than without the shaper, but it's not guaranteed; I mean the response time is not constant. Maybe I'm missing something. Is it possible with HTB or with something else like CBQ? Here is my example setup:

echo Loading Traffic Shaper IMQ0 Upload
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 2: htb default 333 r2q 1
tc class add dev imq0 parent 2: classid 2:2 htb rate 192kbit
#ICMP
tc class add dev imq0 parent 2:2 classid 2:30 htb rate 32kbit prio 0
tc filter add dev imq0 parent 2:0 protocol ip handle 5 fw classid 2:30
tc qdisc add dev imq0 parent 2:30 handle 30: sfq perturb 1
tc class add dev imq0 parent 2:2 classid 2:24 htb rate 96kbit ceil 160kbit prio 1
tc filter add dev imq0 parent 2:0 protocol ip handle 1 fw classid 2:24
tc qdisc add dev imq0 parent 2:24 handle 24: sfq perturb 10
tc class add dev imq0 parent 2:2 classid 2:26 htb rate 32kbit ceil 128kbit prio 3
tc filter add dev imq0 parent 2:0 protocol ip handle 2 fw classid 2:26
#tc qdisc add dev imq0 parent 2:26 handle 26: sfq perturb 10
tc class add dev imq0 parent 2:2 classid 2:28 htb rate 16kbit ceil 64kbit prio 5
tc filter add dev imq0 parent 2:0 protocol ip handle 3 fw classid 2:28
#tc qdisc add dev imq0 parent 2:28 handle 28: sfq perturb 10
tc class add dev imq0 parent 2:2 classid 2:333 htb rate 16kbit ceil 128kbit prio 7
tc qdisc add dev imq0 parent 2:333 handle 333: sfq perturb 10
echo Done
#-
#-
echo Loading Traffic Shaper imq1 Upload
tc qdisc del dev imq1 root
tc qdisc add dev imq1 root handle 2: htb default 333 r2q 1
tc class add dev imq1 parent 2: classid 2:2 htb rate 192kbit
#ICMP
tc class add dev imq1 parent 2:2 classid 2:30 htb rate 32kbit prio 0
tc filter add dev imq1 parent 2:0 protocol ip handle 5 fw classid 2:30
tc qdisc add dev imq1 parent 2:30 handle 30: sfq perturb 1
tc class add dev imq1 parent 2:2 classid 2:24 htb rate 96kbit ceil 160kbit prio 1
tc filter add dev imq1 parent 2:0 protocol ip handle 1 fw classid 2:24
tc qdisc add dev imq1 parent 2:24 handle 24: sfq perturb 10
tc class add
[LARTC] Two internet lines and squid problem.
I have 2 internet connections and I'm trying to use squid as a transparent proxy, but every time squid uses the first internet line, and I want it to use the second internet line. I have these settings, and without squid it's working. I have the default route on the first internet connection.

iptables -t nat -I POSTROUTING -o eth2 -p tcp --dport 80 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j SNAT --to 217.10.248.135
/sbin/ip route add default via 217.10.248.135 dev eth2 table natips
/sbin/ip rule add fwmark 66 table natips
iptables -t mangle -I PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 66
iptables -t mangle -A FORWARD -i eth1 -p tcp --dport 80 -j MARK --set-mark 66

I tried to solve the problem by moving squid to another computer, and I added additional rules like:

/sbin/ip route add default via 217.10.248.135 dev eth2 table natips
/sbin/ip route add default via 192.168.0.11 dev eth1 table squid
/sbin/ip route flush cache
/sbin/ip rule add fwmark 67 table squid
/sbin/ip rule add fwmark 66 table natips
iptables -t mangle -I PREROUTING -i eth1 -p tcp -s 192.168.0.11 --dport 80 -j MARK --set-mark 66
iptables -t mangle -I PREROUTING -i eth1 -p tcp -d ! 192.168.0.11 --dport 80 -j MARK --set-mark 67
iptables -t mangle -A FOWARD -i eth1 -s 192.168.0.11 -p tcp --dport 80 -j MARK --set-mark 66
iptables -t mangle -A FORWARD -i eth1 -p tcp -s ! 192.168.0.11 --dport 80 -j MARK --set-mark 67
iptables -t nat -I POSTROUTING -o eth2 -p tcp --dport 80 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j SNAT --to 217.10.248.135

In this case web traffic is working, but pages that use SSL, like gmail.com, are not working. Can anybody help me to use squid as a transparent proxy with 2 internet connections and to use the second one?

Thanks in advance.
[LARTC] Routing Mail traffic problem !
Ext1 - First Internet Line - eth0
Ext2 - Second Internet line - eth2
LAN - Local Area Network - eth1

Other traffic - Ext1 ---+---+--- Ext2 ---Web goes Here
eth0 | |eth2
+---+---+
| ROUTER|
++--+---+
|eth1
192.168.0.0/24 -+
|
192.168.0.1/24--- - Gateway
|
192.168.0.2/24--- - Mail.Mail.org

The problem is that I can't check e-mails if the server name in the e-mail client is mail.mail.org; I can check e-mail only if the server address is 192.168.0.2.

I have:

iptables -t mangle -I PREROUTING -i eth1 -s 192.168.0.0/24 -d mail.mail.org -p tcp --dport 110 -j MARK --set-mark 67
iptables -t mangle -I PREROUTING -i eth1 -s 192.168.0.0/24 -d mail.mail.org -p tcp --dport 25 -j MARK --set-mark 67
/sbin/ip route add 192.168.0.0/24 dev eth1 table natips
/sbin/ip route add 127.0.0.0/8 dev lo scope link table natips
/sbin/ip route add default via 192.168.0.2 dev eth1 table natips
/sbin/ip route flush cache
/sbin/ip rule add fwmark 67 table mail

But it's not working.

[EMAIL PROTECTED]:/usr/src/linux# ip rule list
0: from all lookup local
32764: from all fwmark 0x43 lookup mail
32765: from all fwmark 0x42 lookup natips
32766: from all lookup main
32767: from all lookup default
[EMAIL PROTECTED]:/usr/src/linux#
[EMAIL PROTECTED]:/usr/src/linux# ip route list
192.168.0.2 dev eth1 scope link
213.91.108.248/29 dev eth0 proto kernel scope link src 213.91.108.250
213.91.108.248/29 dev ipsec0 proto kernel scope link src 213.91.108.250
217.30.248.0/24 dev eth2 proto kernel scope link src 217.30.248.135
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
192.168.0.0/16 via 213.91.208.249 dev ipsec0
127.0.0.0/8 dev lo scope link
default via 213.91.108.249 dev eth0 metric 1
default via 217.30.248.1 dev eth2 metric 2

Any help is very appreciated.
[LARTC] 2 internet connection problem :(
-- -| external ip eth0 | -- -- | |--- | ---| Internal IP eth1| -- | |-- -| external Ip eth2 | -- --

I want to put web and FTP traffic on eth2 and all other traffic on eth0. Is it possible? Can anybody help me to do that? Here is my config:

iptables -t nat -A POSTROUTING -o eth2 -s 192.168.0.0/0 -d ! 192.168.0.0/16 -p tcp --dport 80 -j SNAT --Extermal IP on Eth2
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/0 -d ! 192.168.0.0/16 -j SNAT --External IP on Eth0

213.32.208.248  0.0.0.0         255.255.255.248 U   0 0 0 eth0
213.32.208.248  0.0.0.0         255.255.255.248 U   0 0 0 ipsec0
192.168.5.0     213.32.208.249  255.255.255.0   UG  0 0 0 ipsec0
217.10.130.0    0.0.0.0         255.255.255.0   U   0 0 0 eth2
192.168.128.0   213.32.208.249  255.255.255.0   UG  0 0 0 ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U   0 0 0 eth1
192.168.32.0    213.32.208.249  255.255.240.0   UG  0 0 0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U   0 0 0 lo
0.0.0.0         213.32.208.249  0.0.0.0         UG  1 0 0 eth0
0.0.0.0         217.10.130.1    0.0.0.0         UG  2 0 0 eth2

Thanks in advance.