Re: [LARTC] htb/iptables for ISP
plugthebox.net /dev/null wrote:

> Hello,
> This process kills my machine for 3-4 minutes until dumping all htb/sfq/iptables into files and running these files (remember that I almost have 1200 IPs, and each IP has 6 HTB+SFQ lines with 2 iptables).

Hi,

Both iptables and tc have a batch mode, and both support changing instead of deleting/creating.

Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] htb/iptables for ISP
Hello,

I'm working on a customized Linux firewall/router for a small/medium ISP (1200 users). We have almost 4 ranges of internal IPs and I want to limit each IP to a certain speed.

The problem is that I'm storing all info about the user, including IP and bandwidth rates, on a MySQL server, then dump all the htb/sfq lines to a file (which takes 3 minutes) and then I run these files. This process kills my machine for 3-4 minutes until dumping all htb/sfq/iptables into files and running these files (remember that I almost have 1200 IPs, and each IP has 6 HTB+SFQ lines with 2 iptables).

Is there another method more efficient than re-running my files every time I add/edit/del a user?

Sincerely,
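The batch-mode approach Peter's reply suggests, applied to the setup described in this question, as an added example (it is not code from either mail). It renders the per-user HTB+SFQ lines and the two iptables rules per IP into files that are loaded with one "tc -batch" and one "iptables-restore" run, and a rate edit becomes a "class change" for that user rather than a teardown of everything. Assumptions not stated in the thread: LAN device eth0, HTB root handle 1:, every user class under parent 1:1, a class minor id derived from the last two octets of the user's IP, per-user accounting rules in a filter chain named ISP_ACCT, and the three sample user records, which are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): render tc and iptables batch files
# from user records, so applying 1200 users is one "tc -batch" plus one
# "iptables-restore", and a single user edit is a "class change" instead of a
# delete-and-recreate of the whole ruleset.
# Assumptions not in the thread: LAN device eth0, HTB root handle 1:, every
# user class under parent 1:1, class minor id = third*256 + fourth octet of the
# IP, per-user accounting rules in a dedicated filter chain named ISP_ACCT.

DEV=${DEV:-eth0}

# Constructed sample records ("ip rate_kbit"), standing in for a MySQL dump.
USERS='192.168.1.2 256
192.168.1.3 512
192.168.2.10 128'

# Map an IP to a unique HTB minor id (hex). It is non-zero for every host in a
# /16 except the network address itself, which no user will have.
class_minor() {
    third=$(echo "$1" | cut -d. -f3)
    fourth=$(echo "$1" | cut -d. -f4)
    printf '%x' $(( $third * 256 + $fourth ))
}

# tc batch file: one line per tc invocation, without the leading "tc".
# $1 is "add" for the first deployment, "change" to update rates in place.
render_tc_batch() {
    verb=$1
    echo "$USERS" | while read -r ip rate; do
        [ -n "$ip" ] || continue
        minor=$(class_minor "$ip")
        echo "class $verb dev $DEV parent 1:1 classid 1:$minor htb rate ${rate}kbit"
        if [ "$verb" = add ]; then
            # SFQ under each class, and a u32 filter steering the user's traffic into it
            echo "qdisc add dev $DEV parent 1:$minor handle $minor: sfq perturb 10"
            echo "filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip dst $ip/32 flowid 1:$minor"
        fi
    done
}

# iptables-restore input: a per-user accounting chain (2 rules per IP). Loaded
# with --noflush, only this chain is replaced; the rest of the ruleset is untouched.
render_ipt_restore() {
    echo '*filter'
    echo ':ISP_ACCT - [0:0]'
    echo "$USERS" | while read -r ip rate; do
        [ -n "$ip" ] || continue
        echo "-A ISP_ACCT -d $ip/32"
        echo "-A ISP_ACCT -s $ip/32"
    done
    echo 'COMMIT'
}

# Render both files; load them only when DO_APPLY=1, so the script can be run
# anywhere just to inspect the output.
apply_batches() {
    dir=$(mktemp -d)
    render_tc_batch "$1" > "$dir/tc.batch"
    render_ipt_restore > "$dir/acct.rules"
    if [ "${DO_APPLY:-0}" = 1 ]; then
        tc -batch "$dir/tc.batch"
        iptables-restore --noflush < "$dir/acct.rules"
    else
        echo "rendered $dir/tc.batch and $dir/acct.rules (set DO_APPLY=1 to load them)"
    fi
}

apply_batches "${1:-add}"
```

Run it as "sh batch.sh add" for the initial load and "sh batch.sh change" after editing rates in the database; the "change" batch carries only the class lines, so the SFQ qdiscs and u32 filters stay in place and tc never has to tear down and rebuild the tree.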
Re: [LARTC] htb,iptables
On Monday 09 February 2004 15:00, eddieknows wrote:
> Hi all
> I'm sure you have heard this before but sorry. I wrote a script once and
> never looked at it again. And as my luck will have it I need it now and it
> is gone. I'm trying my best to rewrite it :-(
>
> My 1st question is: If my server is a gateway and I'm marking packets
> for iptables should I use OUTPUT, INPUT, PREROUTING, POSTROUTING or FORWARD
> rules in iptables

http://www.docum.org/stef.coene/qos/kptd/

> And
> If I create a qdisc and classes and parents as 1--1:1-<1:10to1:50 for
> eth0 and I want to create rules for eth1 can I also start with 1--1:1...
> or should it be like 2--2:1...

You can use the same numbering on different devices.

> And
> If someone would donate a script it will help a hell of a lot in this
> time where there is no time... PLEASE

See docum.org for some examples.

Stef
--
[EMAIL PROTECTED] "Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
[LARTC] htb,iptables
Hi all

I'm sure you have heard this before but sorry. I wrote a script once and never looked at it again. And as my luck will have it I need it now and it is gone. I'm trying my best to rewrite it :-(

My 1st question is: If my server is a gateway and I'm marking packets for iptables should I use OUTPUT, INPUT, PREROUTING, POSTROUTING or FORWARD rules in iptables

And
If I create a qdisc and classes and parents as 1--1:1-<1:10to1:50 for eth0 and I want to create rules for eth1 can I also start with 1--1:1... or should it be like 2--2:1...

And
If someone would donate a script it will help a hell of a lot in this time where there is no time... PLEASE

Thanks
[LARTC] htb iptables
How can I MARK with iptables traffic in/out INTERNET and in/out PEERING from and forwarded to my LAN, with 4 MARKS to create 4 classes with htb which have 4 fw filters and 4 parents with 4 u32 filters, and many subclasses for each client with a U32 filter?

---root1---
  1:1 INTdown          fw mark=11  -> parent rate 32kbit, U32 filter, 192.168.1.2
  1:2 INTupload        fw mark=2   -> parent rate 16kbit, U32 filter, 192.168.1.2
  1:3 Peering download fw mark=3   -> parent rate 64kbit, U32 filter, 192.168.1.2
  1:4 Peering upload   fw mark=4   -> parent rate 32kbit, U32 filter, 192.168.1.2

Please send me an example, I am a newbie.
Re: [LARTC] htb/iptables: incoming vs. outgoing shaping?
Outgoing shaping (LAN --> WAN) makes sense as your input rate to the router is at LAN speeds while its output rate is at (relatively low-bandwidth) WAN speeds. A good set of rules will provide significant performance benefits for critical apps, while relegating non-critical ones to a "best effort" basis.

Shaping incoming traffic with queueing technology (WAN --> LAN) does not make much sense as queues would occur after packets have crossed a (presumably congested) WAN link, to be forwarded by the routing engine to a 10, 100 or 1,000 Mbps infrastructure. Queues in such a case add unnecessary latency and provide no real benefit.
Re: [LARTC] htb/iptables: incoming vs. outgoing shaping?
> But does this really work? I also noticed somewhere that you just can shape
> input traffic, and for output you need a special IMQ target for iptables,
> why? And why doesn't it work in that way?

It's the other way around. You can only shape outgoing traffic. You shape traffic by influencing the queue where the packets wait to be sent. For incoming packets, there is no queue, so you can't shape incoming traffic.

But there is an IMQ device. You can put all incoming packets in this virtual device and this device has a queue. So you can shape incoming traffic. But this can/will introduce extra delays.

There is also an ingress qdisc. This qdisc contains no queue, but you can attach filters to it. And you can use policers on these filters. A policer is a sort of shaper on a filter: it will only match the packets at a certain rate. So you can match packets at a certain rate and throttle incoming traffic. However, this is a one-level setup so you can't create a hierarchical setup like you can with htb/cbq.

You never provided a ceil parameter when you created the classes. So the classes will never borrow unused bandwidth from each other.

And to be able to shape the traffic, you have to shape at 250 kbit or so. So YOU are the bottleneck and not your router/modem. You will lose some bandwidth, but you will be able to shape it. So if shaping is not working, try to lower the total bandwidth you send/receive.

I suggest reading some docs: lartc.org in general, and I have some more info about shaping on docum.org.

> Furthermore, is this right how I mark the outgoing traffic? Should this be
> done in POSTROUTING, or even somewhere else? It's that we've
> PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING have in table mangle.

It depends if the traffic is generated locally or forwarded.
Stef
--
[EMAIL PROTECTED] "Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
[LARTC] htb/iptables: incoming vs. outgoing shaping?
Hi all,

there's something I really don't understand. What I wanna do is to shape my incoming _and_ my outgoing traffic in separate queues. I have a 256kbit up and 256kbit down link on eth1. I want to use iptables to set the marks.

wan=eth1
lowin=1 # ; highin=2
lowout=5 # ; highout=6

# mark incoming traffic
iptables -t mangle -A PREROUTING -i $wan -p tcp --sport 80 \
  -j MARK --set-mark $lowin
# mark outgoing traffic
iptables -t mangle -A OUTPUT -o $wan -p tcp --dport 80 \
  -j MARK --set-mark $lowout

tc qdisc add dev $wan root handle 1:0 htb
tc class add dev $wan parent 1:0 classid 1:1 htb rate 256kbit # input shaping
tc class add dev $wan parent 1:0 classid 1:2 htb rate 256kbit # output shaping
tc class add dev $wan parent 1:1 classid 1:11 htb rate 64kbit # low in
tc class add dev $wan parent 1:1 classid 1:12 htb rate 192kbit # high in
tc class add dev $wan parent 1:2 classid 1:21 htb rate 64kbit # low out
tc class add dev $wan parent 1:2 classid 1:22 htb rate 192kbit # high out
tc filter add dev $wan parent 1:1 protocol ip prio 1 \
  handle $lowin fw flowid 1:11
tc filter add dev $wan parent 1:2 protocol ip prio 1 \
  handle $lowout fw flowid 1:21

What I think I have done is that I've created two main queues (1:1 and 1:2), each one rating up to 256kbit. Each main queue got divided into a queue for low traffic (non-prioritized) and one for high traffic (prioritized). Then I attached the filters that anchor the iptables-marked IP packets to their corresponding queue.

But does this really work? I also noticed somewhere that you just can shape input traffic, and for output you need a special IMQ target for iptables, why? And why doesn't it work in that way?

Furthermore, is this right how I mark the outgoing traffic? Should this be done in POSTROUTING, or even somewhere else? It's that we've PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING have in table mangle.

Please, would you help me solving my problem?
Thanks in advance,
Christian Parpart.
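The layout Stef's reply points to, written out as an added example (this is neither Christian's script nor code from Stef or the LARTC project): outgoing traffic is queued and shaped with HTB on the WAN device's egress, with rate and ceil so the two classes borrow from each other and with the total set below the link speed so the router and not the modem holds the queue; incoming traffic, which has no queue, is throttled with a policer on the ingress qdisc; marks are set in both FORWARD (forwarded LAN traffic) and OUTPUT (the router's own traffic). Assumptions not in the thread: WAN device eth1 and a 256kbit link as in the question, marks 5 (low) and 6 (high) for outgoing traffic, port 80 as the low-priority traffic, and the 50/180 kbit split.

```shell
#!/bin/sh
# Added example (not Christian's script, not Stef's code): egress HTB shaping
# with ceil and an ingress policer, as Stef's reply describes.
# Assumptions not in the thread: WAN device eth1, 256kbit link as in the question,
# marks 5 (low) / 6 (high) for outgoing traffic, tcp/80 as the low-priority traffic.

WAN=${WAN:-eth1}
LINK=256                     # kbit in each direction, from the question
SHAPE=$(( LINK * 9 / 10 ))   # 230kbit: shape under the link so the router is the bottleneck
LOWOUT=5
HIGHOUT=6

# Print every command; execute it only when APPLY=1, so the script can be reviewed dry.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

mark_outgoing() {
    # A gateway sees forwarded LAN traffic in FORWARD and its own traffic in OUTPUT;
    # marking in both chains covers both cases (it depends on local vs. forwarded).
    for chain in FORWARD OUTPUT; do
        run iptables -t mangle -A "$chain" -o "$WAN" -p tcp --dport 80 -j MARK --set-mark "$LOWOUT"
        run iptables -t mangle -A "$chain" -o "$WAN" -m mark --mark 0 -j MARK --set-mark "$HIGHOUT"
    done
}

shape_outgoing() {
    run tc qdisc del dev "$WAN" root    # fails harmlessly when nothing is installed yet
    run tc qdisc add dev "$WAN" root handle 1: htb default 22
    run tc class add dev "$WAN" parent 1: classid 1:2 htb rate ${SHAPE}kbit
    # rate is the guaranteed share; ceil is how far a class may borrow when the other is idle
    run tc class add dev "$WAN" parent 1:2 classid 1:21 htb rate 50kbit ceil ${SHAPE}kbit prio 2
    run tc class add dev "$WAN" parent 1:2 classid 1:22 htb rate 180kbit ceil ${SHAPE}kbit prio 1
    run tc qdisc add dev "$WAN" parent 1:21 handle 21: sfq perturb 10
    run tc qdisc add dev "$WAN" parent 1:22 handle 22: sfq perturb 10
    # fw filters hang off the root qdisc and map the iptables marks onto the classes
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$LOWOUT" fw flowid 1:21
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$HIGHOUT" fw flowid 1:22
}

limit_incoming() {
    # Packets arriving on the WAN device have already crossed the link, so there is
    # no queue to shape; the ingress qdisc has no queue but its filter can police,
    # dropping whatever exceeds the rate (one level only, no hierarchy).
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 \
        police rate ${SHAPE}kbit burst 20k drop flowid :1
}

mark_outgoing
shape_outgoing
limit_incoming
```

Without APPLY=1 the script only prints the commands, which is the form to review; with APPLY=1 it loads them. The policed rate is the same 230kbit as the egress shaper, i.e. a little under the 256kbit link, for the reason Stef gives: the limit has to sit on the router for it to take effect at all.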