Re: [LARTC] htb/iptables for ISP

2006-11-04 Thread Peter Surda

plugthebox.net /dev/null wrote:
> Hello,
hi

> This process
> kills my machine for 3-4 minutes until dumping all htb/sqf/iptables into
> files and running these files (remember that i almost have 1200 IPs, and
> each IP has 6 HTB+SFQ line with 2 iptables)
both iptables and tc have a batch mode, and both support changing
instead of deleting/creating.


Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
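Peter's two pointers (batch mode, and changing classes instead of deleting and re-creating them) written out as one script. This is an added example, not code from the thread or from shurdix. It assumes the user table arrives as "IP DOWN_KBIT UP_KBIT" lines, that each user gets a fixed HTB minor id (100 + its line number) which doubles as the fw mark, that a root "1:" HTB qdisc with a "1:1" parent class already exists on eth0 (download, towards the LAN) and on eth1 (upload, towards the uplink), and that mangle/FORWARD already jumps to user chains SHAPE_DOWN and SHAPE_UP. The script only prints the input for `tc -batch` and `iptables-restore --noflush`; it does not touch the kernel itself.

```shell
#!/bin/sh
# Added example: generate `tc -batch` and `iptables-restore` input from the
# per-user table instead of running one tc/iptables process per line.
# Assumptions (not from the thread): root "1:" HTB + class "1:1" exist on
# both devices, and mangle/FORWARD already jumps to SHAPE_DOWN / SHAPE_UP.

# Constructed sample of what the MySQL query returns: IP DOWN_KBIT UP_KBIT
SAMPLE_USERS='10.0.0.2 512 128
10.0.0.3 1024 256'

# HTB minor id (and fw mark) of the N-th user; fixed, so edits can target it.
user_minor() { echo $((100 + $1)); }

# gen_tc_batch DEV DIR MODE   (DIR = down|up, MODE = add|change)
# Reads user lines on stdin and prints lines for `tc -batch FILE`.
# "add" creates class + SFQ leaf + fw filter once per user; "change" only
# rewrites the class rates, so editing a user no longer means delete/re-add.
gen_tc_batch() {
  dev=$1; dir=$2; mode=$3; n=0
  while read ip down up; do
    [ -z "$ip" ] && continue
    n=$((n + 1)); m=$(user_minor $n)
    if [ "$dir" = down ]; then rate=$down; else rate=$up; fi
    echo "class $mode dev $dev parent 1:1 classid 1:$m htb rate ${rate}kbit ceil ${rate}kbit"
    if [ "$mode" = add ]; then
      echo "qdisc add dev $dev parent 1:$m handle $m: sfq perturb 10"
      echo "filter add dev $dev parent 1: protocol ip prio 1 handle $m fw flowid 1:$m"
    fi
  done
}

# gen_iptables_restore DIR   (DIR = down|up)
# Prints a mangle fragment for `iptables-restore --noflush`: the whole
# SHAPE_DOWN or SHAPE_UP chain is refilled in one atomic COMMIT instead of
# one iptables invocation per user.
gen_iptables_restore() {
  if [ "$1" = down ]; then chain=SHAPE_DOWN; key=-d; else chain=SHAPE_UP; key=-s; fi
  n=0
  echo '*mangle'
  echo ":$chain - [0:0]"
  while read ip down up; do
    [ -z "$ip" ] && continue
    n=$((n + 1))
    echo "-A $chain $key $ip/32 -j MARK --set-mark $(user_minor $n)"
  done
  echo 'COMMIT'
}

# Stand-alone demo: print what would be fed to
#   tc -batch down.tc ; tc -batch up.tc ; iptables-restore --noflush < down.ipt
printf '%s\n' "$SAMPLE_USERS" | gen_tc_batch eth0 down add
printf '%s\n' "$SAMPLE_USERS" | gen_tc_batch eth1 up change
printf '%s\n' "$SAMPLE_USERS" | gen_iptables_restore down
```

Adding or editing a single user then means one "class change" line for that user's minor id (and, for a new user, one "add" block plus a refill of the mark chain), not a rerun of 1200 x 6 commands.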


[LARTC] htb/iptables for ISP

2006-11-01 Thread plugthebox.net /dev/null
Hello,
I'm working on a customized Linux firewall/router for a small/medium ISP
(1200 users) we have almost 4 ranges of internal IPs and i want to limit
each IP to a certain speed.

The problem is that i'm storing all info about the user including IP and
bandwidth rates on a MySQL server, then dump all the htb/sfq lines on a
file (which takes 3 minutes) and then i run these files. This process
kills my machine for 3-4 minutes until dumping all htb/sqf/iptables into
files and running these files (remember that i almost have 1200 IPs, and
each IP has 6 HTB+SFQ line with 2 iptables)

Is there another method more efficient than re-running my files every
time i add/edit/del a user?

Sincerely,









Re: [LARTC] htb,iptables

2004-02-11 Thread Stef Coene
On Monday 09 February 2004 15:00, eddieknows wrote:
> Hi all
> I'm sure you have heard this before but sorry. I wrote a script once and
> never looked at it again. And as my luck will have it I need it now and it
> is gone. I'm trying my best to rewrite it :-(
>
> My 1st question is: If my server is a gateway and I'm marking packets
> for iptables should I use OUTPUT,INPUT,PREROUTING,POSTROUTING or FORWARD
> rules in iptables
http://www.docum.org/stef.coene/qos/kptd/

> And
> If I create a qdisk and classes and parents as 1--1:1-<1:10to1:50 for
> eth0 and I want to create rules for eth1 can I also start with 1--1:1...
> or should it be like 2--2:1...
You can use the same numbering on different devices.

> And
> If someone would donate a script it will help a hell of a lot in this
> time where there is no time...PLEASE
See docum.org for some examples.

Stef

-- 
[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


[LARTC] htb,iptables

2004-02-09 Thread eddieknows
Hi all
I'm sure you have heard this before but sorry. I wrote a script once and
never looked at it again. And as my luck will have it I need it now and it
is gone. I'm trying my best to rewrite it :-(

My 1st question is: If my server is a gateway and I'm marking packets
for iptables should I use OUTPUT,INPUT,PREROUTING,POSTROUTING or FORWARD
rules in iptables

And
If I create a qdisk and classes and parents as 1--1:1-<1:10to1:50 for
eth0 and I want to create rules for eth1 can I also start with 1--1:1...
or should it be like 2--2:1...

And
If someone would donate a script it will help a hell of a lot in this
time where there is no time...PLEASE
Thanks



[LARTC] htb iptables

2003-07-07 Thread Svetlin Ivanov

how can i MARK with iptables traffic in/out INTERNET and in/out PEERING
from and forward to my LAN with 4 MARKS, to create 4 classes with htb
which have 4 fw filters and 4 parents with 4 u32 filters,
and many subclasses for each client with U32 filter

                                ---root 1---
          /                   /                    \                    \
  1:1 INT download     1:2 INT upload       1:3 Peering download   1:4 Peering upload
  fw filter mark 1     fw filter mark 2     fw filter mark 3       fw filter mark 4
          |                    |                     |                      |
  parent rate 32kbit   parent rate 16kbit   parent rate 64kbit     parent rate 32kbit
  U32 filter           U32 filter           U32 filter             U32 filter
  192.168.1.2          192.168.1.2          192.168.1.2            192.168.1.2

please send me an example, i am a newbie
  
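A sketch of the layout asked for above, as an added example (it is not a reply from the list and not Svetlin's own configuration). Assumptions: the LAN is eth0 behind this router and one upstream eth1 carries both Internet and peering traffic, with peering identified by a constructed prefix 192.0.2.0/24; the four marks are set in mangle/FORWARD because the traffic is forwarded, not local; download classes sit on the LAN device and upload classes on the WAN device (shaping is egress on each side), both reusing the same "1:" numbering; each client gets a u32 subclass keyed on its address. The four top-class rates are made up; the 32/16/64/32 kbit per-client rates follow the diagram.

```shell
#!/bin/sh
# Added example (not from the list): two-level HTB tree, fw marks at the
# top, u32 per-client subclasses below.  Assumptions: LAN eth0, one upstream
# eth1 for Internet and peering, peering = constructed prefix PEER_NET.
LAN=eth0; WAN=eth1; PEER_NET=192.0.2.0/24

# With DRY_RUN set, print the commands instead of executing them.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Four marks set in mangle/FORWARD (forwarded traffic never passes OUTPUT):
#   1 Internet download, 2 Internet upload, 3 peering download, 4 peering upload
mark_directions() {
  run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" -s "$PEER_NET" -j MARK --set-mark 3
  run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" -m mark --mark 0 -j MARK --set-mark 1
  run iptables -t mangle -A FORWARD -i "$LAN" -o "$WAN" -d "$PEER_NET" -j MARK --set-mark 4
  run iptables -t mangle -A FORWARD -i "$LAN" -o "$WAN" -m mark --mark 0 -j MARK --set-mark 2
}

# top_class DEV MINOR MARK RATE_KBIT: one of the four direction classes,
# selected at the root by an fw filter on the iptables mark.
top_class() {
  run tc class add dev "$1" parent 1: classid "1:$2" htb rate "${4}kbit" ceil "${4}kbit"
  run tc filter add dev "$1" parent 1: protocol ip prio 1 handle "$3" fw flowid "1:$2"
}

# client_class DEV PARENT_MINOR CLIENT_MINOR IP RATE_KBIT KEY
# KEY is "dst" for download classes and "src" for upload classes; the u32
# filter hangs off the parent class, so it is consulted only for packets the
# root fw filter already put into that direction.
client_class() {
  run tc class add dev "$1" parent "1:$2" classid "1:$3" htb rate "${5}kbit" ceil "${5}kbit"
  run tc qdisc add dev "$1" parent "1:$3" handle "$3:" sfq perturb 10
  run tc filter add dev "$1" parent "1:$2" protocol ip prio 1 u32 match ip "$6" "$4" flowid "1:$3"
}

build_tree() {
  for dev in "$LAN" "$WAN"; do run tc qdisc add dev "$dev" root handle 1: htb; done
  top_class "$LAN" 1 1 2048   # Internet download  (assumed rate)
  top_class "$WAN" 2 2 512    # Internet upload    (assumed rate)
  top_class "$LAN" 3 3 4096   # peering download   (assumed rate)
  top_class "$WAN" 4 4 4096   # peering upload     (assumed rate)
  # one client, 192.168.1.2, under each direction with the diagram's rates
  client_class "$LAN" 1 11 192.168.1.2 32 dst
  client_class "$WAN" 2 21 192.168.1.2 16 src
  client_class "$LAN" 3 31 192.168.1.2 64 dst
  client_class "$WAN" 4 41 192.168.1.2 32 src
}

# `sh tree.sh` prints the commands; `sh tree.sh apply` (as root) runs them.
[ "$1" = apply ] || DRY_RUN=1
mark_directions
build_tree
```

Further clients are more client_class calls with their own minor ids; the top classes and marks stay as they are.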


Re: [LARTC] htb/iptables: incoming vs. outgoing shaping?

2002-09-12 Thread George J. Jahchan

Outgoing shaping (LAN --> WAN) makes sense as your input rate to the router
is at LAN speeds while its output rate is at (relatively low-bandwidth) WAN
speeds. A good set of rules will provide significant performance benefits
for critical apps, while relegating non-critical ones to a "best effort"
basis.

Shaping incoming traffic with queueing technology (WAN --> LAN) does not
make much sense as queues would occur after packets have crossed a
(presumably congested) WAN link, to be forwarded by the routing engine to a
10, 100 or 1,000 Mbps infrastructure. Queues in such a case add unnecessary
latency and provide no real benefit.





Re: [LARTC] htb/iptables: incoming vs. outgoing shaping?

2002-09-07 Thread Stef Coene

> But does this really work? I also noticed somewhere that you just can shape
> input traffic, and for output you need a special IMQ target for iptables,
> why? And why doesn't it work in that way?
It's the other way around.  You can only shape outgoing traffic.  You shape 
traffic by influencing the queue where the packets wait to be sent.  For 
incoming packets, there is no queue, so you can't shape incoming traffic.
But, there is an IMQ device.  You can put all incoming packets in this virtual 
device and this device has a queue.  So you can shape incoming traffic. But 
this can/will introduce extra delays.  There is also an ingress qdisc.  This 
qdisc contains no queue, but you can attach filters to it.  And you can use 
policers on these filters.  A policer is a sort of shaper on a filter: it will 
only match the packets at a certain rate.  So you can match packets at a 
certain rate and throttle incoming traffic.  However, this is a one-level 
setup so you can't create a hierarchical setup like you can with htb/cbq.

You never provided a ceil parameter when you created the classes.  So the 
classes will never borrow unused bandwidth from each other.
And to be able to shape the traffic, you have to shape at 250 kbit or so.  So 
YOU are the bottleneck and not your router/modem.  You will lose some 
bandwidth, but you will be able to shape it.  So if shaping is not working, 
try to lower the total bandwidth you send/receive.

I suggest reading some docs: lartc.org in general and I have some more info 
about shaping on docum.org.

> Furthermore, is this right how I mark the outgoing traffic? Should this be
> done in POSTROUTING, or even somewhere else? It's that we have
> PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING in table mangle.
It depends if the traffic is generated locally or forwarded.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




[LARTC] htb/iptables: incoming vs. outgoing shaping?

2002-09-06 Thread Christian Parpart


Hi all,

there's something I really don't understand. What I wanna 
do is to shape my incoming _and_ my outgoing traffic in separate 
queues. I have a 256kbit up and 256kbit down link on eth1.
I want to use iptables to set the marks.

wan=eth1
lowin=1   # ; highin=2
lowout=5  # ; highout=6

# mark incoming traffic (PREROUTING: packets arriving on $wan)
iptables -t mangle -A PREROUTING -i $wan -p tcp --sport 80 \
   -j MARK --set-mark $lowin
# mark outgoing traffic (OUTPUT: packets generated on this host)
iptables -t mangle -A OUTPUT -o $wan -p tcp --dport 80 \
   -j MARK --set-mark $lowout

# root HTB qdisc ("tc qdisc add", the handle is given once)
tc qdisc add dev $wan root handle 1:0 htb
tc class add dev $wan parent 1:0 classid 1:1 htb rate 256kbit  # input shaping
tc class add dev $wan parent 1:0 classid 1:2 htb rate 256kbit  # output shaping
tc class add dev $wan parent 1:1 classid 1:11 htb rate 64kbit  # low in
tc class add dev $wan parent 1:1 classid 1:12 htb rate 192kbit # high in
tc class add dev $wan parent 1:2 classid 1:21 htb rate 64kbit  # low out
tc class add dev $wan parent 1:2 classid 1:22 htb rate 192kbit # high out

# fw filters: "handle MARK" comes before the classifier name "fw"
tc filter add dev $wan parent 1:1 protocol ip prio 1 \
   handle $lowin fw flowid 1:11
tc filter add dev $wan parent 1:2 protocol ip prio 1 \
   handle $lowout fw flowid 1:21

What I think I have done is that I've created two main queues (1:1 and 1:2), 
each one rated up to 256kbit. Each main queue is divided into a queue for 
low traffic (non-prioritized) and one for high traffic (prioritized).
Then I attached the filters that anchor the iptables-marked IP packets to 
their corresponding queue.

But does this really work? I also noticed somewhere that you just can shape 
input traffic, and for output you need a special IMQ target for iptables, 
why? And why doesn't it work in that way? 

Furthermore, is this right how I mark the outgoing traffic? Should this be 
done in POSTROUTING, or even somewhere else? It's that we have 
PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING in table mangle.

Please, would you help me solving my problem?

Thanks in advance,
Christian Parpart.

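Stef's points applied to Christian's layout, as an added example (this is neither Christian's script nor anything posted in Stef's reply): shaping only the outgoing direction on the WAN device, "rate" plus "ceil" so the two classes can borrow from each other, a total a little below the link speed so the Linux box rather than the modem is the bottleneck, marks set in FORWARD for the LAN's traffic and in OUTPUT for the router's own traffic, and an ingress policer for the incoming direction instead of a queue. It assumes eth1 as the 256kbit/256kbit link, mark 1 for low and mark 2 for high priority, HTTP as the low-priority example traffic, and that the high class is also HTB's default for unmarked packets. Run without the word "apply" it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): Christian's layout with Stef's fixes.
# Assumptions: eth1 is the 256kbit/256kbit WAN link, mark 1 = low priority,
# mark 2 = high priority, HTTP is the low-priority example traffic.
WAN=eth1
SHAPE_KBIT=200   # below the 256kbit link rate: this box must be the bottleneck
LOW=1; HIGH=2

# With DRY_RUN set, print the commands instead of executing them.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Forwarded traffic never passes OUTPUT, so mark in FORWARD for the LAN
# and in OUTPUT for the router itself.  Unmarked packets go to the HTB
# default class (1:12) below.
mark_outgoing() {
  run iptables -t mangle -A FORWARD -o "$WAN" -p tcp --dport 80 -j MARK --set-mark "$LOW"
  run iptables -t mangle -A OUTPUT -o "$WAN" -p tcp --dport 80 -j MARK --set-mark "$LOW"
}

# Egress shaping on the WAN device only.  "ceil" lets each class borrow up
# to the parent's rate while the other class is idle; without it a class is
# stuck at its own "rate".
egress_shaping() {
  run tc qdisc add dev "$WAN" root handle 1: htb default 12
  run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${SHAPE_KBIT}kbit" ceil "${SHAPE_KBIT}kbit"
  run tc class add dev "$WAN" parent 1:1 classid 1:11 htb rate 50kbit ceil "${SHAPE_KBIT}kbit"
  run tc class add dev "$WAN" parent 1:1 classid 1:12 htb rate 150kbit ceil "${SHAPE_KBIT}kbit"
  run tc qdisc add dev "$WAN" parent 1:11 handle 11: sfq perturb 10
  run tc qdisc add dev "$WAN" parent 1:12 handle 12: sfq perturb 10
  run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$LOW" fw flowid 1:11
  run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$HIGH" fw flowid 1:12
}

# The incoming direction has no queue to shape.  The ingress qdisc carries a
# policer that drops everything above SHAPE_KBIT: one level, no hierarchy,
# but it keeps the modem's queue from filling.
ingress_policing() {
  run tc qdisc add dev "$WAN" handle ffff: ingress
  run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 \
      police rate "${SHAPE_KBIT}kbit" burst 20k drop flowid :1
}

# `sh shape.sh` prints the commands; `sh shape.sh apply` (as root) runs them.
[ "$1" = apply ] || DRY_RUN=1
mark_outgoing
egress_shaping
ingress_policing
```

If shaping still seems not to bite, lower SHAPE_KBIT further, as Stef suggests; the lost few percent of bandwidth is what buys the control.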