subject:"Re\: \[LARTC\] IPTables script"

Re: [LARTC] IPTables script

2005-05-12 Thread Andy Furniss

Lee Sanders wrote:
Ok I thought you were trying to match src addresses, and that would be a
problem because of masquerading ;)
yep. 

So you need to use addresses before nat - just mark them in iptables 
postrouting like.

iptables -t mangle -A POSTROUTING --src 192.168.0.2 -j MARK --set-mark 32
then filter them with tc something like -
tc filter add dev $UPIF parent 1:0 prio 4 protocol ip handle 32 fw 
flowid 1:32

On this, can anyone help with: http://lartc.org/howto/lartc.adv-filter.html
12.1.3. Specific selectors
The following table contains a list of all specific selectors the author of 
this section has found in the tc program source code. They simply make your 
life easier and increase readability of your filter's configuration.

FIXME: table placeholder - the table is in separate file ,,selector.html''
FIXME: it's also still in Polish :-(
FIXME: must be sgml'ized
I'm quite happy to read polish to get at the list they are offering.
They may well be outdated now anyway - there is work going on currently 
with tc eg. ematches - just not many docs yet.

Andy.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Sylvain BERTRAND

On Jeu 12 mai 2005 12:42, Lee Sanders a écrit :
> Interesting because in the L7 FAQ it says they take advantage of
> netfilters
> connection tracking capabilities to classify connections based on their
> first
> few packets and then classify packets based on what connection they are
> in.
>
> To my thinking this precludes what you say above, but I don't know much
> about
> netfilters connection tracking. Have you seen the behaviour you describe ?
>

I have not seem the problem occur. However, the webpage gives a warning
and recommends not to use l7 matching to DROP packets. It should not be a
problem if you only want to shape.

Sylvain

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Lee Sanders

> Ok I thought you were trying to match src addresses, and that would be a
> problem because of masquerading ;)
>
yep. 

> > Along my travels I ran into this: http://l7-filter.sourceforge.net/
> > Have you played with L7 and can you rate it good/bad ?
>
> I've installed it and used it for 2 month, though I can't say I've
> thoroughly tested the patterns. So far, it works out pretty good. The
> website has a page that lists supported protocols, and rates the quality
> of each pattern. I would not recommend it for production use, though.
> There can be side effects : if you visit a web page that describes the
> SMTP protocol, the packet will contain data that looks like SMTP, and who
> knows which pattern the packet is going to match...
>
Interesting because in the L7 FAQ it says they take advantage of netfilters 
connection tracking capabilities to classify connections based on their first 
few packets and then classify packets based on what connection they are in.

To my thinking this precludes what you say above, but I don't know much about 
netfilters connection tracking. Have you seen the behaviour you describe ?


> Iptables may give you more options to separate trafic to different classes
> by MARKing them.
> Then tc allocates bandwidth for each class.
> You'll have much more flexibility this way.
>

On this, can anyone help with: http://lartc.org/howto/lartc.adv-filter.html

12.1.3. Specific selectors

The following table contains a list of all specific selectors the author of 
this section has found in the tc program source code. They simply make your 
life easier and increase readability of your filter's configuration.

FIXME: table placeholder - the table is in separate file ,,selector.html''
FIXME: it's also still in Polish :-(
FIXME: must be sgml'ized

I'm quite happy to read polish to get at the list they are offering.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Sylvain BERTRAND

On Jeu 12 mai 2005 10:52, Lee Sanders a écrit :
> Hi Sylvain,
>
> Thanks for that, exactly what I'm doing :)
>

Ok I thought you were trying to match src addresses, and that would be a
problem because of masquerading ;)

> Along my travels I ran into this: http://l7-filter.sourceforge.net/
> Have you played with L7 and can you rate it good/bad ?

I've installed it and used it for 2 month, though I can't say I've
thoroughly tested the patterns. So far, it works out pretty good. The
website has a page that lists supported protocols, and rates the quality
of each pattern. I would not recommend it for production use, though.
There can be side effects : if you visit a web page that describes the
SMTP protocol, the packet will contain data that looks like SMTP, and who
knows which pattern the packet is going to match...

> The script you sent didn't answer one question, how to match on IP so I
> can
> add a further level of htb to equally share bandwidth amongst computers.

You can create a class for each client on the LAN link, and limit upload
from your server to each client. If you want to limit upload from client
to server, you can restrict bandwidth with 'ingress'.

> I think I know how to do this though, filter by MAC. I don't know if
> iptables
> at this point has munted the mac so I'm going to try that in a sec and see
> if
> I can get a match.
>

Iptables may give you more options to separate trafic to different classes
by MARKing them.
Then tc allocates bandwidth for each class.
You'll have much more flexibility this way.


Sylvain

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Lee Sanders

Hi Sylvain,

Thanks for that, exactly what I'm doing :)

Along my travels I ran into this: http://l7-filter.sourceforge.net/
Have you played with L7 and can you rate it good/bad ?

The script you sent didn't answer one question, how to match on IP so I can 
add a further level of htb to equally share bandwidth amongst computers.

I think I know how to do this though, filter by MAC. I don't know if iptables 
at this point has munted the mac so I'm going to try that in a sec and see if 
I can get a match.

Alex: from what I read you can do more with netfilter than you can with tc 
filter. Depending on your needs you would use the simplest one as I believe 
tc filter to be easier to understand. L7 above also uses netfilter so there's 
possibly another reason.

:L

> > #!/bin/bash
> >
> > UPLINK_EXT=950  # outgoing DSL bandwidth, kbps
> > DEV_EXT=eth1# DSL link
> >
> > tc qdisc del dev ${DEV_EXT} root2> /dev/null > /dev/null
> >
> > tc qdisc add dev ${DEV_EXT} root handle 1: htb default 20
> >
> > # root class
> > tc class add dev ${DEV_EXT} parent 1: classid 1:1 htb rate
> > $[${UPLINK_EXT}]kbit prio 0
> > # fast ( 80% )
> > tc class add dev ${DEV_EXT} parent 1:1 classid 1:10 htb rate
> > $[8*${UPLINK_EXT}/10]kbit ceil $[${UPLINK_EXT}]kbit burst 10k prio 1
> > # slow ( 20% )
> > tc class add dev ${DEV_EXT} parent 1:1 classid 1:20 htb rate
> > $[2*${UPLINK_EXT}/10]kbit ceil $[8*${UPLINK_EXT}/10]kbit burst 2k prio 5
> >
> > # stochastic fairness
> > tc qdisc add dev ${DEV_EXT} parent 1:10 handle 10: sfq perturb 10
> > tc qdisc add dev ${DEV_EXT} parent 1:20 handle 20: sfq perturb 10
> >
> > # trafic with priority
> > # CLIENT
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 22 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 25 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 53 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 80 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 110 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 143 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 443 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 993 0x flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 995 0x flowid 1:10
> > # SERVER
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > sport 22 0xfffd flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > sport 25 0xfffd flowid 1:10
> > tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> > dport 53 0x flowid 1:10
> >
> >
> > ___
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
_
Lee Sanders  Computer
Systems Engineer  Consultant
Email: [EMAIL PROTECTED]Professionals
Mobile: 040048163277 122 550 929
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Sylvain BERTRAND

On Jeu 12 mai 2005 10:31, Alexander Samad a écrit :
> Sylvain
>
> Q) why use do your matching in tc filter and not netfilter ?  Is one way
> better than the other.
>
> I started out doing it via filter and then moved to netfilter instead
> using mark.
>
> Curious to hear what other people have/do do
>
> Alex
>

If I wanted to match via netfilter, I'd have to MARK the packets, and then
use tc to classify packets according to this mark. It would be a "better
thing" (tm), but this is a very simple configuration, so I chose to use tc
directly.


Sylvain

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Alexander Samad

On Thu, May 12, 2005 at 09:40:56AM +0200, Sylvain BERTRAND wrote:
> On Jeu 12 mai 2005 8:14, Lee Sanders a ?crit :
> > Hi All,
> >
> > I've been playing with QOS for a short while now and have worked out how
> > to do
> > what I want using HTB. Great queuing discipline btw.
> >
> > My problem is the tc filters I want to setup aren't working because
> > iptables is getting to the packets first and mangling the src address.
> >
> > The iptables script I am using is MonMotha's Firewall 2.3.8 and it
> > includes
> > lots of nice goodies like syn flood rate limiting. The extra bits like
> > this
> > are why I'm using it rather than figuring the iptables configuration out
> > myself.
> >
> > My network configuration is trivial, adsl router connected to linux box
> > connected to two networks, LAN and WLAN.
> >
> > I like having these iptables features but MonMotha's Firewall isn't
> > designed
> > with QOS in mind.
> >
> > My question for this list, is there a recommended iptables router script
> > that
> > everyone here uses designed with QOS in mind or have you all written your
> > own ?
> >
> > Thanks in Advance
> >
> > Lee
> >
> 
> Hi Lee,
> 
> Below is my script. It's inspired from LARTC, for the same configuration
> as you : home Linux routeur with DSL on eth1, masquerading trafic from
> LAN. The server is running a few services (http,mail,dns), and I want
> these services to have priority, and also the users must have priority for
> their mail & http over the default class. The trafic to/from the services
> not defined below goes to default class, which is fine (ftp, im, ...).
> Hope you can use it, though it's certainly not perfect.
> 
> Sylvain
> 

Sylvain

Q) why use do your matching in tc filter and not netfilter ?  Is one way
better than the other.

I started out doing it via filter and then moved to netfilter instead
using mark.

Curious to hear what other people have/do do

Alex

> 
> #!/bin/bash
> 
> UPLINK_EXT=950  # outgoing DSL bandwidth, kbps
> DEV_EXT=eth1# DSL link
> 
> tc qdisc del dev ${DEV_EXT} root2> /dev/null > /dev/null
> 
> tc qdisc add dev ${DEV_EXT} root handle 1: htb default 20
> 
> # root class
> tc class add dev ${DEV_EXT} parent 1: classid 1:1 htb rate
> $[${UPLINK_EXT}]kbit prio 0
> # fast ( 80% )
> tc class add dev ${DEV_EXT} parent 1:1 classid 1:10 htb rate
> $[8*${UPLINK_EXT}/10]kbit ceil $[${UPLINK_EXT}]kbit burst 10k prio 1
> # slow ( 20% )
> tc class add dev ${DEV_EXT} parent 1:1 classid 1:20 htb rate
> $[2*${UPLINK_EXT}/10]kbit ceil $[8*${UPLINK_EXT}/10]kbit burst 2k prio 5
> 
> # stochastic fairness
> tc qdisc add dev ${DEV_EXT} parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev ${DEV_EXT} parent 1:20 handle 20: sfq perturb 10
> 
> # trafic with priority
> # CLIENT
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 22 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 25 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 53 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 80 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 110 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 143 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 443 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 993 0x flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 995 0x flowid 1:10
> # SERVER
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> sport 22 0xfffd flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> sport 25 0xfffd flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
> dport 53 0x flowid 1:10
> 
> 
> ___
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 


signature.asc
Description: Digital signature
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

2005-05-12 Thread Sylvain BERTRAND

On Jeu 12 mai 2005 8:14, Lee Sanders a écrit :
> Hi All,
>
> I've been playing with QOS for a short while now and have worked out how
> to do
> what I want using HTB. Great queuing discipline btw.
>
> My problem is the tc filters I want to setup aren't working because
> iptables is getting to the packets first and mangling the src address.
>
> The iptables script I am using is MonMotha's Firewall 2.3.8 and it
> includes
> lots of nice goodies like syn flood rate limiting. The extra bits like
> this
> are why I'm using it rather than figuring the iptables configuration out
> myself.
>
> My network configuration is trivial, adsl router connected to linux box
> connected to two networks, LAN and WLAN.
>
> I like having these iptables features but MonMotha's Firewall isn't
> designed
> with QOS in mind.
>
> My question for this list, is there a recommended iptables router script
> that
> everyone here uses designed with QOS in mind or have you all written your
> own ?
>
> Thanks in Advance
>
> Lee
>

Hi Lee,

Below is my script. It's inspired from LARTC, for the same configuration
as you : home Linux routeur with DSL on eth1, masquerading trafic from
LAN. The server is running a few services (http,mail,dns), and I want
these services to have priority, and also the users must have priority for
their mail & http over the default class. The trafic to/from the services
not defined below goes to default class, which is fine (ftp, im, ...).
Hope you can use it, though it's certainly not perfect.

Sylvain


#!/bin/bash

UPLINK_EXT=950  # outgoing DSL bandwidth, kbps
DEV_EXT=eth1# DSL link

tc qdisc del dev ${DEV_EXT} root2> /dev/null > /dev/null

tc qdisc add dev ${DEV_EXT} root handle 1: htb default 20

# root class
tc class add dev ${DEV_EXT} parent 1: classid 1:1 htb rate
$[${UPLINK_EXT}]kbit prio 0
# fast ( 80% )
tc class add dev ${DEV_EXT} parent 1:1 classid 1:10 htb rate
$[8*${UPLINK_EXT}/10]kbit ceil $[${UPLINK_EXT}]kbit burst 10k prio 1
# slow ( 20% )
tc class add dev ${DEV_EXT} parent 1:1 classid 1:20 htb rate
$[2*${UPLINK_EXT}/10]kbit ceil $[8*${UPLINK_EXT}/10]kbit burst 2k prio 5

# stochastic fairness
tc qdisc add dev ${DEV_EXT} parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev ${DEV_EXT} parent 1:20 handle 20: sfq perturb 10

# trafic with priority
# CLIENT
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 22 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 25 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 53 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 80 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 110 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 143 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 443 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 993 0x flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 995 0x flowid 1:10
# SERVER
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
sport 22 0xfffd flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
sport 25 0xfffd flowid 1:10
tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip
dport 53 0x flowid 1:10


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

Re: [LARTC] IPTables script

8 matches

Site Navigation

Mail list logo

Footer information