LinuxQuestions.org


Kendo1979 11-11-2005 08:18 AM

iptables mark combine with tc
 
I've been having a headache trying to configure iptables mark to work with tc.

So far this is what I do.

in firewall.sh

...
## outbound traffic

$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.11 -d ! 192.168.1.0/24 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.12 -d ! 192.168.1.0/24 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.13 -d ! 192.168.1.0/24 -j MARK --set-mark 13
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.14 -d ! 192.168.1.0/24 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.15 -d ! 192.168.1.0/24 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.16 -d ! 192.168.1.0/24 -j MARK --set-mark 16

## inbound traffic

$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.11 -s ! 192.168.1.0/24 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.12 -s ! 192.168.1.0/24 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.13 -s ! 192.168.1.0/24 -j MARK --set-mark 13
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.14 -s ! 192.168.1.0/24 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.15 -s ! 192.168.1.0/24 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.16 -s ! 192.168.1.0/24 -j MARK --set-mark 16


and in qdisc.sh

#!/bin/sh
CEIL_CLIENT=60
CEIL_SU=130
RATE_CLIENT=10
RATE_SU=60

## deleting old rules

tc qdisc del dev eth0 root

## defining classes

tc qdisc add dev eth0 root handle 1: htb default 200
tc class add dev eth0 parent 1: classid 1:1 htb rate ${CEIL_SU}kbit ceil ${CEIL_SU}kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 80kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:11 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:12 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:13 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:14 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:15 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:16 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:200 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 7

## adding filter

tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 11 fw classid 1:11
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 12 fw classid 1:12
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 13 fw classid 1:13
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 14 fw classid 1:14
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 15 fw classid 1:15
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 16 fw classid 1:16


but all traffic still goes to class 200 (the default for unclassified packets).

Where did I go wrong?

Can anyone help correct me?

frostschutz 11-12-2005 05:31 AM

Do these marking rules even work? iptables can list rules and counts of matched packets per rule for you, if these are zero, the rules are bad. Is in PREROUTING the destination IP of the clients in the LAN already known? I think these rules should probably go into the FORWARD chain.

Also be aware that mark values are actually hexadecimal, to be specified as 0x01, 0x02, ... and so on. There were some problems in the past with different interpretation of a value like "16", I think iptables interpreted it as decimal number and tc as hexadecimal, causing the filter rules to mismatch.
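One way to act on both of frostschutz's checks without touching a live box: audit firewall.sh and qdisc.sh as text and make sure every iptables --set-mark value has a tc "fw" handle and vice versa, comparing numerically so a mark written as 16 and a handle written as 0x10 count as the same value. This is an added example, not code from the thread; the sample rule text below is constructed (it uses the FORWARD chain as suggested above and deliberately includes a handle 1 filter with no matching MARK rule).

```shell
#!/bin/sh
# Added example: cross-check iptables MARK values against tc fw handles.
# Marks are compared as integers, so "16" and "0x10" are treated as equal.

# Normalise a mark written as decimal or 0x-hex to a plain decimal integer.
# Shell arithmetic accepts C-style constants, which is what handles the 0x form.
norm_mark() {
    printf '%d\n' "$(( $1 ))"
}

# Read iptables rule text on stdin; print every --set-mark value (decimal).
iptables_marks() {
    sed -n 's/.*--set-mark[[:space:]]\{1,\}\([0-9a-fA-Fx]\{1,\}\).*/\1/p' |
        while read -r m; do norm_mark "$m"; done
}

# Read tc filter text on stdin; print every "handle N fw" value (decimal).
tc_handles() {
    sed -n 's/.*handle[[:space:]]\{1,\}\([0-9a-fA-Fx]\{1,\}\)[[:space:]]\{1,\}fw.*/\1/p' |
        while read -r h; do norm_mark "$h"; done
}

# Report marks that exist on only one side; prints nothing when consistent.
# Usage: check_marks "$iptables_text" "$tc_text"
check_marks() {
    a=$(printf '%s\n' "$1" | iptables_marks | sort -nu)
    b=$(printf '%s\n' "$2" | tc_handles | sort -nu)
    for m in $a; do
        echo "$b" | grep -qx "$m" || echo "mark $m is set by iptables but no tc fw filter uses it"
    done
    for h in $b; do
        echo "$a" | grep -qx "$h" || echo "tc fw handle $h has no iptables rule setting it"
    done
}

# Constructed sample modelled on the thread: decimal marks on the iptables side,
# one handle written in hex, and a handle 1 filter with no MARK rule behind it.
IPT_SAMPLE='iptables -t mangle -A FORWARD -p tcp -s 192.168.1.11 ! -d 192.168.1.0/24 -j MARK --set-mark 11
iptables -t mangle -A FORWARD -p tcp -s 192.168.1.16 ! -d 192.168.1.0/24 -j MARK --set-mark 16'
TC_SAMPLE='tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 11 fw classid 1:11
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x10 fw classid 1:16'

check_marks "$IPT_SAMPLE" "$TC_SAMPLE"
```

Feed it the real files with `check_marks "$(cat firewall.sh)" "$(cat qdisc.sh)"`; an empty report means the two sides agree on every mark, and the per-rule packet counters from `iptables -t mangle -L -n -v` then tell you whether the MARK rules are matching anything at all.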

Kendo1979 11-14-2005 11:59 PM

My network configuration is more or less like this:

-------------------Gateway------------------------
clients -------------|eth0 (i put squid in here) eth1 | ------------------ the world
-------------------------------------------------------

I redirect all requests for web to my squid:

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -i eth0 --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -i eth0 --dport 3128 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -i eth0 --dport 8080 -j DNAT --to 192.168.1.1:3128

Hence all web traffic in the gateway will change source address (am I correct?).

So if I want to limit traffic to and from the internet, but leave traffic from client to gateway and vice versa unlimited, what should I do?

The reason I want to leave traffic from client to gateway and vice versa unlimited is that I think web content already stored in squid should not be limited, and only traffic from clients forwarded directly to the internet, and from the gateway to the internet and vice versa, should be controlled.

Currently with htb I'm trying this solution (I only have a 160kbit internet connection for 10 computers):

eth0
R2Q=1
DEFAULT=5

eth0-2.root
RATE=560kbit
CBURST=2kb
LEAF=sfq

eth0-2:3.local
RATE=400kbit
RULE=192.168.1.1,
RULE=192.168.1.1

eth0-2:5.inet
RATE=160kbit

eth0-2:5:11.client1
RATE=10kbit
CEIL=60kbit
RULE=192.168.1.11 (my clients' IPs run from 11 to 21)
RULE=192.168.1.11,

and the same configuration, except for the IP rule, for eth0-2:5:12.client2 through eth0-2:5:21.client10.

What should I do next?

