Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 11-11-2005, 08:18 AM   #1
Kendo1979
Member
 
Registered: Aug 2004
Location: Bandung, Indonesia
Distribution: Red Hat 9
Posts: 51
iptables mark combine with tc


I've been having a headache trying to get iptables MARK to work with tc.

So far this is what I do.

In firewall.sh:

...
## outbound traffic (client -> anything outside the LAN)
## negation written as "! -d" (the older "-d !" form is deprecated in current iptables)

$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.11 ! -d 192.168.1.0/24 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.12 ! -d 192.168.1.0/24 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.13 ! -d 192.168.1.0/24 -j MARK --set-mark 13
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.14 ! -d 192.168.1.0/24 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.15 ! -d 192.168.1.0/24 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.1.16 ! -d 192.168.1.0/24 -j MARK --set-mark 16

## inbound traffic (anything outside the LAN -> client)

$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.11 ! -s 192.168.1.0/24 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.12 ! -s 192.168.1.0/24 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.13 ! -s 192.168.1.0/24 -j MARK --set-mark 13
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.14 ! -s 192.168.1.0/24 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.15 ! -s 192.168.1.0/24 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -p tcp -d 192.168.1.16 ! -s 192.168.1.0/24 -j MARK --set-mark 16


And in qdisc.sh:

#!/bin/sh
CEIL_CLIENT=60
CEIL_SU=130
RATE_CLIENT=10
RATE_SU=60

## deleting old rules (fails harmlessly when no root qdisc exists yet)

tc qdisc del dev eth0 root 2>/dev/null

## defining classes

tc qdisc add dev eth0 root handle 1: htb default 200
tc class add dev eth0 parent 1: classid 1:1 htb rate ${CEIL_SU}kbit ceil ${CEIL_SU}kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 80kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:11 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:12 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:13 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:14 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:15 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:16 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 5
tc class add dev eth0 parent 1:1 classid 1:200 htb rate ${RATE_CLIENT}kbit ceil ${CEIL_CLIENT}kbit prio 7

## adding filter

tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 11 fw classid 1:11
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 12 fw classid 1:12
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 13 fw classid 1:13
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 14 fw classid 1:14
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 15 fw classid 1:15
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 16 fw classid 1:16


But all traffic still goes to class 200 (the default for unspecified packets).

Where did I go wrong?

Can anyone help correct me?
 
Old 11-12-2005, 05:31 AM   #2
frostschutz
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 95
Do these marking rules even work? iptables can list rules and counts of matched packets per rule for you; if these are zero, the rules are bad. In PREROUTING, is the destination IP of the clients in the LAN already known? I think these rules should probably go into the FORWARD chain.

Also be aware that mark values are actually hexadecimal, to be specified as 0x01, 0x02, ... and so on. There were some problems in the past with different interpretation of a value like "16", I think iptables interpreted it as decimal number and tc as hexadecimal, causing the filter rules to mismatch.
 
Old 11-14-2005, 11:59 PM   #3
Kendo1979
Member
 
Registered: Aug 2004
Location: Bandung, Indonesia
Distribution: Red Hat 9
Posts: 51

Original Poster
My network configuration is more or less like this:

-------------------Gateway------------------------
clients -------------|eth0 (i put squid in here) eth1 | ------------------ the world
-------------------------------------------------------

I redirect all web requests to my squid:

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -i eth0 --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -i eth0 --dport 3128 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -i eth0 --dport 8080 -j DNAT --to 192.168.1.1:3128

Hence all web traffic at the gateway will change source address (am I correct?).

So if I want to limit traffic to and from the internet, but leave traffic from client to gateway and vice versa free, what should I do?

The reason I want to leave traffic from client to gateway and vice versa free is that I think web content fetched from what is already
stored in squid should not be limited; only traffic from a client forwarded directly to the internet,
and from gateway to internet and vice versa, should be controlled.

Currently with htb I'm trying this solution (I only have a 160kbit internet connection for 10 computers):

eth0
R2Q=1
DEFAULT=5

eth0-2.root
RATE=560kbit
CBURST=2kb
LEAF=sfq

eth0-2:3.local
RATE=400kbit
RULE=192.168.1.1,
RULE=192.168.1.1

eth0-2:5.inet
RATE=160kbit

eth0-2:5:11.client1
RATE=10kbit
CEIL=60kbit
RULE=192.168.1.11 (my clients ip start from 11 to 21)
RULE=192.168.1.11,

and the same configuration, except for the IP rule, for eth0-2:5:12.client2 through eth0-2:5:21.client10.

What should I do next?
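The following script is an added example, not code from either poster. It puts the two questions of this thread (post 1: why everything lands in the default class; post 3: how to shape only traffic that crosses the internet link) into one generated rule set. The mechanism behind post 1 is that packets generated on the gateway itself, such as squid's replies to clients, never traverse PREROUTING (or FORWARD), so they carry no mark and fall through to the default class; the example therefore marks them in mangle OUTPUT and gives them their own uncapped class, which is what the htb.init "local" class in post 3 is after. Marks are written in hex on both the iptables and the tc side so the base ambiguity post 2 mentions cannot arise, and negations use the "! -d" form that current iptables accepts. The interface name, addresses, rates and the mark/class numbering are my assumptions, taken from the thread's layout rather than stated by the poster; DRY_RUN=1 (the default) only prints the commands so they can be reviewed before being applied as root with DRY_RUN=0.

```sh
#!/bin/sh
# Added example (not from this thread): iptables MARK + tc HTB on the LAN
# interface so that only packets crossing the internet link are limited.
# Assumptions (mine): LAN side is eth0, gateway/squid is 192.168.1.1,
# clients are 192.168.1.11-21, uplink is 160kbit.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
INET_KBIT=${INET_KBIT:-160}     # real uplink capacity
LOCAL_KBIT=${LOCAL_KBIT:-400}   # gateway -> LAN (squid hits), not bound by the uplink
CLIENT_RATE=${CLIENT_RATE:-10}
CLIENT_CEIL=${CLIENT_CEIL:-60}
LOCAL_MARK=0x1                  # mark for packets the gateway itself generates
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands, 0 = execute them

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Derive the fw mark from the last octet and write it in hex, so iptables
# and tc are handed the same literal (192.168.1.11 -> 0xb).
mark_for_host() {
    printf '0x%x' "${1##*.}"
}

# Per-client marking of forwarded traffic. "! -d" is the extrapositioned
# negation that current iptables accepts without a deprecation warning.
mark_rules() {
    host=$1; mark=$(mark_for_host "$host")
    # client -> internet: mangle PREROUTING runs before nat PREROUTING,
    # so the destination is still the real one when the mark is set.
    run iptables -t mangle -A PREROUTING -s "$host" ! -d "$LAN_NET" -j MARK --set-mark "$mark"
    # internet -> client (forwarded): this is what eth0 egress shaping sees.
    run iptables -t mangle -A PREROUTING -d "$host" ! -s "$LAN_NET" -j MARK --set-mark "$mark"
}

# HTB tree: 1:3 for gateway-originated traffic, 1:5 for the uplink with
# one child per client, 1:200 as the default leaf.
shape_rules() {
    run iptables -t mangle -F   # start clean (assumes mangle holds only these marks)
    run tc qdisc del dev "$LAN_IF" root 2>/dev/null
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 200
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate $((INET_KBIT + LOCAL_KBIT))kbit
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:3 htb rate ${LOCAL_KBIT}kbit ceil ${LOCAL_KBIT}kbit prio 1
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:5 htb rate ${INET_KBIT}kbit ceil ${INET_KBIT}kbit
    run tc class add dev "$LAN_IF" parent 1:5 classid 1:200 htb rate 1kbit ceil ${CLIENT_CEIL}kbit prio 7
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 handle "$LOCAL_MARK" fw classid 1:3
    # Locally generated packets (squid replies, DNS, ...) never pass
    # PREROUTING or FORWARD; mark them in OUTPUT or they fall into 1:200.
    run iptables -t mangle -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j MARK --set-mark "$LOCAL_MARK"
}

# One class, one fw filter and two mark rules per client. tc reads the
# class minor id as hex, so "1:11" is only a label here (0x11), not 11.
client_rules() {
    host=$1; id=${host##*.}
    run tc class add dev "$LAN_IF" parent 1:5 classid "1:$id" htb rate ${CLIENT_RATE}kbit ceil ${CLIENT_CEIL}kbit prio 5
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 2 handle "$(mark_for_host "$host")" fw classid "1:$id"
    mark_rules "$host"
}

# The check from post 2: per-rule packet counters and per-class stats.
# A mark rule whose counter stays at zero is not matching anything.
show_counters() {
    run iptables -t mangle -L -v -n -x
    run tc -s class show dev "$LAN_IF"
}

# Build the whole rule set for clients 192.168.1.11 through .21.
generate() {
    shape_rules
    i=11
    while [ "$i" -le 21 ]; do
        client_rules "192.168.1.$i"
        i=$((i + 1))
    done
}

generate
```

Two caveats follow from the design rather than from the thread. First, with the transparent proxy every HTTP flow, cache hit or miss, is answered to the client by squid and so lands in class 1:3; the per-client classes only ever see non-proxied traffic, and the uplink class 1:5 still caps the total. Per-client limits on proxied traffic have to be enforced inside squid (delay pools) rather than with these marks. Second, after applying the rules, run show_counters: a client whose PREROUTING counters stay at zero while 1:200 grows is the symptom post 1 describes, and it points at a marking rule that does not match rather than at the tc filters.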