Hey guys,

Want some help here...

I'm trying to use shorewall to limit the traffic on my network.

eth0 is the lan interface (192.168.100.254)

###########################
neve:/etc/shorewall# uname -r
2.6.8
####################

tried also w/ kernel 2.6.12, w/ qos/htb support, with no luck.

######################
neve:/etc/shorewall# shorewall version
3.0.5
#########################

ppp0 has a dynamic IP address:

##############################
neve:/etc/shorewall# ip route ls
201.32.44.254 dev ppp0 proto kernel scope link src 201.67.183.127
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.254
default via 201.32.44.254 dev ppp0
##############################

Everything works fine except traffic shaping...

shorewall config:

interfaces:
#####################################
net ppp0 -
loc eth0 detect
loc eth1 detect #maclist
#######################################

tcdevices
##############################
ppp0 1024kbit 1024kbit
##############################

If I configure eth0 (local interface) here, can I limit incoming traffic also?
well, I tried that and didn't work :-)

tcclasses
################################################################
ppp0 1 1024kbit full 1 tcp-ack,tos-minimize-delay
ppp0 2 100kbit 100kbit 2 default
ppp0 3 200kbit 200kbit 2
###############################################################

tcrules
######################################################
1 192.168.100.202 0.0.0.0/0 all
2 192.168.100.201 0.0.0.0/0 all
3 192.168.100.203 0.0.0.0/0 all
######################################################

################################################
neve:/etc/shorewall# iptables-save
# Generated by iptables-save v1.3.3 on Fri Oct 13 10:36:27 2006
*raw
:PREROUTING ACCEPT [845:334082]
:OUTPUT ACCEPT [246:31531]
COMMIT
# Completed on Fri Oct 13 10:36:27 2006
# Generated by iptables-save v1.3.3 on Fri Oct 13 10:36:27 2006
*mangle
:PREROUTING ACCEPT [845:334082]
:INPUT ACCEPT [275:15038]
:FORWARD ACCEPT [570:319044]
:OUTPUT ACCEPT [521382:282249120]
:POSTROUTING ACCEPT [900:352019]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
-A tcfor -s 192.168.100.201 -j MARK --set-mark 0x5
-A tcfor -d 192.168.100.201 -j MARK --set-mark 0x5
COMMIT
# Completed on Fri Oct 13 10:36:27 2006
# Generated by iptables-save v1.3.3 on Fri Oct 13 10:36:27 2006
*nat
:PREROUTING ACCEPT [74:4725]
:POSTROUTING ACCEPT [8:333]
:OUTPUT ACCEPT [0:0]
:net_dnat - [0:0]
:ppp0_masq - [0:0]
-A PREROUTING -i ppp0 -j net_dnat
-A POSTROUTING -o ppp0 -j ppp0_masq
-A net_dnat -p tcp -m tcp --dport 3901 -j DNAT --to-destination 192.168.100.201:3389
-A ppp0_masq -s 192.168.100.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 13 10:36:27 2006
# Generated by iptables-save v1.3.3 on Fri Oct 13 10:36:27 2006
*filter
:Drop - [0:0]
:INPUT DROP [3:87]
:FORWARD DROP [6:356]
:OUTPUT DROP [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -j Reject
-A INPUT -j ULOG --ulog-prefix "Shorewall:INPUT:REJECT:"
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Reject
-A FORWARD -j ULOG --ulog-prefix "Shorewall:FORWARD:REJECT:"
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j fw2net
-A OUTPUT -o eth0 -j fw2loc
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -j ACCEPT
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j ULOG --ulog-prefix "Shorewall:all2all:REJECT:"
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o ppp0 -j loc2net
-A eth0_fwd -o eth1 -j ACCEPT
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j loc2fw
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -o ppp0 -j loc2net
-A eth1_fwd -o eth0 -j ACCEPT
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -j loc2fw
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j ACCEPT
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 80 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 443 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 110 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 995 -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 25 -j ACCEPT
-A fw2loc -p udp -m udp --dport 33434:33524 -j ACCEPT
-A fw2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2loc -j fw2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 443 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 22 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 110 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 995 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 25 -j ACCEPT
-A fw2net -p udp -m udp --dport 33434:33524 -j ACCEPT
-A fw2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw2net -p gre -j ACCEPT
-A fw2net -j fw2all
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 21 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 995 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A loc2fw -p udp -m udp --dport 33434:33524 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -j loc2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 21 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 110 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 995 -j ACCEPT
-A loc2net -p tcp -m tcp --dport 25 -j ACCEPT
-A loc2net -p udp -m udp --dport 33434:33524 -j ACCEPT
-A loc2net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2net -j loc2all
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 21 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 995 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p udp -m udp --dport 33434:33524 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 3128 -j DROP
-A net2fw -p gre -j ACCEPT
-A net2fw -p tcp -m tcp --dport 1723 -j ACCEPT
-A net2fw -j all2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -p tcp -m tcp --dport 80 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 443 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 22 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 21 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 110 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 995 -j ACCEPT
-A net2loc -p tcp -m tcp --dport 25 -j ACCEPT
-A net2loc -p udp -m udp --dport 33434:33524 -j ACCEPT
-A net2loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2loc -d 192.168.100.201 -p tcp -m tcp --dport 3389 -j ACCEPT
-A net2loc -j all2all
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -o eth0 -j net2loc
-A ppp0_fwd -o eth1 -j net2loc
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -j net2fw
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.100.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.100.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.100.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Fri Oct 13 10:36:27 2006
###################################################

what I want to do is limit the traffic to 100kbits to 192.168.100.201... it's not working, neither outgoing nor incoming traffic.

Any help would be appreciated!!!

Cheers from Brazil,
Ismael
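
A consistency check for the configuration posted above, as an added example that is not part of the original message: the tcrules file assigns marks 1, 2 and 3, while the only MARK rules in the dump's mangle table set 0x5 for 192.168.100.201. The Python below compares the two and reports every address whose loaded mark differs from the configured one; the function names are hypothetical and the inputs are excerpts copied from the post.

```python
import re

# Excerpts copied from the post above: tcrules and the *mangle MARK rules.
TCRULES = """\
1 192.168.100.202 0.0.0.0/0 all
2 192.168.100.201 0.0.0.0/0 all
3 192.168.100.203 0.0.0.0/0 all
"""
MANGLE = """\
*mangle
:tcfor - [0:0]
-A FORWARD -j tcfor
-A tcfor -s 192.168.100.201 -j MARK --set-mark 0x5
-A tcfor -d 192.168.100.201 -j MARK --set-mark 0x5
COMMIT
"""
RULE = re.compile(r"^-A \S+ .*?-[sd] (\S+) .*-j MARK --set-mark (\S+)")

def configured_marks(tcrules):
    """Map source address -> mark from tcrules lines (MARK SOURCE DEST PROTO)."""
    marks = {}
    for line in tcrules.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            # Assumption: a mark may carry a chain suffix (e.g. 2:F); keep the number.
            marks[fields[1]] = int(fields[0].split(":")[0], 0)
    return marks

def loaded_marks(dump):
    """Map address -> set of marks applied by MARK rules in the *mangle table."""
    marks, in_mangle = {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_mangle = line.strip() == "*mangle"
        m = RULE.match(line) if in_mangle else None
        if m:
            marks.setdefault(m.group(1), set()).add(int(m.group(2), 0))
    return marks

def compare(tcrules, dump):
    """Return {address: (configured mark, loaded marks)} where the two differ."""
    loaded = loaded_marks(dump)
    return {addr: (mark, sorted(loaded.get(addr, ())))
            for addr, mark in configured_marks(tcrules).items()
            if loaded.get(addr) != {mark}}

if __name__ == "__main__":
    for addr, (want, got) in compare(TCRULES, MANGLE).items():
        print(f"{addr}: tcrules mark {want}, loaded marks {got or 'none'}")
```

Run against the full files, pass the contents of /etc/shorewall/tcrules and the complete iptables-save output to compare(); an empty result means every configured mark is present in the loaded ruleset.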