Alejandro,

So, I did try the script that you gave me, and the problem continues. Maybe the problem was in the IPTABLES rules; I attach the complete script below:

#####################
ifconfig imq0 up

tc qdisc add dev imq0 handle 1: root htb default 30
tc class add dev imq0 parent 1: classid 1:1 htb rate 500kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 100kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 100kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 100kbit ceil 2000kbit

tc qdisc add dev imq0 parent 1:10 handle 2 sfq
tc qdisc add dev imq0 parent 1:20 handle 3 sfq

iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20

iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
#####################

The traffic still goes out through the "default" qdisc (1:30), and it is not classified into the correct qdisc. I tried an FTP transfer using TCP ports 20 and 21; this should use the 1:20 qdisc associated with "handle 3"... BUT IT DID NOT WORK...!!!

Please, help me...!!!

--
terraja-based

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

On Saturday 28 April 2007 19:33, terraja-based wrote:
> [...]
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>
> tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
> tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
> [...]
> The traffic it continues goes out by the "default" qdisc (1:30), and it was
> not clasified by the correct qdisc.

Hmm, you are trying to "redirect" all packets from eth1 to imq0, and then you are trying to mark packets for http and ftp connections. Well, I think you need to change your configuration again: if you put '-j IMQ --todev 0' as the first rule, then all packets will match it and will not pass through the rest of the chain, so any rule after that one will never match a packet. You need to mark the packets first, and send them to the imq device later. Maybe something like this:

--------------------------------8<-------------------------8<-----------------------------------
[...]
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
[...]
--------------------------------8<-------------------------8<-----------------------------------

PS: as far as I know, marks 0, 1, and 2 are iptables marks (reserved marks), so if I were you, I would start marking with number 3 or greater.

--
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana

Hello terraja-based,

terraja-based wrote:
[snip]
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
[snip]
> The traffic it continues goes out by the "default" qdisc (1:30), and it was
> not clasified by the correct qdisc.
[snip]

The marks you set here will be gone as soon as the packet leaves; connmark could do the trick here. Still, matching --sport on the imq device should do the job as well, at least for http at port 80. For ftp, passive mode (data) connections will go to the default class, as the server's port is chosen at runtime; to catch them, better use a level-7 filter (e.g. http://sourceforge.net/projects/l7-filter/).

Bye, Andreas.
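
Added example, not part of the thread and not any poster's own script: one way to combine the two replies, storing the class on the connection with CONNMARK and restoring it onto inbound packets before the IMQ rule. It assumes eth1 is the Internet-facing interface, that the IMQ hook sees the restored mark, and that imq0 already carries the HTB classes from the original script; the `run` and `shape_rules` helpers are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth1 faces the Internet,
# connection tracking with CONNMARK is available, and imq0 already carries
# the HTB classes 1:10 / 1:20 / 1:30 from the original script.
DRY_RUN=${DRY_RUN:-1}    # 1 = only print the commands, 0 = run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

shape_rules() {
    # Outbound: the client connects to the server port, so --dport is
    # meaningful here. Store the class on the connection, not the packet.
    run iptables -t mangle -A POSTROUTING -o eth1 -p tcp --dport 80 -j CONNMARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o eth1 -p tcp --dport 21 -j CONNMARK --set-mark 3

    # Inbound: copy the connection mark onto each reply packet, then hand
    # the packet to imq0. The restore rule has to come before the IMQ rule.
    run iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

    # fw filters on imq0 map the restored marks to the HTB classes.
    # FTP data connections are not covered here and fall into default 1:30.
    run tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
    run tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
}

# Print the rule set when executed directly (dry run by default).
shape_rules
```

After applying the rules for real, `tc -s class show dev imq0` shows per-class byte counters, which tells you whether traffic is leaving the default class.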