I am currently running the following script on an internal machine to shape outbound ftp and email traffic.

I am trying to move the script to my nat router (ipcop with 2 nic cards) so that it shapes the whole network and not only the outbound of 1 box.

I have cable modem -> ipcop (eth1) > (eth0 - 192.168.1.1) > 192.168.1.100 and 192.168.1.101.

The script works great running on 192.168.1.101. But I cannot get it to work on either of the ipcop interfaces.

Does it have something to do with NAT?

Script:

#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed

# mark the outbound passive ftp packets on ports 50000-51000
# (tear down any previous copy of the chain first, ignoring errors)
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# mark packets: 20 is lan traffic, 26 is active ftp and passive ftp,
# 30 is ACK for downloads, 35 is email
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 30
iptables -t mangle -A MYSHAPER-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 35

# clear it (the error when no qdisc is attached yet is harmless)
tc qdisc del dev eth0 root 2> /dev/null

# add the root qdisc; unclassified traffic goes to class 1:2
# (the minor id after "default" is hex, and there is no class 1:20)
tc qdisc add dev eth0 root handle 1: htb default 2

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# add leaf classes, 1:2 is lan, 1:3 is outbound max
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 40kbps

# 1:31 is ftp with lower prio, 1:32 is ACK and email with higher prio
tc class add dev eth0 parent 1:3 classid 1:31 htb rate 1kbps ceil 40kbps prio 2
tc class add dev eth0 parent 1:3 classid 1:32 htb rate 20kbps ceil 40kbps prio 1

# filter traffic into classes by firewall mark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 35 fw flowid 1:32
Jody Shumaker wrote:
> On 3/3/06, nix4me <nix4me@cfl.rr.com> wrote:
>> I am currently running the following script on an internal machine to
>> shape outbound ftp and email traffic.
>>
>> I am trying to move the script to my nat router (ipcop with 2 nic cards)
>> so that it shapes the whole network and not only the outbound of 1 box.
>>
>> I have cable modem -> ipcop (eth1) > (eth0 - 192.168.1.1) >
>> 192.168.1.100 and 192.168.1.101.
>
> Does this mean the cable modem is on eth1? You need to use whichever
> device is connected to the cable modem. Based on the above, it seems
> like eth0 is for the local network and yet all of your rules below are
> for eth0. This would only be useful for shaping incoming bandwidth
> from the internet, not bandwidth to the internet.
>
>> The script works great running on 192.168.1.101. But I cannot get it
>> to work on either of the ipcop interfaces.
>>
>> Does it have something to do with NAT?
>
> Since you're not matching on addresses, it shouldn't have to do with
> NAT. I also noticed in your rules you have a local traffic 100mbit
> class, if your cable modem is the only thing connected to the pc you
> shouldn't have such a class as it serves no purpose and could break
> things.
>
> - Jody

I have changed the eth0 to eth1 and changed the 100mbit root class to 1mbit. Still doesn't work.

nix4me
On Saturday, 4 March 2006 01:00, nix4me wrote:
> I am currently running the following script on an internal machine to
> shape outbound ftp and email traffic.
>
> I am trying to move the script to my nat router (ipcop with 2 nic
> cards) so that it shapes the whole network and not only the outbound
> of 1 box.
>
> I have cable modem -> ipcop (eth1) > (eth0 - 192.168.1.1) >
> 192.168.1.100 and 192.168.1.101.
>
> The script works great running on 192.168.1.101. But I cannot get
> it to work on either of the ipcop interfaces.
>
> Does it have something to do with NAT?
>
> Script:
> #!/bin/bash
> # shaping passive and active outbound ftp traffic on an internal
> # computer without affecting inbound and lan speed
>
> # mark the outbound passive ftp packets on ports 50000-51000
> iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

You must mark your traffic in the FORWARD or POSTROUTING chain. OUTPUT is only for locally generated traffic.

-- 
Markus Schulz

"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot, Henrique Holschuh
Markus Schulz wrote:
> You must mark your traffic in the FORWARD or POSTROUTING chain. OUTPUT is
> only for locally generated traffic.

I have a 1 mbit upstream cable service (approx 120kbytes/sec). Ok, here is my plan:

                     +---------+
                     | root 1: |
                     +---------+
                          |
        +---------------------------------------+
        | class 1:1 (1 mbit send speed total)   |
        +---------------------------------------+
              |                        |
  +-------------------+   +--------------------------+
  |1:2 Default 1 mbit |   |1:3 Capped outbound 105 Kb|
  +-------------------+   +--------------------------+
                               |               |
                             1:31            1:32
                        50k ceil 105K   50K ceil 105k
                           prio 2          prio 1
                        FTP traffic      Email, ACK

This allows me to set a cap on 1:3 and then divide that cap into 2 classes: 1:31 for lower prio FTP traffic and 1:32 for higher prio email and ACK traffic. This allows the FTP to consume all 105K until I send an email or download a huge file, then the email or ACK from the download can borrow from the ftp due to its higher priority. All other traffic will be lumped into the default 1:2 (I think).

I will use these rules:

# the chain has to exist before a rule can jump to it
iptables -t mangle -N BW-OUT
iptables -t mangle -I POSTROUTING -o eth1 -j BW-OUT
iptables -t mangle -A BW-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j MARK --set-mark 30
iptables -t mangle -A BW-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 35

# unclassified traffic goes to class 1:2 (the minor id is hex; there is no class 1:20)
tc qdisc add dev eth1 root handle 1: htb default 2
tc class add dev eth1 parent 1: classid 1:1 htb rate 1mbit
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 1mbit
tc class add dev eth1 parent 1:1 classid 1:3 htb rate 105kbps
tc class add dev eth1 parent 1:3 classid 1:31 htb rate 50kbps ceil 105kbps prio 2
tc class add dev eth1 parent 1:3 classid 1:32 htb rate 50kbps ceil 105kbps prio 1
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 35 fw flowid 1:32

This should work on my linux router on eth1, which is the interface facing the internet. I am assuming that the POSTROUTING chain is the correct way to do this. Any issues here?

nix4me
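As an added example, not code from the thread or from ipcop, here is the router-side version of the plan above written as a generator script: it prints the iptables and tc command list so it can be reviewed before it is applied as root, marks in mangle POSTROUTING as Markus advises (forwarded packets never traverse OUTPUT, and mangle POSTROUTING still sees the LAN host's original source port because nat POSTROUTING runs after it), and checks the HTB invariant that sibling guaranteed rates must not exceed the parent's rate. The interface name eth1, the 1000 kbit upstream, the 840 kbit cap (105 kbyte/s) and the BW-OUT chain name are assumptions; the mark numbers and class ids follow the thread. Rates are written in kbit throughout because tc's "kbps" means kilobytes per second, which is easy to misread.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   sh shaper.sh show    - print the commands that would be run
#   sudo sh shaper.sh apply - check the rate tree, then run them
# Assumed values; override from the environment if your box differs.
WAN="${WAN:-eth1}"          # interface facing the cable modem
UP_KBIT="${UP_KBIT:-1000}"  # total upstream, kbit/s (1 mbit)
CAP_KBIT="${CAP_KBIT:-840}" # cap for class 1:3, kbit/s (105 kbyte/s)

# Marks as in the thread: 20 default, 26 ftp data, 30 small packets (ACKs), 35 smtp.
# Marking happens in mangle POSTROUTING so that both forwarded LAN traffic and
# the router's own traffic are classified; OUTPUT only sees the latter.
gen_mangle_rules() {
    cat <<EOF
iptables -t mangle -D POSTROUTING -o $WAN -j BW-OUT 2>/dev/null || true
iptables -t mangle -F BW-OUT 2>/dev/null || true
iptables -t mangle -X BW-OUT 2>/dev/null || true
iptables -t mangle -N BW-OUT
iptables -t mangle -I POSTROUTING -o $WAN -j BW-OUT
iptables -t mangle -A BW-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A BW-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A BW-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A BW-OUT -p tcp -m length --length :64 -j MARK --set-mark 30
iptables -t mangle -A BW-OUT -p tcp --dport 25 -j MARK --set-mark 35
EOF
}

# HTB tree: 1:2 is guaranteed the remainder and may borrow up to the full link,
# 1:3 is hard-capped at CAP_KBIT and split into ftp (low prio) and ack/mail (high prio).
# "default 2" sends unclassified traffic to class 1:2 (the minor id is hex).
gen_tc_rules() {
    half=$((CAP_KBIT / 2))
    cat <<EOF
tc qdisc del dev $WAN root 2>/dev/null || true
tc qdisc add dev $WAN root handle 1: htb default 2
tc class add dev $WAN parent 1: classid 1:1 htb rate ${UP_KBIT}kbit
tc class add dev $WAN parent 1:1 classid 1:2 htb rate $((UP_KBIT - CAP_KBIT))kbit ceil ${UP_KBIT}kbit
tc class add dev $WAN parent 1:1 classid 1:3 htb rate ${CAP_KBIT}kbit ceil ${CAP_KBIT}kbit
tc class add dev $WAN parent 1:3 classid 1:31 htb rate ${half}kbit ceil ${CAP_KBIT}kbit prio 2
tc class add dev $WAN parent 1:3 classid 1:32 htb rate ${half}kbit ceil ${CAP_KBIT}kbit prio 1
tc filter add dev $WAN parent 1:0 protocol ip prio 1 handle 20 fw flowid 1:2
tc filter add dev $WAN parent 1:0 protocol ip prio 1 handle 26 fw flowid 1:31
tc filter add dev $WAN parent 1:0 protocol ip prio 1 handle 30 fw flowid 1:32
tc filter add dev $WAN parent 1:0 protocol ip prio 1 handle 35 fw flowid 1:32
EOF
}

# HTB can only honour guaranteed rates if the children of a class do not add up
# to more than the parent's rate. Returns 0 when the given parent/children are consistent.
check_htb_rates() {
    parent=$1; shift
    sum=0
    for r in "$@"; do sum=$((sum + r)); done
    [ "$sum" -le "$parent" ]
}

# Check both levels of the tree built by gen_tc_rules.
check_tree() {
    check_htb_rates "$UP_KBIT" $((UP_KBIT - CAP_KBIT)) "$CAP_KBIT" &&
    check_htb_rates "$CAP_KBIT" $((CAP_KBIT / 2)) $((CAP_KBIT / 2))
}

gen_all() { gen_mangle_rules; gen_tc_rules; }

case "${1:-}" in
    show)  gen_all ;;
    apply) check_tree || { echo "rate tree oversubscribed" >&2; exit 1; }
           gen_all | sh -e ;;
esac
```

With the assumed values the default class gets 160 kbit guaranteed and can borrow the rest, so the two children of 1:1 sum to exactly 1000 kbit; giving 1:2 the full link rate as well would fail check_tree, which is the point of running it before apply. Once applied, `tc -s class show dev eth1` shows per-class byte counters, which is the quickest way to confirm that ftp data really lands in 1:31 and smtp in 1:32.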