A Linux gateway has two interfaces: eth0, with a routable address on an
ISP's network, and eth1, which is 10.0.0.1 on a private network.
There are several hosts connected to eth1, and these are allowed to send
packets out of eth0 only after they login via a form at http://10.0.0.1.
Once a host logs out, the gateway should no longer route packets for it.
Each host also has a specific bandwidth allocation.
I configured the gateway as follows (and it works fine):
iptables -t nat -A POSTROUTING -s 10/8 -o eth0 -j SNAT --to ...
## Per-user rules, created upon login and deleted upon logout.
#
# One class per interface. N is some arbitrary number.
tc class add dev eth1 parent 1: classid 1:N htb rate ... ceil ...
tc class add dev eth0 parent 1: classid 1:N htb rate ... ceil ...
# Mark traffic from host A.B.C.D with a unique mark 0xABCD.
iptables -t mangle -I PREROUTING 1 -i eth1 -s A.B.C.D -j MARK --set-mark 0xABCD
iptables -t mangle -I PREROUTING 2 -i eth1 -s A.B.C.D -j RETURN
# Classify outgoing traffic by mark; incoming by private destination.
tc filter add dev eth0 parent 1: protocol ip handle 0xABCD fw classid 1:N
tc filter add dev eth1 parent 1: protocol ip u32 match ip dst A.B.C.D flowid 1:N
My problem is with efficiently discarding all unmarked traffic. I am now
doing this as follows:
# This goes after all the per-user "good mark" rules:
iptables -t mangle -A PREROUTING -j MARK --set-mark 0xfffffff
# And this throws away "bad mark" packets.
tc filter add dev eth0 parent 1: protocol ip handle 0xfffffff fw \
police mpu 0 mtu 1 action drop/drop
This works fine, but I'd love to hear any suggestions about how to do it
in a better way. (I tried a few other approaches, such as having a rule
in filter/FORWARD that ACCEPTed only "-m mark \! --mark 0" packets, but
that and similar solutions that are O(1) in the number of hosts did not
work as I expected, due to the persistence of conntrack entries.)
Questions, comments, and suggestions are welcome.
-- ams
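The per-user rule set described in the post, wrapped as login/logout helpers. This is an added example, not the poster's script; it assumes hosts live in 10.0.0.0/16 so that the low 16 bits of the address can serve as mark, class minor number and filter prio, and it defaults to printing the commands rather than running them.

```sh
#!/bin/sh
# Added example, not the poster's script: generate the per-user mark/class/filter
# rule set described above for a host that logs in, and undo it on logout.
# Assumptions: hosts live in 10.0.0.0/16, so n = (3rd octet * 256 + 4th octet)
# is unique per host and fits in 16 bits; n serves as the fw mark (0xABCD style),
# the HTB class minor number N, and the filter prio, so a logout can delete the
# host's filters by prio alone. Valid host addresses give 1 <= n <= 65534, so the
# catch-all "bad mark" filter should be added with an explicit prio 65535.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# host_num 10.0.3.5 -> 773
host_num() {
    rest=${1#*.*.}; o3=${rest%.*}; o4=${rest#*.}
    echo $(( o3 * 256 + o4 ))
}

# login HOST RATE CEIL: classes on both interfaces, mark rules, classifiers.
login() {
    host=$1; rate=$2; ceil=$3
    n=$(host_num "$host"); hexn=$(printf '%x' "$n")
    run tc class add dev eth1 parent 1: classid "1:$hexn" htb rate "$rate" ceil "$ceil"
    run tc class add dev eth0 parent 1: classid "1:$hexn" htb rate "$rate" ceil "$ceil"
    # Inserted at the top of PREROUTING so they run before the catch-all MARK rule.
    run iptables -t mangle -I PREROUTING 1 -i eth1 -s "$host" -j MARK --set-mark "0x$hexn"
    run iptables -t mangle -I PREROUTING 2 -i eth1 -s "$host" -j RETURN
    run tc filter add dev eth0 parent 1: protocol ip prio "$n" handle "0x$hexn" fw classid "1:$hexn"
    run tc filter add dev eth1 parent 1: protocol ip prio "$n" u32 match ip dst "$host" flowid "1:$hexn"
}

# logout HOST: undo the above; filters must go before the class they reference.
logout() {
    host=$1; n=$(host_num "$host"); hexn=$(printf '%x' "$n")
    run iptables -t mangle -D PREROUTING -i eth1 -s "$host" -j MARK --set-mark "0x$hexn"
    run iptables -t mangle -D PREROUTING -i eth1 -s "$host" -j RETURN
    run tc filter del dev eth0 parent 1: protocol ip prio "$n"
    run tc filter del dev eth1 parent 1: protocol ip prio "$n"
    run tc class del dev eth0 classid "1:$hexn"
    run tc class del dev eth1 classid "1:$hexn"
}

# Demonstration: the commands a login and a later logout would issue.
login 10.0.3.5 512kbit 1mbit
logout 10.0.3.5
```

Run with DRY_RUN=0 as root on the gateway to apply the commands instead of printing them.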
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/