I know this is not the right place to ask this question, but I have a
stateful firewall and I am doing CONNTRACKING to mark the TCP connections,
and then with filters based on fw marks put them in the right qdisc.
The problem is that I have an uplink bandwidth of 300kbit restricted to
250kbit by the htb class. Here is my script to mark my traffic with qdiscs:
DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 20
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit
## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
## Non Interactive
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
## ICMP
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40
## Web-Server
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50
And here is my mangle setup:
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j kazaa
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j marks
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
marks and kazaa are just -j MARK according to the traffic.
I am monitoring at which speed each class is sending data, and it only goes
up to 10KB altogether.
Does anybody know why it is not going up to at least 20-23 KB? I am going
crazy! :)
Interactive traffic goes quite well actually, but since I am getting such a low
uplink speed, I suppose I am not getting good usage of the downlink
traffic, maybe because it does not send ACK packets quickly enough.
Anybody willing to help? :)
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
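
An added example, not part of the original post: a small consistency check over the HTB class lines quoted in the message above. It flags a class that names itself as its parent, child rates that add up to more than the parent's rate, and a ceil above the parent's ceil. The function names are hypothetical, and ${DEV} is assumed to be expanded to eth0 as in the script.

```python
import re

# The qdisc/class lines from the post, wrapped lines rejoined and ${DEV} expanded.
POSTED = """\
tc qdisc add dev eth0 handle 1: root htb default 20
tc class add dev eth0 parent 1:1 classid 1:1 htb rate 250kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc class add dev eth0 parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
"""

CLASS_RE = re.compile(
    r"parent (\S+) classid (\S+) htb rate (\d+)kbit(?: ceil (\d+)kbit)?")


def parse_classes(script):
    """Return {classid: (parent, rate_kbit, ceil_kbit)} for each htb class line."""
    classes = {}
    for line in script.splitlines():
        m = CLASS_RE.search(line)
        if m:
            parent, classid, rate, ceil = m.groups()
            rate = int(rate)
            # HTB uses the rate as the ceil when no ceil is given.
            classes[classid] = (parent, rate, int(ceil) if ceil else rate)
    return classes


def audit(script):
    """Return a list of findings about the HTB class tree."""
    classes = parse_classes(script)
    findings = []
    for cid, (parent, rate, ceil) in classes.items():
        if parent == cid:
            findings.append(f"{cid}: parent is the class itself")
        children = [c for c, (p, _, _) in classes.items() if p == cid and c != cid]
        total = sum(classes[c][1] for c in children)
        if children and total > rate:
            findings.append(
                f"{cid}: child rates sum to {total}kbit, above its {rate}kbit rate")
        if parent in classes and parent != cid and ceil > classes[parent][2]:
            findings.append(
                f"{cid}: ceil {ceil}kbit exceeds parent ceil {classes[parent][2]}kbit")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED):
        print(finding)
```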