hi all

i did the following test again but ..:( .. failed again !!
i need some guidance now from Gurus here..

iptables -A PREROUTING -t mangle -i eth1 -s ..... -j mark 101
iptables -A PREROUTING -t nat -i eth1 -s ... -j REDIRECT --to-port 3128

tc qdisc ............... handle 101 fw flowid 1:170

iptables -nvL INPUT , iptables -nvL -t mangle , iptables -nvL -t nat did
show data passing BUT i couldnt limit bandwidth !!!
tc -s -d class/qdisc...... command didnt show any data passing thru--i.e
it remained ZERO !

i am already running a bandwidth restrictor(cbq+sfq) & while doing this
test i only changed the above tc command !
my requirement is to provide bandwidth based on port network(local net).

iproute2 version ss010803
iptables version v1.2.4
kernel 2.4.17

i would be grateful for some direction ....
thanx in anticipation

arindam haldar
On Wednesday 02 January 2002 05:59, Arindam Haldar wrote:
> hi all
>
> i did the following test again but ..:( .. failed again !!
> i need some guidance now from Gurus here..

If you execute iptables -L -v -n -t nat, you can see the byte counters for
each rule you inserted. Are these incremented or not if you generate some
traffic ?

Stef

> iptables -A PREROUTING -t mangle -i eth1 -s ..... -j mark 101
> iptables -A PREROUTING -t nat -i eth1 -s ... -j REDIRECT --to-port 3128
>
> tc qdisc ............... handle 101 fw flowid 1:170
>
> iptables -nvL INPUT , iptables -nvL -t mangle , iptables -nvL -t nat did
> show data passing BUT i couldnt limit bandwidth !!!
> tc -s -d class/qdisc...... command didnt show any data passing thru--i.e
> it remained ZERO !

--
stef.coene@docum.org
More QOS info : http://www.docum.org/
Title : "Using Linux as bandwidth manager"
hi

i did those test & as i said in my last mail there is traffic passing thru
ir bytes counter r increasing but the tc command doesnt show any
restriction. seem like marked pkts r not going thru the iproute

any suggestions ??

thanx in anticipation
arindam haldar
On Thursday 03 January 2002 15:17, Arindam Haldar wrote:
> hi
> i did those test & as i said in my last mail there is traffic passing thru
> ir bytes counter r increasing but the tc command doesnt show any
> restriction. seem like marked pkts r not going thru the iproute

Sorry, you wrote too encrypted for me to understand everything ;-)
If I understand correctly, everything works if you use CBQ & SFQ, but the fw
filter is not working like it should be ?

> any suggestions ??

Can you post the scripts you are using so I can try them myself ?

Stef

--
stef.coene@docum.org
More QOS info : http://www.docum.org/
Title : "Using Linux as bandwidth manager"
hi,

Stef Coene wrote:
> On Thursday 03 January 2002 15:17, Arindam Haldar wrote:
>>hi
>>i did those test & as i said in my last mail there is traffic passing thru
>>ir bytes counter r increasing but the tc command doesnt show any
>>restriction. seem like marked pkts r not going thru the iproute
>>
> Sorry, you wrote too encrypted for me to understand everything ;-)
> If I understand correctly, everything works if you use CBQ & SFQ, but the fw
> filter is not working like it should be ?

YES !!! .. UR ABSOLUTELY RIGHT !!!! :-)

>
>>any suggestions ??
>>
> Can you post the scripts you are using so I can try them myself ?
>
> Stef
>

THIS IS MY TRUNCATED SCRIPT(MARK RELATED) !

iptables -A INPUT -i eth4 -s 192.168.1.1 -j ACCEPT
iptables -A FORWARD -o eth0 -s 192.168.1.1 -j ACCEPT
iptables -A PREROUTING -t nat -i eth4 -p 6 --dport 80 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t mangle -i eth4 -s 192.168.1.1 -d a.b.c.d -j MARK --set-mark 55
iptables -A PREROUTING -t mangle -i eth4 -s 192.168.1.1 -d ! a.b.c.d -j MARK --set-mark 51
iptables -A POSTROUTING -t mangle -o eth0 -s 192.168.1.1 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -d 192.168.1.1 -s a.b.c.d -j MARK --set-mark 56
iptables -A PREROUTING -t mangle -i eth0 -d 192.168.1.1 -s ! a.b.c.d -j MARK --set-mark 52

###--32kbps for x-LAN
tc class add dev eth4 parent 5:1 classid 5:191 est 2sec 10sec cbq bandwidth 512Kbit rate 32Kbit allot 5\1514 weight 3.2Kbit prio 2 maxbrust 5 avpkt 1500 bounded
tc qdisc add dev eth4 parent 5:191 sfq perturb 10
tc filter add dev eth4 parent 5:0 protocol ip prio 10 handle 51 fw flowid 5:191
tc filter add dev eth4 parent 5:0 protocol ip prio 10 handle 52 fw flowid 5:191

###--128 for LAN
tc class add dev eth4 parent 5:1 classid 5:192 est 2sec 10sec cbq bandwidth 512Kbit rate 128Kbit allot 5\1514 weight 3.2Kbit prio 2 maxbrust 5 avpkt 1500 bounded
tc qdisc add dev eth4 parent 5:192 sfq perturb 10
tc filter add dev eth4 parent 5:0 protocol ip prio 10 handle 55 fw flowid 5:192
tc filter add dev eth4 parent 5:0 protocol ip prio 10 handle 56 fw flowid 5:192

similar for eth0 too !!

thanx in anticipation
arindam haldar
Hi,

I'm new to this list and I was wondering if any of you could help me out
with my traffic problem.

I did get some limiting to work but it's not working the way I want and
that's mostly because I still don't understand some of the commands I'm
using. I want to limit my total bandwidth to a maximum of 256kbits but I
don't want one user to take it all. I also don't want to have everyone
suffer because one site has a lot of hits. I want to make the site with the
high traffic slower than the other sites but I don't want the total to go
over 256kbits. The IP of the high traffic site is 209.150.199.225. All
others should be able to download at a speed up to 200k and have priority
over the high traffic site.

Also does anyone have a nice traffic monitor that shows me the traffic of
each IP which I can use with rrdtool? I have cban right now but it only
shows overall traffic on the adapter.

Here is what I have right now. It is limiting traffic at 256kbits more or
less but I still get spikes over 1mbits which kills my average and gets me
the high ISP bill at the end of the month.
This is what I want (kind of):

*************************************************
* eth0 (Limit to 256kbits)                      *
* ********************** ********************** *
* * Lower Priority     * * Higher Priority    * *
* * 209.58.199.225     * * All other IPs      * *
* * (150k Max total)   * * (200k Max total)   * *
* * (100K max per      * * (180k max per      * *
* * connection)        * * connection)        * *
* ********************** ********************** *
*************************************************

This is what I'm doing:

# I don't know if I have to do this at all
/sbin/ip address add 209.58.199.225 dev eth0
/sbin/ip address add 209.58.199.226 dev eth0
/sbin/ip address add 209.58.199.227 dev eth0
/sbin/ip address add 209.58.199.228 dev eth0
/sbin/ip address add 209.58.199.229 dev eth0
/sbin/ip address add 209.58.199.230 dev eth0
/sbin/ip address add 209.58.199.231 dev eth0
/sbin/ip address add 209.58.199.232 dev eth0
/sbin/ip address add 209.58.199.233 dev eth0
/sbin/ip address add 209.58.199.234 dev eth0
/sbin/ip address add 209.58.199.235 dev eth0
/sbin/ip address add 209.58.199.236 dev eth0
/sbin/ip address add 209.58.199.237 dev eth0
/sbin/ip address add 209.58.199.238 dev eth0
/sbin/ip address add 209.58.199.239 dev eth0

# Here I think I'm making some kind of parent which limits all traffic to 256kbits, its name is 1
/sbin/tc qdisc add dev eth0 root handle 1: cbq bandwidth 256kbit avpkt 1000

# create a subparent of parent 1:0 called 1:1 with also a 256kbits limit? Not sure what the other half of the command does?! allot? weight?
/sbin/tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 256Kbit rate 256Kbit allot 1500 weight 16 avpkt 1000

#create a child of parent 1:1 called 1:10 and some limiting I don't understand?!
/sbin/tc class add dev eth0 parent 1:1 classid 1:10 cbq bandwidth 200Kbit rate 180Kbit allot 1500 weight 100kbit prio 5 maxburst 20 avpkt 1000 bounded
/sbin/tc class add dev eth0 parent 1:1 classid 1:11 cbq bandwidth 150Kbit rate 100Kbit allot 1500 weight 64kbit prio 5 maxburst 20 avpkt 1000 bounded

#??? u32??
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 1

#Filter IPs to certain children
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.225 flowid 1:11
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.226 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.227 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.228 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.229 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.230 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.231 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.232 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.233 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.234 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.235 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.236 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.237 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.238 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.199.239 flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip u32 match ip src 209.58.150.51 flowid 1:10

Do I make any sense?

thanks for any help you can give me.

-Stefan
stefan@techdroid.com
On Fri, Jan 04, 2002 at 02:18:26AM -0500, Stefan Schueller wrote:
> I did get some limiting to work but it's not working the way I want and
> that's mostly because I still don't understand some of the commands I'm
> using. I want to limit my total bandwidth to a maximum of 256kbits but I
> don't want one user to take it all. I also don't want to have everyone
> suffer because one site has a lot of hits. I want to make the site with the
> high traffic slower than the other sites but I don't want the total to go
> over 256kbits. The IP of the high traffic site is 209.150.199.225. All
> others should be able to download at a speed up to 200k and have priority
> over the high traffic site.

Ok. What you want is a 256kbit/s CBQ with SFQ within.

> Also does anyone have a nice traffic monitor that shows me the traffic of
> each IP which I can use with rrdtool? I have cban right now but it only
> shows overall traffic on the adapter.

I use iptables to make rules matching each IP, and then hook that up to
rrdtool with some sed/grep magic.

> Here is what I have right now. It is limiting traffic at 256kbits more or
> less but I still get spikes over 1mbits which kills my average and gets me
> the high ISP bill at the end of the month.

You may want to read http://ds9a.nl/lartc/manpages - It will explain the
stuff you are guessing at.

How does your ISP measure your usage? 10 second interval? The ISPs I know
use a 5 minute interval.

Regards,

bert

--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
Netherlabs BV / Rent-a-Nerd.nl - Nerd Available -
Linux Advanced Routing & Traffic Control: http://ds9a.nl/lartc
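
Added example, not part of the original thread and not bert's own script: one way to turn per-IP iptables rule counters into numbers a grapher such as rrdtool can take, plus the average rate over a measurement interval like the 5 minutes mentioned above. The chain name ACCT, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. ACCT is a hypothetical accounting chain with one rule per IP
# (for instance: iptables -A ACCT -s 209.58.199.225, with no -j target).

# Constructed sample of `iptables -L ACCT -v -n -x` output (-x = exact byte counts).
sample_counters() {
cat <<'EOF'
Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     812    1048576            all  --  *      eth0    209.58.199.225       0.0.0.0/0
      40      20480            all  --  *      eth0    209.58.199.226       0.0.0.0/0
      10       4096 RETURN     tcp  --  *      eth0    209.58.199.225       0.0.0.0/0           tcp spt:80
EOF
}

# Read the listing on stdin, print "source-ip total-bytes", one line per IP.
per_ip_bytes() {
    awk '
        # Rule lines start with two integers; chain and column headers do not.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            # The target column is empty for rules without -j, so locate the
            # "opt" column ("--") instead of using fixed field numbers.
            for (i = 3; i <= NF; i++) if ($i == "--") break
            if (i + 4 > NF) next          # not a complete rule line
            bytes[$(i + 3)] += $2         # opt, in, out, then source
        }
        END { for (ip in bytes) printf "%s %.0f\n", ip, bytes[ip] }
    ' | sort
}

# Average rate in kbit/s between two readings of one counter.
# Arguments: earlier bytes, later bytes, seconds between the readings.
avg_kbit() {
    echo $(( ($2 - $1) * 8 / $3 / 1000 ))
}

sample_counters | per_ip_bytes
avg_kbit 0 9600000 300
```

On a live box the input would come from `iptables -L ACCT -v -n -x` instead of the sample, and each byte total can be stored with `rrdtool update` in a COUNTER data source.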