Having studied a number of documents on the Linux traffic shaper, I started to set up my shaping rules in my network. My Linux box is running RH AS3 U3, shorewall 2.0.9. It is using PPPoE connected to the Internet.

firewall:
  eth0: connected to the adsl modem
  eth1: private net
  ppp0: virtual dial-up interface for pppoe

There is an ftp server on the private net. It is listening on port 21 and configured with 50000:51000 for PASV connections.

My related config files are as follows:

/etc/shorewall/rules
  .
  DNAT all loc:192.168.103.100 tcp 21,20,50000:51000
  .
  .

/etc/shorewall/tcrules
  1 ppp0 0.0.0.0 tcp - 80
  2 ppp0 0.0.0.0 tcp 21,20,50000:51000 21,20,50000:51000
  3 ppp0 0.0.0.0 all

/etc/shorewall/tcstart
  #!/bin/bash
  tc qdisc add dev ppp0 root handle 1: htb default 30
  tc class add dev ppp0 parent 1: classid 1:1 htb rate 440kbit burst 15k
  tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 300kbit
  tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 56kbit
  tc class add dev ppp0 parent 1:1 classid 1:30 htb rate 84kbit ceil 440kbit
  tc filter add dev ppp0 protocol ip parent 1:0 handle 1 fw classid 1:10
  tc filter add dev ppp0 protocol ip parent 1:0 handle 2 fw classid 1:20
  tc filter add dev ppp0 protocol ip parent 1:0 handle 3 fw classid 1:30

All settings were configured and shorewall restarted, with no error message. Then I asked somebody on the Internet to try to download files from my ftp server to see whether the shaping rules worked or not. I used

  tc -s -d class show dev ppp0

It only has data sent to and from class 1:30 (because it is the default). Class 1:20, where I expect ftp traffic should go, shows zero sent bytes.

What settings have I missed? Can anyone help?
On Wed, 2004-11-24 at 17:20 +0800, Adrian Mak wrote:

> What settings have I missed? Can anyone help?

a) Have you set TC_ENABLED=Yes in shorewall.conf?

b) The passive ports used by ftp (I assume that is what 50000:51000 is there for) will be the SOURCE port on outbound traffic, not the DESTINATION port so your marking rules aren't marking that traffic. Similarly, 20 is the SOURCE port for active mode transfers.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
a) I have set TC_ENABLED=Yes in the shorewall.conf file.

b) SOURCE port?? The tcrules file format is

  MARK SOURCE DEST PROTO PORT CLIENT_PORT USER

So what should it look like in my case?

On Wed, 24 Nov 2004 07:55:46 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Wed, 2004-11-24 at 17:20 +0800, Adrian Mak wrote:
>
> > What settings have I missed? Can anyone help?
>
> a) Have you set TC_ENABLED=Yes in shorewall.conf?
> b) The passive ports used by ftp (I assume that is what 50000:51000 is
> there for) will be the SOURCE port on outbound traffic, not the
> DESTINATION port so your marking rules aren't marking that traffic.
> Similarly, 20 is the SOURCE port for active mode transfers.
>
> -Tom
On Thu, 2004-11-25 at 07:06 +0800, Adrian Mak wrote:
> a) I have set TC_ENABLED=Yes in the shorewall.conf file.
> b) SOURCE port?? The tcrules file format is
> MARK SOURCE DEST PROTO PORT CLIENT_PORT USER
>
> So what should it look like in my case?

SOURCE PORT(S) = CLIENT PORT(S).

In the next 2.2.0 Beta/RC, I will rename the column to avoid future confusion.

-Tom
I changed my tcrules:

/etc/shorewall/tcrules
  1 ppp0 0.0.0.0 tcp - 80
  2 ppp0 0.0.0.0 tcp - 21,20,50000:51000
  3 ppp0 0.0.0.0 all

But the ftp shaping still does not work. It didn't go to the desired rule.

On Wed, 24 Nov 2004 15:14:39 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Thu, 2004-11-25 at 07:06 +0800, Adrian Mak wrote:
> > a) I have set TC_ENABLED=Yes in the shorewall.conf file.
> > b) SOURCE port?? The tcrules file format is
> > MARK SOURCE DEST PROTO PORT CLIENT_PORT USER
> >
> > So what should it look like in my case?
>
> SOURCE PORT(S) = CLIENT PORT(S).
>
> In the next 2.2.0 Beta/RC, I will rename the column to avoid future
> confusion.
>
> -Tom
On Thu, 2004-11-25 at 08:15 +0800, Adrian Mak wrote:
> I changed my tcrules:
> /etc/shorewall/tcrules
> 1 ppp0 0.0.0.0 tcp - 80
> 2 ppp0 0.0.0.0 tcp - 21,20,50000:51000
> 3 ppp0 0.0.0.0 all
>
> But the ftp shaping still does not work. It didn't go to the desired rule.

The destination address you have specified is 0.0.0.0 -- that is clearly wrong. You need 0.0.0.0/0.

-Tom
I modified 0.0.0.0 to 0.0.0.0/0 and then restarted shorewall. It still does not work. I'm thinking, is there any other setting needed to make it work??

On Wed, 24 Nov 2004 16:21:28 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Thu, 2004-11-25 at 08:15 +0800, Adrian Mak wrote:
> > I changed my tcrules:
> > /etc/shorewall/tcrules
> > 1 ppp0 0.0.0.0 tcp - 80
> > 2 ppp0 0.0.0.0 tcp - 21,20,50000:51000
> > 3 ppp0 0.0.0.0 all
> >
> > But the ftp shaping still does not work. It didn't go to the desired rule.
>
> The destination address you have specified is 0.0.0.0 -- that is clearly
> wrong. You need 0.0.0.0/0.
>
> -Tom
On Thu, 2004-11-25 at 09:51 +0800, Adrian Mak wrote:
> I modified 0.0.0.0 to 0.0.0.0/0 and then restarted shorewall.
> It still does not work. I'm thinking, is there any other setting needed to make it work??

It is time to send a real problem report. See http://shorewall.net/support.htm and pay attention to the part that starts "This is Important!".

-Tom
Is it a bug?? Let's check.

I removed all entries in the file /etc/shorewall/tcrules, then I modified a tc filter rule from

  tc filter add dev ppp0 protocol ip parent 1:0 handle 1 fw classid 1:10

to

  tc filter add dev ppp0 protocol ip parent 1:0 u32 match ip sport 80 0xffff flowid 1:10

And it works. All http traffic is shaped by classid 1:10.

Then I went further and modified the ftp server filter rule to

  tc filter add dev ppp0 protocol ip parent 1:0 u32 match ip sport 50000:51000 0xffff flowid 1:20

When restarting shorewall, "Processing /etc/shorewall/tcstart....." returned Illegal "match".

So I have two questions to raise.

1.) I can use the u32 classifier to correctly put the desired traffic in a class. Does it mean that shorewall has a problem generating iptables syntax from the tcrules file?

2.) How do I specify a port range in the tc filter u32 classifier?

On Wed, 24 Nov 2004 17:54:18 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Thu, 2004-11-25 at 09:51 +0800, Adrian Mak wrote:
> > I modified 0.0.0.0 to 0.0.0.0/0 and then restarted shorewall.
> > It still does not work. I'm thinking, is there any other setting needed to make it work??
>
> It is time to send a real problem report. See
> http://shorewall.net/support.htm and pay attention to the part that
> starts "This is Important!".
>
> -Tom
On Thu, 2004-11-25 at 15:49 +0800, Adrian Mak wrote:
> Is it a bug?? Let's check.
>
> I removed all entries in the file /etc/shorewall/tcrules, then I modified
> a tc filter rule from
> tc filter add dev ppp0 protocol ip parent 1:0 handle 1 fw classid 1:10
> to
> tc filter add dev ppp0 protocol ip parent 1:0 u32 match ip sport 80
> 0xffff flowid 1:10
>
> And it works. All http traffic is shaped by classid 1:10.
>
> Then I went further and modified the ftp server filter rule to
> tc filter add dev ppp0 protocol ip parent 1:0 u32 match ip sport
> 50000:51000 0xffff flowid 1:20
>
> When restarting shorewall, "Processing /etc/shorewall/tcstart....."
> returned Illegal "match".
>
> So I have two questions to raise.
> 1.) I can use the u32 classifier to correctly put the desired traffic in a class.
> Does it mean that shorewall has a problem generating iptables syntax from
> the tcrules file?

Adrian -- I'm going to tell you one more time and then I'm going to just ignore you. I need a real problem report to answer your question. At a minimum, I need to see your tcrules file AND the output of "shorewall show mangle". I don't believe that there is a problem in Shorewall but all I've seen so far from you is "I tried this and it didn't work".

> 2.) How do I specify a port range in the tc filter u32 classifier?

I have no idea. That has nothing to do with Shorewall.

-Tom
I'm sorry. As I just want to figure out what the problem I have is, anyway I post all the information on my current configuration files to help investigate.

My firewall config: Redhat Advanced Server 3.0 Update 3

  eth0 - private lan 192.168.103.190
  eth1 - external interface connected to an adsl modem, 192.168.100.1
  ppp0 - PPPoE virtual dialup interface, IP address is dynamically assigned by the ISP

shorewall version 2.0.2f

ip addr show
  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:b0:d0:aa:60:c6 brd ff:ff:ff:ff:ff:ff
      inet 192.168.103.190/24 brd 192.168.103.255 scope global eth0
  5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:01:02:a0:c1:68 brd ff:ff:ff:ff:ff:ff
      inet 192.168.100.1/24 brd 192.168.100.255 scope global eth1
  9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc htb qlen 3
      link/ppp
      inet 202.60.232.45 peer 202.60.229.1/32 scope global ppp0

ip route show
  202.60.229.1 dev ppp0 proto kernel scope link src 202.60.232.45
  192.168.100.0/24 dev eth1 scope link
  192.168.103.0/24 dev eth0 scope link
  169.254.0.0/16 dev eth1 scope link
  127.0.0.0/8 dev lo scope link
  default via 202.60.229.1 dev ppp0

/etc/shorewall/start
  default configuration file. I didn't add any commands at all.

/etc/shorewall/reset
  default configuration file. I didn't add any commands at all.

shorewall status
  http://vip.cyberec.com/~kaichung/status.txt

shorewall show mangle
  http://vip.cyberec.com/~kaichung/mangle.txt

Thanks!!
On Sun, 2004-11-28 at 08:54 +0800, Adrian Mak wrote:
> I'm sorry. As I just want to figure out what the problem I have is, anyway
> I post all the information on my current configuration files to help
> investigate.

You are marking traffic COMING IN on ppp0:

Chain tcpre (1 references)
 pkts bytes target prot opt in   out source    destination
--
   55 40353 MARK   tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0   tcp spt:80            MARK set 0x1
    0     0 MARK   tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0   tcp spt:21            MARK set 0x2
    0     0 MARK   tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0   tcp spt:20            MARK set 0x2
    0     0 MARK   tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0   tcp spts:50000:51000  MARK set 0x2
  125 45652 MARK   all  --  ppp0 *   0.0.0.0/0 0.0.0.0/0                         MARK set 0x3
----

-Tom
Do you mean I mark wrongly in the tcrules file? If so, how do I mark it?

On Sat, 27 Nov 2004 16:59:05 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Sun, 2004-11-28 at 08:54 +0800, Adrian Mak wrote:
> > I'm sorry. As I just want to figure out what the problem I have is, anyway
> > I post all the information on my current configuration files to help
> > investigate.
>
> You are marking traffic COMING IN on ppp0:
>
> Chain tcpre (1 references)
> pkts bytes target prot opt in out source destination
> --
> 55 40353 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK set 0x1
> 0 0 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 MARK set 0x2
> 0 0 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 MARK set 0x2
> 0 0 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spts:50000:51000 MARK set 0x2
> 125 45652 MARK all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x3
> ----
>
> -Tom
On Sun, 2004-11-28 at 11:13 +0800, Adrian Mak wrote:
> Do you mean I mark wrongly in the tcrules file? If so, how do I mark it?

Adrian -- I'm not going to code your rules for you. You may as well stop asking me to. There are not enough hours in a day for me to write every Shorewall user's configuration files for them. YOU have to understand how Shorewall works so YOU can maintain YOUR own firewall.

That having been said, if it were me I would mark those packets that came from my internal interface (eth0 in your case).

Here is ONE example:

#MARK  SOURCE  DEST       PROTO  PORT(S)  CLIENT
#                                         PORT(S)
1      eth0    0.0.0.0/0  tcp    -        80

And if you are silly enough to have a web server running on your firewall, you can add:

#MARK  SOURCE  DEST       PROTO  PORT(S)  CLIENT
#                                         PORT(S)
1      fw      0.0.0.0/0  tcp    -        80

-Tom
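As an added example (not code from the thread or from Shorewall), here is a small Python check that reads the tcpre chain Tom quoted from "shorewall show mangle" and reports MARK rules whose inbound interface is the one carrying the HTB tree, alongside the same chain as it would look after marking on eth0 as Tom suggests. Both chain listings are constructed samples; the packet and byte counts in the second one are made up.

```python
# Added example (not from the thread): check `shorewall show mangle` output for MARK
# rules that can never feed the HTB tree on ppp0. Shorewall's tcrules SOURCE column is
# the interface a packet ARRIVES on (tcpre hangs off PREROUTING), so SOURCE=ppp0 marks
# downloads, while the qdisc on ppp0 only classifies uploads leaving through it.

# Constructed sample 1: the tcpre chain quoted in the thread (marks set on ppp0 input).
MANGLE_BEFORE = """\
Chain tcpre (1 references)
 pkts bytes target prot opt in out source destination
   55 40353 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK set 0x1
    0     0 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 MARK set 0x2
    0     0 MARK tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spts:50000:51000 MARK set 0x2
  125 45652 MARK all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x3
"""

# Constructed sample 2: the same chain once the rules mark packets arriving on eth0
# (counters are invented, not measured).
MANGLE_AFTER = """\
Chain tcpre (1 references)
 pkts bytes target prot opt in out source destination
   12  9800 MARK tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK set 0x1
  470 640000 MARK tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spts:50000:51000 MARK set 0x2
   30  2100 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x3
"""

def parse_mark_rules(text):
    """Parse `iptables -t mangle -vnL` style lines; returns the MARK rules only."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # pkts bytes target prot opt in out source destination [match ...] MARK set 0xN
        if len(f) < 12 or f[2] != "MARK" or f[-3:-1] != ["MARK", "set"]:
            continue
        rules.append({"pkts": int(f[0]), "bytes": int(f[1]), "proto": f[3], "in": f[5],
                      "out": f[6], "match": " ".join(f[9:-3]), "mark": int(f[-1], 16)})
    return rules

def misdirected_marks(rules, shaped_if):
    """MARK rules matching only packets that enter shaped_if: an egress qdisc on that
    interface never sees them, so the classes they point at stay at zero bytes."""
    return [r for r in rules if r["in"] == shaped_if]

def bytes_per_mark(rules):
    """Bytes marked per mark value, to compare against `tc -s class show dev ppp0`."""
    totals = {}
    for r in rules:
        totals[r["mark"]] = totals.get(r["mark"], 0) + r["bytes"]
    return totals
```

Running misdirected_marks over the first listing flags every rule, which matches the zero byte counters Adrian saw on class 1:20; over the second it flags nothing.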
Thank you very much, Tom. I thought in the wrong direction in the old days. And it now works, marking on the internal interface.

On Sat, 27 Nov 2004 19:32:51 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Sun, 2004-11-28 at 11:13 +0800, Adrian Mak wrote:
> > Do you mean I mark wrongly in the tcrules file? If so, how do I mark it?
>
> Adrian -- I'm not going to code your rules for you. You may as well stop
> asking me to. There are not enough hours in a day for me to write every
> Shorewall user's configuration files for them. YOU have to understand
> how Shorewall works so YOU can maintain YOUR own firewall.
>
> That having been said, if it were me I would mark those packets that
> came from my internal interface (eth0 in your case).
>
> Here is ONE example:
>
> #MARK  SOURCE  DEST       PROTO  PORT(S)  CLIENT
> #                                         PORT(S)
> 1      eth0    0.0.0.0/0  tcp    -        80
>
> And if you are silly enough to have a web server running on your
> firewall, you can add:
>
> #MARK  SOURCE  DEST       PROTO  PORT(S)  CLIENT
> #                                         PORT(S)
> 1      fw      0.0.0.0/0  tcp    -        80
>
> -Tom