Hi,
Thanks for helping me, but I have problems with iptables because I am
working with kernel 2.2.16-22 and I need a 2.4 kernel, but I think
ipchains is an alternative for my problem.
What I really want is to control incoming and outgoing bandwidth to
160Kbit, but I need to divide this into 64 for ttopic, 16 for morteg,
16 for mcaden, and 64 Kbit for others.
And I need to control all ports except 5003. I made my cbq.init script,
but I think it doesn't work; can you tell me what the error is?
Internet eth1 |---------------| 207.100.136.193
(Intranet)
-----------------| Linux Server
|----------------------|
(public ip) |---------------| eth0
(private ip)
The following is my cbq.init script:
================================================
#!/bin/sh
DEVETH0="dev eth0"
DEVETH1="dev eth1"
TTOPIC=207.100.136.194
MORTEG=207.100.136.208
MCADEN=207.100.136.233
OTHERS=207.100.136.0/24
IPCHAINS=/sbin/ipchains
#================================================== #
# ===>> Control for the external interface eth0 <<=== #
#================================================== #
# IPCHAINS rules
$IPCHAINS -I input ! -y -p tcp -i eth0 -s $TTOPIC 0:5002 -d 0/0 -j ACCEPT -m 1
$IPCHAINS -I input ! -y -p tcp -i eth0 -s $TTOPIC 5004:65535 -d 0/0 -j ACCEPT -m 1
$IPCHAINS -I input -p udp -i eth0 -s $TTOPIC 0:5002 -d 0/0 -j ACCEPT -m 1
$IPCHAINS -I input -p udp -i eth0 -s $TTOPIC 5004:65535 -d 0/0 -j ACCEPT -m 1
$IPCHAINS -A input ! -y -p tcp -i eth0 -s $MORTEG 0:5002 -d 0/0 -j ACCEPT -m 2
$IPCHAINS -A input ! -y -p tcp -i eth0 -s $MORTEG 5004:65535 -d 0/0 -j ACCEPT -m 2
$IPCHAINS -A input -p udp -i eth0 -s $MORTEG 0:5002 -d 0/0 -j ACCEPT -m 2
$IPCHAINS -A input -p udp -i eth0 -s $MORTEG 5004:65535 -d 0/0 -j ACCEPT -m 2
$IPCHAINS -A input ! -y -p tcp -i eth0 -s $MCADEN 0:5002 -d 0/0 -j ACCEPT -m 3
$IPCHAINS -A input ! -y -p tcp -i eth0 -s $MCADEN 5004:65535 -d 0/0 -j ACCEPT -m 3
$IPCHAINS -A input -p udp -i eth0 -s $MCADEN 0:5002 -d 0/0 -j ACCEPT -m 3
$IPCHAINS -A input -p udp -i eth0 -s $MCADEN 5004:65535 -d 0/0 -j ACCEPT -m 3
$IPCHAINS -A input ! -y -p tcp -i eth0 -s $OTHERS 0:5002 -d 0/0 -j ACCEPT -m 4
$IPCHAINS -A input ! -y -p tcp -i eth0 -s $OTHERS 5004:65535 -d 0/0 -j ACCEPT -m 4
$IPCHAINS -A input -p udp -i eth0 -s $OTHERS 0:5002 -d 0/0 -j ACCEPT -m 4
$IPCHAINS -A input -p udp -i eth0 -s $OTHERS 5004:65535 -d 0/0 -j ACCEPT -m 4
#eth0
tc qdisc add $DEVETH0 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc class add $DEVETH0 parent 10:0 classid 10:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
tc class add $DEVETH0 parent 10:1 classid 10:10 cbq bandwidth 100Mbit \
    rate 160Kbit allot 1514 weight 16Kbit prio 5 maxburst 20 avpkt 1000 bounded
# ===>> Configuration for Ing. Tomislav Topic <<=== #
tc class add $DEVETH0 parent 10:10 classid 10:100 cbq bandwidth 160Kbit \
    rate 64Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH0 parent 10:100 tbf rate 64Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH0 parent 10:0 protocol ip prio 100 handle 1 fw classid 10:100
# ===>> Configuration for Ing. Mario Ortega <<=== #
tc class add $DEVETH0 parent 10:10 classid 10:200 cbq bandwidth 160Kbit \
    rate 16Kbit allot 1514 weight 1Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH0 parent 10:200 tbf rate 16Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH0 parent 10:0 protocol ip prio 100 handle 2 fw classid 10:200
# ===>> Configuration for Ing. Miguel Cadena <<=== #
tc class add $DEVETH0 parent 10:10 classid 10:300 cbq bandwidth 160Kbit \
    rate 16Kbit allot 1514 weight 1Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH0 parent 10:300 tbf rate 16Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH0 parent 10:0 protocol ip prio 100 handle 3 fw classid 10:300
# ===>> Configuration for TelcoData <<=== #
tc class add $DEVETH0 parent 10:10 classid 10:400 cbq bandwidth 160Kbit \
    rate 64Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH0 parent 10:400 tbf rate 64Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH0 parent 10:0 protocol ip prio 100 handle 4 fw classid 10:400
#================================================== #
# ===>> Control for the external interface eth1 <<=== #
#================================================== #
# IPCHAINS rules
$IPCHAINS -I input ! -y -p tcp -i eth1 -s $TTOPIC 0:5002 -d 0/0 -j ACCEPT -m 11
$IPCHAINS -I input ! -y -p tcp -i eth1 -s $TTOPIC 5004:65535 -d 0/0 -j ACCEPT -m 11
$IPCHAINS -I input -p udp -i eth1 -s $TTOPIC 0:5002 -d 0/0 -j ACCEPT -m 11
$IPCHAINS -I input -p udp -i eth1 -s $TTOPIC 5004:65535 -d 0/0 -j ACCEPT -m 11
$IPCHAINS -A input ! -y -p tcp -i eth1 -s $MORTEG 0:5002 -d 0/0 -j ACCEPT -m 12
$IPCHAINS -A input ! -y -p tcp -i eth1 -s $MORTEG 5004:65535 -d 0/0 -j ACCEPT -m 12
$IPCHAINS -A input -p udp -i eth1 -s $MORTEG 0:5002 -d 0/0 -j ACCEPT -m 12
$IPCHAINS -A input -p udp -i eth1 -s $MORTEG 5004:65535 -d 0/0 -j ACCEPT -m 12
$IPCHAINS -A input ! -y -p tcp -i eth1 -s $MCADEN 0:5002 -d 0/0 -j ACCEPT -m 13
$IPCHAINS -A input ! -y -p tcp -i eth1 -s $MCADEN 5004:65535 -d 0/0 -j ACCEPT -m 13
$IPCHAINS -A input -p udp -i eth1 -s $MCADEN 0:5002 -d 0/0 -j ACCEPT -m 13
$IPCHAINS -A input -p udp -i eth1 -s $MCADEN 5004:65535 -d 0/0 -j ACCEPT -m 13
$IPCHAINS -A input ! -y -p tcp -i eth1 -s $OTHERS 0:5002 -d 0/0 -j ACCEPT -m 14
$IPCHAINS -A input ! -y -p tcp -i eth1 -s $OTHERS 5004:65535 -d 0/0 -j ACCEPT -m 14
$IPCHAINS -A input -p udp -i eth1 -s $OTHERS 0:5002 -d 0/0 -j ACCEPT -m 14
$IPCHAINS -A input -p udp -i eth1 -s $OTHERS 5004:65535 -d 0/0 -j ACCEPT -m 14
#eth1
tc qdisc add $DEVETH1 root handle 20: cbq bandwidth 100Mbit avpkt 1000
tc class add $DEVETH1 parent 20:0 classid 20:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
tc class add $DEVETH1 parent 20:1 classid 20:10 cbq bandwidth 100Mbit \
    rate 160Kbit allot 1514 weight 16Kbit prio 5 maxburst 20 avpkt 1000 bounded
# ===>> Configuration for Ing. Tomislav Topic <<=== #
tc class add $DEVETH1 parent 20:10 classid 20:100 cbq bandwidth 160Kbit \
    rate 64Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH1 parent 20:100 tbf rate 64Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH1 parent 20:0 protocol ip prio 100 handle 11 fw classid 20:100
# ===>> Configuration for Ing. Mario Ortega <<=== #
tc class add $DEVETH1 parent 20:10 classid 20:200 cbq bandwidth 160Kbit \
    rate 16Kbit allot 1514 weight 1Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH1 parent 20:200 tbf rate 16Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH1 parent 20:0 protocol ip prio 100 handle 12 fw classid 20:200
# ===>> Configuration for Ing. Miguel Cadena <<=== #
tc class add $DEVETH1 parent 20:10 classid 20:300 cbq bandwidth 160Kbit \
    rate 16Kbit allot 1514 weight 1Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH1 parent 20:300 tbf rate 16Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH1 parent 20:0 protocol ip prio 100 handle 13 fw classid 20:300
# ===>> Configuration for TelcoData <<=== #
tc class add $DEVETH1 parent 20:10 classid 20:400 cbq bandwidth 160Kbit \
    rate 64Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add $DEVETH1 parent 20:400 tbf rate 64Kbit buffer 10Kb/8 limit 15Kb
tc filter add $DEVETH1 parent 20:0 protocol ip prio 100 handle 14 fw classid 20:400
Thanks
Alexandra
================================================
Rodrigo Goya wrote:
>
> Hi,
>
> Ok, with this command:
> # iptables -I PREROUTING -t mangle -p tcp --dport 25 -j MARK --set-mark 1
>
> You're telling it that all packets going to port 25 are marked with the
> value of 1, ok? This works on all mail traffic for instance. It means
> that when a packet arrives for routing, check it before routing it and
> if the packet's destination port is 25 then mark it.
>
> You can use a variety of options with iptables to mark different packets,
> you could, for instance, repeat this rule with port 110, port 80 and other
> ports, they will all be marked with 1.
>
> Now, in tc filter with this command:
> # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1
>
> You're telling it that whatever is marked with the value 1 belongs to
> this class 1:1, whether it's source port 25, or destination port 25,
> or 80 or whichever you marked with 1 in iptables.
>
> If you need more help send me more data of your network setup and details
> of what you want to do =)
>
> Hope this helps.
>
> Cheers,
>
> Rodrigo
>
> On Mon, May 07, 2001 at 12:30:14PM +0000, Alexandra Alvarado wrote:
> > Hi,
> >
> > Can you please give me an example.
> >
> >
> > Thanks.
> >
> > A.A.A.A.B.
> >
> > Rodrigo Goya wrote:
> > >
> > > Hello,
> > >
> > > You mean to get ports 20, 21, 22, 25, 80, 110 and 3128 to share
> > > one "64Kbit link"? or each have its own "64Kbit link"?
> > >
> > > If you want them all to share one link, I don't know what others
> > > would say, but I'd go with marking those packets with netfilter and
> > > then using the fwmark filter. You could mark the rest with a
> > > different value so they go to another class.
> > >
> > > You can see an example in section 13.1 in the HOWTO:
> > >
> > > http://www.ds9a.nl/2.4Routing/HOWTO//cvs/2.4routing/output/2.4routing-13.html#ss13.1
> > >
> > > tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1
> > > Being the command needed to filter packets marked with the value
> > > 1 (handle 1), for example.
> > >
> > > If you want each to get its own 64kbps, I'd think you need to use
> > > the u32 filter for each 64kbps class, specifying which port belongs
> > > to which class.
> > >
> > > Was this it?
> > >
> > > Cheers,
> > >
> > >
> > > Rodrigo
> > >
> > > On Mon, May 07, 2001 at 11:41:30AM +0000, Alexandra Alvarado wrote:
> > > > hello, I'm Alexandra
> > > >
> > > > I have a problem and I need somebody to help me. I need to
> > > > control all ports except one, 5003. How can I do that? Or, if
> > > > that can't be done, I only need to control ports 20, 21, 22, 25,
> > > > 80, 110 and 3128 so that all have 64Kbit shaped.
> > > >
> > > > Can somebody give me an example? I don't know how to specify it
> > > > in "tc filter"
> > > >
> > > >
> > > > Thanks
> > > >
> > > > Alexandra
> > > >
> > > > _______________________________________________
> > > > LARTC mailing list / LARTC@mailman.ds9a.nl
> > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
> > >
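
The mark-then-filter approach Rodrigo describes, applied to the split asked for in this message (64/16/16/64 Kbit, every port except 5003), as an added example that is not part of the original thread: a dry-run generator that only prints the ipchains and tc commands. The helper name `emit_shaper`, the `PLAN` format, the omission of the TBF leaf qdiscs, and the pairing of marks on the incoming interface with classes on the outgoing one are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not run) the ipchains mark
# rules and CBQ classes/filters for ONE direction of traffic.
# Assumption: packets are marked where they enter (in_dev) and shaped where
# they leave (out_dev), since a root qdisc only queues outgoing packets.

# Constructed plan, "mark source rate_kbit" per line (values from the post).
PLAN='1 207.100.136.194 64
2 207.100.136.208 16
3 207.100.136.233 16
4 207.100.136.0/24 64'

# Usage: emit_shaper IN_DEV OUT_DEV MAJOR PARENT_KBIT < plan
emit_shaper() {
    in_dev=$1; out_dev=$2; major=$3; parent_kbit=$4
    total=0; seen=" "; cbq="allot 1514 prio 5 maxburst 20 avpkt 1000 bounded"
    out="tc qdisc add dev $out_dev root handle $major: cbq bandwidth 100Mbit avpkt 1000
tc class add dev $out_dev parent $major:0 classid $major:10 cbq bandwidth 100Mbit rate ${parent_kbit}Kbit weight $((parent_kbit / 10))Kbit $cbq"
    while read -r mark src rate; do
        [ -n "$mark" ] || continue
        case "$seen" in
            *" $mark "*) echo "duplicate mark: $mark" >&2; return 1 ;;
        esac
        seen="$seen$mark "
        total=$((total + rate))
        # Two ranges per protocol leave a hole at port 5003 (never marked).
        for proto in tcp udp; do
            for ports in 0:5002 5004:65535; do
                out="$out
ipchains -A input -p $proto -i $in_dev -s $src $ports -d 0/0 -j ACCEPT -m $mark"
            done
        done
        # The fw filter handle must equal the mark set above.
        out="$out
tc class add dev $out_dev parent $major:10 classid $major:${mark}00 cbq bandwidth ${parent_kbit}Kbit rate ${rate}Kbit weight $((rate / 10))Kbit $cbq
tc filter add dev $out_dev parent $major:0 protocol ip prio 100 handle $mark fw classid $major:${mark}00"
    done
    if [ "$total" -gt "$parent_kbit" ]; then
        echo "children need ${total}Kbit, parent has ${parent_kbit}Kbit" >&2
        return 2
    fi
    printf '%s\n' "$out"
}

# Traffic entering eth0 leaves through eth1, so eth1 carries the classes.
printf '%s\n' "$PLAN" | emit_shaper eth0 eth1 20 160
```

Rules are appended in plan order, so the three single hosts must stay ahead of the /24 that contains them; the opposite direction needs a second call with the devices swapped, its own major handle and its own set of marks.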