Greetings earthlings,

I am battling to get NATted packets marked with iptables, to shape them later using the fw filter.

Has anyone tried to mark packets that are masqueraded, or to shape masqueraded connections?

It doesn't seem to work.

If anyone knows what to do, please help.

Regards

- Jaco van der Schyff
jvds@netgroup.co.za

+27 12 803 7591
+27 12 803 7285 (f)
+27 83 680 4922 (mobile)

f6e2eb48937f22e159a408c84533cdcb
What is/are your setup/rules? It should work just fine.

Ramin

On Wed, May 16, 2001 at 04:32:00PM +0200, Jaco van der Schyff wrote:
> Greetings earthlings,
>
> I am battling to get NATted packets marked with iptables,
> to shape them later using the fw filter.
>
> Has anyone tried to mark packets that are masqueraded, or
> to shape masqueraded connections?
>
> It doesn't seem to work.
>
> If anyone knows what to do, please help.
>
> Regards
>
> - Jaco van der Schyff
> jvds@netgroup.co.za
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
I removed the comments from the file below; also, this isn't the complete file, but it should be enough to give you an idea of what I want to achieve.

iptables -A PREROUTING -t mangle -p tcp -s 0/0 -d 192.168.62.0/24 -j MARK \
    --set-mark 1

tc qdisc add dev eth1 root handle 10: cbq bandwidth 64Kbit avpkt 1000

tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 64Kbit rate \
    64Kbit allot 1514 weight 6Kbit prio 8 maxburst 20 avpkt 1000

tc class add dev eth1 parent 10:1 classid 10:100 cbq bandwidth 64Kbit rate \
    32Kbit allot 1514 weight 3Kbit prio 5 maxburst 20 avpkt 100 bounded

tc qdisc add dev eth1 parent 10:100 sfq quantum 1514b perturb 15

tc filter add dev eth1 protocol ip parent 10:1 prio 100 handle 1 fw classid 10:100

Regards
- Jaco van der Schyff
jvds@netgroup.co.za

Ramin Alidousti wrote:
>
> What is/are your setup/rules? It should work just fine.
>
> Ramin
I assume that the packets come in on eth0, right? And I'm not sure if the mangle table sees the destination as 192.168.62.0/24 or as the original destination address. Try this:

iptables -A PREROUTING -t mangle -p tcp -i eth0 -d 192.168.62.0/24 \
    -j MARK --set-mark 1

If it doesn't work, try:

iptables -A PREROUTING -t mangle -p tcp -i eth0 -d <orig dst IP's> \
    -j MARK --set-mark 1

Hope it works,
Ramin

On Wed, May 16, 2001 at 04:52:30PM +0200, Jaco van der Schyff wrote:
> I removed the comments from the file below; also, this isn't the
> complete file, but it should be enough to give you an idea of what
> I want to achieve.
>
> iptables -A PREROUTING -t mangle -p tcp -s 0/0 -d 192.168.62.0/24 -j MARK \
>     --set-mark 1
>
> tc qdisc add dev eth1 root handle 10: cbq bandwidth 64Kbit avpkt 1000
>
> tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 64Kbit rate \
>     64Kbit allot 1514 weight 6Kbit prio 8 maxburst 20 avpkt 1000
>
> tc class add dev eth1 parent 10:1 classid 10:100 cbq bandwidth 64Kbit rate \
>     32Kbit allot 1514 weight 3Kbit prio 5 maxburst 20 avpkt 100 bounded
>
> tc qdisc add dev eth1 parent 10:100 sfq quantum 1514b perturb 15
>
> tc filter add dev eth1 protocol ip parent 10:1 prio 100 handle 1 fw classid 10:100
>
> Regards
> - Jaco van der Schyff
> jvds@netgroup.co.za
I just checked with the iptables gurus and it appears that the mangle table is checked before the nat table, meaning that the second example below works and not the first one, which also explains why your setup didn't work.

Ramin

On Wed, May 16, 2001 at 11:07:07AM -0400, Ramin Alidousti wrote:
> I assume that the packets come in on eth0, right? And I'm not sure
> if the mangle table sees the destination as 192.168.62.0/24 or as
> the original destination address. Try this:
>
> iptables -A PREROUTING -t mangle -p tcp -i eth0 -d 192.168.62.0/24 \
>     -j MARK --set-mark 1
>
> If it doesn't work, try:
>
> iptables -A PREROUTING -t mangle -p tcp -i eth0 -d <orig dst IP's> \
>     -j MARK --set-mark 1
>
> Hope it works,
> Ramin
Aren't you making a mistake here, Johan? The OUTPUT chain is meant for the outgoing packets from the firewall itself. What Jaco is doing is receiving packets from the network, which will never pass the OUTPUT chain.

Ramin

On Thu, May 17, 2001 at 06:29:00AM -0400, johan@pinguind.co.id wrote:
> I have met this condition before. I changed the chain rule in iptables;
> try it like this:
>
> iptables -I OUTPUT -t mangle -p tcp -s 0/0 -d 192.168.62.0/24 -j MARK \
>     --set-mark 1
>
> and it works.
>
> Regards
>
> Johan
I have met this condition before. I changed the chain rule in iptables; try it like this:

iptables -I OUTPUT -t mangle -p tcp -s 0/0 -d 192.168.62.0/24 -j MARK \
    --set-mark 1

and it works.

Regards

Johan

On Wed, May 16, 2001 at 11:07:07AM -0400, Ramin Alidousti wrote:
> I assume that the packets come in on eth0, right? And I'm not sure
> if the mangle table sees the destination as 192.168.62.0/24 or as
> the original destination address. Try this:
>
> iptables -A PREROUTING -t mangle -p tcp -i eth0 -d 192.168.62.0/24 \
>     -j MARK --set-mark 1
>
> If it doesn't work, try:
>
> iptables -A PREROUTING -t mangle -p tcp -i eth0 -d <orig dst IP's> \
>     -j MARK --set-mark 1
>
> Hope it works,
> Ramin
--
 -'-
(o o)
---------ooO--(_)--Ooo-------------------------------------------------
( )/ \( )( ) ( ) ( \( )        Visit us at http://www.pinguind.co.id
__)(( () ))__( /__\ ) (        Feel free to contact me at ICQ #47240718
(___/ \__/(_)(_)(_)(_)(_)\_)   email:johan@pinguind.co.id
-----------------------------------------------------------------------
OK. My question is: where are you doing the ftp from?

1) When you use OUTPUT, the packets originating from your firewall
   will be marked.
2) When you use INPUT, the packets destined for your firewall
   will be marked. (You don't use this because it's too late for tc.)
3) When you use PREROUTING, the packets received from the network
   will be marked.
4) When you use POSTROUTING, the packets leaving your firewall will
   be marked. (You don't use this because it's too late for tc.)

It all depends on your application: what you want to mark, in which direction, and where in the forwarding process.

Ramin

On Thu, May 17, 2001 at 05:57:35PM -0400, johan@pinguind.co.id wrote:
> This is the result when I use the OUTPUT chain:
>
> 150 Opening BINARY mode data connection for iproute-2.2.4-2.i386.rpm (327439 bytes).
> 226 Transfer complete.
> 327439 bytes received in 21 secs (15 Kbytes/sec)
>
> With a configuration like this:
>
> bash# iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       tcp  --  fvbs.pinguind.co.id  anywhere     state RELATED,ESTABLISHED MARK set 0x1
> MARK       tcp  --  fvbs.pinguind.co.id  anywhere     tcp spt:www MARK set 0x2
>
> ---[ eth0: configured classes ]---------------------------
>
> class cbq 10: root rate 10Mbit (bounded,isolated) prio no-transmit
> class cbq 10:2 parent 10: rate 10Mbit prio 4
> class cbq 10:4 parent 10:2 leaf 8001: rate 128Kbit prio 4
> class cbq 10:5 parent 10:2 leaf 8002: rate 256Kbit prio 4
>
> ---[ eth0: queueing disciplines ]-------------------------
>
> qdisc tbf 8002: rate 256Kbit burst 10Kb lat 190.7ms
> qdisc tbf 8001: rate 128Kbit burst 10Kb lat 381.5ms
> qdisc cbq 10: rate 10Mbit (bounded,isolated) prio no-transmit
--
Ramin Alidousti                 ramin@UU.NET
Advanced Development            tel +1 703 886 2640
UUNET, A WorldCom Company       fax +1 703 886 0536
On Thu, May 17, 2001 at 07:49:59PM -0400, johan@pinguind.co.id wrote:
> I see,
> I'm doing ftp from packets originating from my CBQ host (not a dual-homed
> firewall, because I just have one interface card).
> OK, thanks for your "enlightenment";
> my configuration works well in the case of packets originating from my host.
> But my question:
>
> Can we limit packets originating from my CBQ host using the
> PREROUTING chain?

No. In your case, with the OUTPUT chain.

Ramin

>
> thanks
Hi,

I think with the following rules you can get it done:

iptables -t mangle -I PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1

So each packet going through your router will first be marked if it comes from 192.168.1.0/24 (PREROUTING) and, after routing and tc queuing, it will be NATed (POSTROUTING). That works for marking packets going out of your network through your NATing box.

To mark packets coming into your network, since mangle only has PREROUTING and OUTPUT, it could be done with this:

iptables -t mangle -I PREROUTING -s 192.168.2.1/32 -j MARK --set-mark 2

It marks the packets before they are deNATed, but works assuming that no traffic is coming directly to your NAT box, or these will be marked as well.

These examples seemed to work on a test router here (only I used TOS marking so I could watch it with tcpdump: outgoing packets marked with TOS 0x2 and incoming with TOS 0x4). On client 192.168.1.99 I made a "ping altavista.com -n -c 1". The router is 192.168.2.1 (there is other NAT after it, but it doesn't affect this).

13:40:12.446406 eth1 < 192.168.1.99 > 209.73.180.2: icmp: echo request (DF) [tos 0x2,ECT] (ttl 64, id 0)
13:40:12.446440 eth0 > 192.168.2.1 > 209.73.180.2: icmp: echo request (DF) [tos 0x2,ECT] (ttl 63, id 0)
13:40:12.554895 eth0 < 209.73.180.2 > 192.168.1.99: icmp: echo reply [tos 0x4] (ttl 241, id 56493)
13:40:12.554916 eth1 > 209.73.180.2 > 192.168.1.99: icmp: echo reply [tos 0x4] (ttl 240, id 56493)

Hope this helps.

Cheers,
Rodrigo

On Wed, May 16, 2001 at 04:32:00PM +0200, Jaco van der Schyff wrote:
> Greetings earthlings,
>
> I am battling to get NATted packets marked with iptables,
> to shape them later using the fw filter.
>
> Has anyone tried to mark packets that are masqueraded, or
> to shape masqueraded connections?
>
> It doesn't seem to work.
>
> If anyone knows what to do, please help.
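Putting the thread's conclusions together (Ramin's point that the mangle table is consulted before the nat table, his summary of which chain sees which packets, and Rodrigo's mark-in-PREROUTING-then-SNAT-in-POSTROUTING ordering), here is an added example script. It is not code from any poster in this thread; interface names, addresses, rates, and the run, check_tc_classids and setup_all helpers are assumptions. It also carries a small consistency check for the tc side: a fw filter whose classid names a class that was never added silently shapes nothing, which is easy to miss when the filter points at 1:100 while the class is 10:100.

```shell
#!/bin/sh
# Added example (not any poster's code): mark in mangle PREROUTING, shape with a
# tc fw filter on the uplink, SNAT last in nat POSTROUTING. Interface names,
# addresses, rates and helper functions are assumptions for illustration.
LAN_IF="${LAN_IF:-eth0}"               # private side, where LAN packets arrive
WAN_IF="${WAN_IF:-eth1}"               # shaped, masqueraded uplink
LAN_NET="${LAN_NET:-192.168.62.0/24}"  # the NATted network
WAN_IP="${WAN_IP:-192.168.2.1}"        # assumed address to SNAT to
RATE="${RATE:-64Kbit}"

# Run a command, or only print it when DRY_RUN is set, so the rule set can be
# reviewed without root and without touching the kernel.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mangle PREROUTING runs before the nat table and before routing, so the rule
# still sees the private source address and the mark is on the packet by the
# time the fw filter on WAN_IF classifies it. SNAT happens afterwards.
mangle_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -j MARK --set-mark 1
}

nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$WAN_IP"
}

# Same cbq tree shape as the one posted in the thread. The fw filter's classid
# must name a class that exists under the same root handle (10:100 here).
tc_rules() {
    run tc qdisc add dev "$WAN_IF" root handle 10: cbq bandwidth "$RATE" avpkt 1000
    run tc class add dev "$WAN_IF" parent 10:0 classid 10:1 cbq bandwidth "$RATE" \
        rate "$RATE" allot 1514 weight 6Kbit prio 8 maxburst 20 avpkt 1000
    run tc class add dev "$WAN_IF" parent 10:1 classid 10:100 cbq bandwidth "$RATE" \
        rate 32Kbit allot 1514 weight 3Kbit prio 5 maxburst 20 avpkt 1000 bounded
    run tc qdisc add dev "$WAN_IF" parent 10:100 sfq perturb 15
    run tc filter add dev "$WAN_IF" protocol ip parent 10: prio 100 handle 1 fw classid 10:100
}

# Read a tc command list (one command per line) on stdin and verify that every
# "fw ... classid X" points at a class that was actually added. Prints the
# dangling classids and returns 1 if any are found, otherwise returns 0.
check_tc_classids() {
    awk '
        $1 == "tc" && $2 == "class" {
            for (i = 1; i <= NF; i++) if ($i == "classid") have[$(i + 1)] = 1
        }
        $1 == "tc" && $2 == "filter" {
            for (i = 1; i <= NF; i++) if ($i == "classid") want[$(i + 1)] = 1
        }
        END {
            bad = 0
            for (c in want) if (!(c in have)) { print "no class for filter classid " c; bad = 1 }
            exit bad
        }
    '
}

setup_all() {
    mangle_rules
    nat_rules
    tc_rules
}

# "sh shape.sh show" prints the rule set; "sh shape.sh apply" validates the
# tc side first and then applies everything (needs root).
case "${1:-}" in
    show)
        DRY_RUN=1; export DRY_RUN
        setup_all
        ;;
    apply)
        DRY_RUN=1; export DRY_RUN
        tc_rules | check_tc_classids || exit 1
        unset DRY_RUN
        setup_all
        ;;
esac
```

Run it with "show" to review the generated rules before applying; the check deliberately rejects a filter pointing at 1:100 when only 10:1 and 10:100 exist, and accepts the tree above.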
No. I have proved that my configuration works well. I think the CBQ stack sits below the iptables stack, and almost 'stays at' layer 2 networking. Have you tried limiting bandwidth with the OUTPUT chain? Because when I tried limiting with the PREROUTING chain, the result was not satisfactory.

Johan

On Wed, May 16, 2001 at 07:30:57PM -0400, Ramin Alidousti wrote:
> Aren't you making a mistake here, Johan? The OUTPUT chain is meant
> for the outgoing packets from the firewall itself. What Jaco is
> doing is receiving packets from the network, which will never pass
> the OUTPUT chain.
>
> Ramin
This is the result when I use the OUTPUT chain:

150 Opening BINARY mode data connection for iproute-2.2.4-2.i386.rpm (327439 bytes).
226 Transfer complete.
327439 bytes received in 21 secs (15 Kbytes/sec)

With a configuration like this:

bash# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  fvbs.pinguind.co.id  anywhere     state RELATED,ESTABLISHED MARK set 0x1
MARK       tcp  --  fvbs.pinguind.co.id  anywhere     tcp spt:www MARK set 0x2

---[ eth0: configured classes ]---------------------------

class cbq 10: root rate 10Mbit (bounded,isolated) prio no-transmit
class cbq 10:2 parent 10: rate 10Mbit prio 4
class cbq 10:4 parent 10:2 leaf 8001: rate 128Kbit prio 4
class cbq 10:5 parent 10:2 leaf 8002: rate 256Kbit prio 4

---[ eth0: queueing disciplines ]-------------------------

qdisc tbf 8002: rate 256Kbit burst 10Kb lat 190.7ms
qdisc tbf 8001: rate 128Kbit burst 10Kb lat 381.5ms
qdisc cbq 10: rate 10Mbit (bounded,isolated) prio no-transmit

On Wed, May 16, 2001 at 07:30:57PM -0400, Ramin Alidousti wrote:
> Aren't you making a mistake here, Johan? The OUTPUT chain is meant
> for the outgoing packets from the firewall itself. What Jaco is
> doing is receiving packets from the network, which will never pass
> the OUTPUT chain.
>
> Ramin
I see,

I'm doing ftp from packets originating from my CBQ host (not a dual-homed firewall, because I just have one interface card). OK, thanks for your "enlightenment"; my configuration works well in the case of packets originating from my host. But my question:

Can we limit packets originating from my CBQ host using the PREROUTING chain?

thanks

On Thu, May 17, 2001 at 07:24:54AM -0400, Ramin Alidousti wrote:
> OK. My question is: where are you doing the ftp from?
>
> 1) When you use OUTPUT, the packets originating from your firewall
>    will be marked.
> 2) When you use INPUT, the packets destined for your firewall
>    will be marked. (You don't use this because it's too late for tc.)
> 3) When you use PREROUTING, the packets received from the network
>    will be marked.
> 4) When you use POSTROUTING, the packets leaving your firewall will
>    be marked. (You don't use this because it's too late for tc.)
>
> It all depends on your application: what you want to mark, in which
> direction, and where in the forwarding process.
>
> Ramin