I'm having a big problem with a Linux box I have configured as a NAT router and for IP accounting. These two functions work without a hitch, but now I want to do some traffic shaping. I'm using cbq.init, but have the issue that no packets are hitting the shaping class.

My machine has two ethernet cards, both on the same subnet, but eth1 being connected to a number of internal NAT networks. I'm using proxy arp to pass data between the two ethernet cards. I hope the following segment of my iptables script isn't too big, but it should give a pretty good idea of what I'm doing.

# beginning of script
# flush all tables and reset the default policies to ACCEPT
/usr/sbin/iptables -F
/usr/sbin/iptables -X
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t nat -X
/usr/sbin/iptables -t mangle -F
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

# one-to-one NAT: public 64.251.69.2 / .3 <-> two internal hosts
iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2
iptables -t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2
iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.3 -j DNAT --to 10.101.106.2
iptables -t nat -A POSTROUTING -o eth0 -s 10.101.106.2 -j SNAT --to 64.251.69.3

echo [/etc/rc.d/rc.iptables] Recreating NAT tables...
# the whole internal /21s share the eth0 address (MASQUERADE variants left commented out)
#iptables -t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -d 0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -s 10.102.104.0/21 -d 0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -s 10.103.104.0/21 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.101.104.0/21 -j SNAT --to 64.251.68.21
iptables -t nat -A POSTROUTING -s 10.102.104.0/21 -j SNAT --to 64.251.68.21
iptables -t nat -A POSTROUTING -s 10.103.104.0/21 -j SNAT --to 64.251.68.21

echo [/etc/rc.d/rc.iptables] Recreating Waverider accounting rules...
# accounting chain: the rules have no target, so they only count packets and bytes
/usr/sbin/iptables -N waverid
/usr/sbin/iptables -A FORWARD -j waverid

/usr/sbin/iptables -A waverid -i eth0 -d 64.251.68.19/32
/usr/sbin/iptables -A waverid -i eth1 -s 64.251.68.19/32
/usr/sbin/iptables -A waverid -i eth0 -d 64.251.69.4/32
/usr/sbin/iptables -A waverid -i eth1 -s 64.251.69.4/32

/usr/sbin/iptables -A waverid -i eth0 -d 10.101.106.2/32
/usr/sbin/iptables -A waverid -i eth1 -s 10.101.106.2/32

-- 
Aaron Clausen

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
And where is the script you use to shape the traffic?? My guess is that you have a filter problem.

Stef

On Tuesday 08 October 2002 00:52, Aaron Clausen wrote:
> I'm having a big problem with a Linux box I have configured as a NAT router
> and for IP accounting. These two functions work without a hitch, but now I
> want to do some traffic shaping. I'm using cbq.init, but have the issue
> that no packets are hitting the shaping class.
>
> My machine has two ethernet cards, both on the same subnet, but eth1 being
> connected to a number of internal NAT networks. I'm using proxy arp to
> pass data between the two ethernet cards. I hope the following segment of
> my iptables script isn't too big, but it should give a pretty good idea of
> what I'm doing.
>
> # beginning of script
> /usr/sbin/iptables -F
> /usr/sbin/iptables -X
> /usr/sbin/iptables -t nat -F
> /usr/sbin/iptables -t nat -X
> /usr/sbin/iptables -t mangle -F
> /usr/sbin/iptables -P FORWARD ACCEPT
> /usr/sbin/iptables -P INPUT ACCEPT
> /usr/sbin/iptables -P OUTPUT ACCEPT
>
> iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2
> iptables -t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2
> iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.3 -j DNAT --to 10.101.106.2
> iptables -t nat -A POSTROUTING -o eth0 -s 10.101.106.2 -j SNAT --to 64.251.69.3
>
> echo [/etc/rc.d/rc.iptables] Recreating NAT tables...
> #iptables -t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -d 0/0 -j MASQUERADE
> #iptables -t nat -A POSTROUTING -o eth0 -s 10.102.104.0/21 -d 0/0 -j MASQUERADE
> #iptables -t nat -A POSTROUTING -o eth0 -s 10.103.104.0/21 -d 0/0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 10.101.104.0/21 -j SNAT --to 64.251.68.21
> iptables -t nat -A POSTROUTING -s 10.102.104.0/21 -j SNAT --to 64.251.68.21
> iptables -t nat -A POSTROUTING -s 10.103.104.0/21 -j SNAT --to 64.251.68.21
>
> echo [/etc/rc.d/rc.iptables] Recreating Waverider accounting rules...
> /usr/sbin/iptables -N waverid
> /usr/sbin/iptables -A FORWARD -j waverid
>
> /usr/sbin/iptables -A waverid -i eth0 -d 64.251.68.19/32
> /usr/sbin/iptables -A waverid -i eth1 -s 64.251.68.19/32
> /usr/sbin/iptables -A waverid -i eth0 -d 64.251.69.4/32
> /usr/sbin/iptables -A waverid -i eth1 -s 64.251.69.4/32
>
> /usr/sbin/iptables -A waverid -i eth0 -d 10.101.106.2/32
> /usr/sbin/iptables -A waverid -i eth1 -s 10.101.106.2/32

-- 
stef.coene@docum.org
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net
On Tue, 8 Oct 2002, Stef Coene wrote:
> And where is the script you use to shape the traffic??
> My guess is that you have a filter problem.

Well, I'm using cbq.init, and just had a basic shaping class. I can shape traffic providing I just use 64.251.68.21, which is the IP address for eth0. Unfortunately, I want to be able to shape specific NAT addresses, not just the whole pie. This tells me that the packets are never hitting the traffic shaper. I just wondered if anybody had any thoughts.

-- 
Aaron Clausen
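The symptom in this thread (shaping works for 64.251.68.21 as a whole, never for an individual NAT host) is the classic interaction between SNAT and an egress shaper: nat POSTROUTING rewrites the source to 64.251.68.21 before the packet reaches the eth0 qdisc, so a tc filter on eth0 that matches a 10.x source address has nothing left to match. The usual fix is to tag the packet in the mangle table, which runs before NAT, and let the shaper classify on the fwmark instead of the address. The script below is an added example and is not part of the thread, of cbq.init or of Aaron's setup: it uses HTB in place of cbq, the rates and marks are invented, and it only echoes the commands (RUN=echo) so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): mark forwarded packets by their
# pre-NAT source in mangle FORWARD, then classify on the mark in the eth0
# egress qdisc. mangle FORWARD runs before nat POSTROUTING, so "-s 10.x"
# still matches there, and the fwmark stays on the packet into the qdisc.
# Assumptions: HTB instead of cbq.init, made-up rates, RUN=echo by default.

IPT=${IPT:-/usr/sbin/iptables}
TC=${TC:-/sbin/tc}
DEV=${DEV:-eth0}
RUN=${RUN:-echo}    # set RUN='' and run as root to apply for real

# mark_source MARK CIDR
# Tag forwarded packets from CIDR with MARK before NAT rewrites the source.
# MARK is non-terminating: a later matching rule overwrites an earlier mark,
# so list broader subnets before any more specific host inside them.
mark_source() {
    $RUN $IPT -t mangle -A FORWARD -s "$2" -j MARK --set-mark "$1"
}

# shaping_root TOTAL_RATE
# Root HTB qdisc plus one parent class holding the whole link rate;
# unmarked traffic falls into class 1:1 via "default 1".
shaping_root() {
    $RUN $TC qdisc add dev "$DEV" root handle 1: htb default 1
    $RUN $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$1"
}

# shaped_class MARK RATE
# One leaf class per mark, capped at RATE, fed by a "fw" filter on that mark.
# The classid minor only has to agree between the class and the filter.
shaped_class() {
    $RUN $TC class add dev "$DEV" parent 1:1 classid "1:$1" htb rate "$2" ceil "$2"
    $RUN $TC filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$1" fw flowid "1:$1"
}

# Check: once traffic flows, the leaf class counters should grow here.
# If they stay at zero the mark is not being set or the filter does not match.
show_counters() {
    $RUN $TC -s class show dev "$DEV"
}

build_all() {
    shaping_root 10mbit
    # broader subnet first, then the individual NAT hosts (see mark_source)
    mark_source 30 10.103.104.0/21 ; shaped_class 30 2mbit
    mark_source 10 10.101.106.2/32 ; shaped_class 10 1mbit
    mark_source 20 10.102.106.2/32 ; shaped_class 20 1mbit
    show_counters
}

build_all
```

With RUN=echo the script prints the iptables and tc commands it would issue; `iptables -t mangle -L FORWARD -v` and `tc -s class show dev eth0` are the two places to look when a class still shows no packets: the first confirms the mark rules are being hit, the second confirms the fw filter is steering marked packets into the intended leaf.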