Hello, LARTC users! Can you help me understand how to make HTB work with NAT in my situation?

    ---------------
    |    linux     | eth0   ---------
    | 193.220.70.33 |-------|switch |--|cisco|<-->internet
    |     NAT      |        ---------
    ---------------             |
                                |
    -------------     eth0      |
    | client1   |----------------
    | 192.168.1.1 |
    -------------

Client's (192.168.1.2) default route is to 193.220.70.33.

On the linux server (193.220.70.33) there is this rule:

    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to 193.220.70.33

As I understand it, I can control the traffic bandwidth going to client1 and from client1 on the linux server, because the linux server has only one interface (maybe I'm wrong). On the linux server I need to mark packets with iptables and then use fw to put those packets in the corresponding class. I'm not sure how to do that if I have NAT on the linux server's eth0. For example:

    /usr/local/iproute2/sbin/tc qdisc add dev eth0 root handle 1: htb
    /usr/local/iproute2/sbin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 32kbit ceil 60Mbit
    /usr/local/iproute2/sbin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq
    /usr/local/iproute2/sbin/tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:20
    /sbin/iptables -t mangle -A POSTROUTING -s 192.168.1.2 -j MARK --set-mark 1

Will a packet with src 192.168.1.2 be put into classid 1:20, or will it at that moment already be NATed, with its source 193.220.70.33? Looking at the 'Kernel Packet Traveling Diagram' at docum.org, I may suggest that it will be marked and put in the class before it is NATed, but if you can give advice about that I will greatly appreciate it.

Thanks a lot for your help.

Best regards,
Ruslan

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Ruslan,

 : Can you help me understand how to make HTB work with NAT in my situation?

You appear to have the right solution in mind. Mark the packets before the address has been altered, and add the filter command to put the packets into your 60Mbit class.

 :     ---------------
 :     |    linux     | eth0   ---------
 :     | 193.220.70.33 |-------|switch |--|cisco|<-->internet
 :     |     NAT      |        ---------
 :     ---------------             |
 :                                 |
 :     -------------     eth0      |
 :     | client1   |----------------
 :     | 192.168.1.1 |
 :     -------------
 :
 : Client's (192.168.1.2) default route is to 193.220.70.33.
 :
 : On the linux server (193.220.70.33) there is this rule:
 :     iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to 193.220.70.33
 :
 : As I understand it, I can control the traffic bandwidth going to client1 and
 : from client1 on the linux server, because the linux server has only one
 : interface (maybe I'm wrong).

I noticed your question earlier about using a machine with a single interface as a router. Is that what you are doing here? If so, then you'll want to add one other command, and here's why:

 - Your linux machine will only shape data it is transmitting.
 - You are shaping only data transmitted from client1 through the gateway (practically speaking, this means you are capping the outbound flow from client1).

 : /usr/local/iproute2/sbin/tc qdisc add dev eth0 root handle 1: htb
 : /usr/local/iproute2/sbin/tc class add dev eth0 parent 1:1 classid 1:20 \
 :     htb rate 32kbit ceil 60Mbit
 : /usr/local/iproute2/sbin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq
 : /usr/local/iproute2/sbin/tc filter add dev eth0 parent 1:0 protocol ip \
 :     handle 1 fw flowid 1:20

Your tc commands look correct. You have an implicit class which will transmit as fast as the hardware allows; that is HTB's default.

 : /sbin/iptables -t mangle -A POSTROUTING -s 192.168.1.2 -j MARK --set-mark 1

Now, simply add this:

    /sbin/iptables -t mangle -A POSTROUTING -d 192.168.1.2 -j MARK --set-mark 1

Now you'll be shaping both upload (from source client1) and download (to destination client1).

 : Will a packet with src 192.168.1.2 be put into classid 1:20, or will it at
 : that moment already be NATed, with its source 193.220.70.33?

The mark will survive while the packet is being handled by the kernel, so even after NAT, the mark will be available.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Martin A. Brown wrote:

> Ruslan,
>
>  : Can you help me understand how to make HTB work with NAT in my situation?
>
> You appear to have the right solution in mind. Mark the packets before
> the address has been altered, and add the filter command to put the
> packets into your 60Mbit class.
>
>  :     ---------------
>  :     |    linux     | eth0   ---------
>  :     | 193.220.70.33 |-------|switch |--|cisco|<-->internet
>  :     |     NAT      |        ---------
>  :     ---------------             |
>  :                                 |
>  :     -------------     eth0      |
>  :     | client1   |----------------
>  :     | 192.168.1.1 |
>  :     -------------
>  :
>  : Client's (192.168.1.2) default route is to 193.220.70.33.
>  :
>  : On the linux server (193.220.70.33) there is this rule:
>  :     iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to 193.220.70.33
>  :
>  : As I understand it, I can control the traffic bandwidth going to client1 and
>  : from client1 on the linux server, because the linux server has only one
>  : interface (maybe I'm wrong).
>
> I noticed your question earlier about using a machine with a single
> interface as a router. Is that what you are doing here? If so, then
> you'll want to add one other command, and here's why:
>
>  - Your linux machine will only shape data it is transmitting.
>  - You are shaping only data transmitted from client1 through the gateway
>    (practically speaking, this means you are capping the outbound flow
>    from client1).
>
>  : /usr/local/iproute2/sbin/tc qdisc add dev eth0 root handle 1: htb
>  : /usr/local/iproute2/sbin/tc class add dev eth0 parent 1:1 classid 1:20 \
>  :     htb rate 32kbit ceil 60Mbit
>  : /usr/local/iproute2/sbin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq
>  : /usr/local/iproute2/sbin/tc filter add dev eth0 parent 1:0 protocol ip \
>  :     handle 1 fw flowid 1:20
>
> Your tc commands look correct. You have an implicit class which will
> transmit as fast as the hardware allows; that is HTB's default.
>
>  : /sbin/iptables -t mangle -A POSTROUTING -s 192.168.1.2 -j MARK --set-mark 1
>
> Now, simply add this:
>
>     /sbin/iptables -t mangle -A POSTROUTING -d 192.168.1.2 -j MARK --set-mark 1
>
> Now you'll be shaping both upload (from source client1) and download
> (to destination client1).
>
>  : Will a packet with src 192.168.1.2 be put into classid 1:20, or will it at
>  : that moment already be NATed, with its source 193.220.70.33?
>
> The mark will survive while the packet is being handled by the kernel, so
> even after NAT, the mark will be available.
>
> -Martin

Thanks a lot for your valuable reply, Martin!

Can you tell me how to make it so that I have three HTB classes ('local' - 60Mbit, 'internet' - 512Kbit, 'outgoing inet' - 128Kbit) under the root qdisc, so that they won't borrow from each other?

Best regards,
Ruslan
Hi again, Ruslan,

No problem at all; that's what mailing lists are for....

 : Can you tell me how to make it so that I have three HTB classes
 : ('local' - 60Mbit, 'internet' - 512Kbit, 'outgoing inet' - 128Kbit)
 : under the root qdisc,

If you trawl back through the archive some, you'll find plenty of examples. I'd recommend looking at the wondershaper, too....but here's the brief answer:

    classes           cap (100Mbit?)
     1:1 -----+----------- 1:2 (sfq qdisc) rate = ceil = 60Mbit
              |
              +----------- 1:3 (sfq qdisc) rate = ceil = 128kbit
              |
              +----------- 1:4 (sfq qdisc) rate = ceil = 512kbit

You might consider making 1:2 the default class.

 : so that they won't borrow from each other?

HTB classes never borrow from each other. They only (optionally) borrow up to ceil from their parent.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
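The three-class tree Martin sketches, combined with the two-direction marking from his earlier reply, as an added shell example that is not from the thread: it prints the tc and iptables commands it would run and only executes them when APPLY=1 (root and a real interface required). The device name, client address, local network, explicit 1:1 parent class and the mark-to-class mapping (mark 2/3/4 goes to class 1:2/1:3/1:4) are assumptions for this example.

```shell
#!/bin/sh
# Added example: single-interface NAT gateway shaping one client with HTB.
# Assumed values; override via the environment.
DEV=${DEV:-eth0}
CLIENT=${CLIENT:-192.168.1.2}
LOCALNET=${LOCALNET:-192.168.0.0/16}

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# One leaf class with rate == ceil (so it cannot borrow from 1:1),
# an sfq qdisc under it, and an fw filter mapping mark $1 to class 1:$1.
setup_leaf() {
    minor=$1; bw=$2
    run tc class add dev "$DEV" parent 1:1 classid "1:$minor" htb rate "$bw" ceil "$bw"
    run tc qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
    run tc filter add dev "$DEV" parent 1: protocol ip handle "$minor" fw flowid "1:$minor"
}

# Root HTB with 1:2 ('local') as the default class, an explicit 1:1 parent
# sized to the link, and the three non-borrowing leaves from the thread.
setup_qdisc() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 2
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
    setup_leaf 2 60mbit    # 'local'
    setup_leaf 3 128kbit   # 'outgoing inet' (upload from the client)
    setup_leaf 4 512kbit   # 'internet' (download to the client)
}

# Marks are set in mangle POSTROUTING, which runs before nat POSTROUTING:
# the client's private source address is still visible when marking, and
# replies have already been de-NATed to the client address in PREROUTING.
setup_marks() {
    run iptables -t mangle -A POSTROUTING -s "$CLIENT" -d "$LOCALNET" -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -d "$CLIENT" -s "$LOCALNET" -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -s "$CLIENT" ! -d "$LOCALNET" -j MARK --set-mark 3
    run iptables -t mangle -A POSTROUTING -d "$CLIENT" ! -s "$LOCALNET" -j MARK --set-mark 4
}

setup_qdisc
setup_marks
```

Because the gateway has one interface, both directions of the client's traffic leave through eth0, which is why the download rule (-d $CLIENT) is needed alongside the upload rule.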