Hi all
I have a linux gateway box, eth1 internet and eth0 lan.
Now I made my qdisc for eth1 but now I want to mark them with iptables.
The thing is I don't know what to use, -A FORWARD or PREROUTING?
Please can someone help
thanks

eddie

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
I mark everything on my internal interface. I have classes for incoming
websurfing traffic which I use HTB to control the traffic. This is done on
my internal NIC. I also have classes on my external interface which
controls my outgoing traffic such as web (port 80) and smtp (port 25).
This is done on my external NIC.

Mike Fetherston

> -----Original Message-----
> From: Eddie [mailto:eddieknows@ananzi.co.za]
> Sent: Monday, December 08, 2003 10:02 AM
> To: Mike
> Subject: RE: [LARTC] mangle
>
> So you put all rules on your internal interface?
>
> On Mon, 2003-12-08 at 16:43, Mike wrote:
> > In my case eth1 is my internal NIC. I'm giving certain groups of IP's
> > certain amounts of bandwidth. If you're trying to give full bandwidth
> > to ssh traffic, you could mark on destination port 22 and assign that
> > mark to a flowid with full bandwidth. I believe you would still use the
> > PREROUTING table to mark with.
> >
> > Why do you want to give SSH traffic full bandwidth?
> >
> > Mike Fetherston
> >
> > > -----Original Message-----
> > > From: Eddie [mailto:eddieknows@ananzi.co.za]
> > > Sent: Monday, December 08, 2003 9:53 AM
> > > To: Mike
> > > Subject: RE: [LARTC] mangle
> > >
> > > ok that is how I have, if eth1 is external, this will shape traffic for
> > > all the lan people, right.
> > > BUT what do I do to give me full bandwidth when I ssh remotely to work
> > > on the box. Will I use OUTPUT??
> > > Thanks, it helped a lot :-) really
> > >
> > > On Mon, 2003-12-08 at 16:31, Mike wrote:
> > > > I've been using PREROUTING to mark packets and it's been working
> > > > very well.
> > > >
> > > > iptables -t mangle -I PREROUTING -i eth1 -s $IP -j MARK --set-mark 3
> > > >
> > > > and if you're using HTB, this command:
> > > >
> > > > tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 3 fw flowid 1:13
> > > >
> > > > will act on those marked packets. It's the 'handle 3' which uses
> > > > the --set-mark 3.
> > > >
> > > > Mike Fetherston
> > > >
> > > > > -----Original Message-----
> > > > > From: Eddie [mailto:eddieknows@ananzi.co.za]
> > > > > Sent: Monday, December 08, 2003 8:40 AM
> > > > > To: lartc
> > > > > Subject: [LARTC] mangle
> > > > >
> > > > > Hi all
> > > > > I have a linux gateway box, eth1 internet and eth0 lan
> > > > > Now I made my qdisc for eth1 but now I want to mark them with iptables.
> > > > > The thing is I don't know what to use, -A FORWARD or PREROUTING?
> > > > > Please can someone help
> > > > > thanks
> > > > >
> > > > > eddie
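An added example, not code from any poster in this thread, that puts Mike's mark-then-classify approach into one script and also covers Eddie's remote-ssh question: the PREROUTING rule marks ssh that LAN hosts send out through eth1, and because PREROUTING never sees packets the gateway generates itself, a second rule in mangle OUTPUT marks the gateway's own sshd replies; the `tc filter ... handle 3 fw` then sends both into an HTB class on eth1. Interface names and mark 3 follow the thread; the rates, class ids, `verify` step and the DRY_RUN wrapper are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): mark SSH traffic in the mangle table
# and steer it into an HTB class on the internet-facing interface. The
# egress qdisc on eth1 only shapes packets leaving eth1, and PREROUTING
# never sees locally generated packets, so two mark rules are needed:
#   PREROUTING - ssh from LAN hosts, forwarded out eth1
#   OUTPUT     - the gateway's own sshd replies when you ssh in remotely
# Rates and class ids are assumptions. DRY_RUN=1 (default) prints commands.
DRY_RUN=${DRY_RUN:-1}
WAN=eth1        # internet side (shaped)
LAN=eth0        # LAN side
SSH_MARK=3      # fw mark; must equal "handle 3" in the tc filter below

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mark_rules() {
    # forwarded LAN -> internet ssh sessions: arrive on eth0, routed out eth1
    run iptables -t mangle -A PREROUTING -i "$LAN" -p tcp --dport 22 \
        -j MARK --set-mark "$SSH_MARK"
    # replies from sshd on the gateway: locally generated, so mangle OUTPUT
    run iptables -t mangle -A OUTPUT -p tcp --sport 22 \
        -j MARK --set-mark "$SSH_MARK"
}

tc_setup() {
    # HTB tree on eth1: 1:10 is a high-priority class for ssh, 1:20 is the
    # default for everything else; both may borrow up to the full link.
    run tc qdisc add dev "$WAN" root handle 1: htb default 20
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate 512kbit
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb \
        rate 256kbit ceil 512kbit prio 0
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb \
        rate 256kbit ceil 512kbit prio 1
    # the fw classifier matches on the mark set by iptables above
    run tc filter add dev "$WAN" parent 1:0 protocol ip prio 2 \
        handle "$SSH_MARK" fw flowid 1:10
}

verify() {
    # packet/byte counters show whether marking and classification happen
    run iptables -t mangle -L -v -n
    run tc -s class show dev "$WAN"
}

if [ "${1:-}" = apply ]; then
    tc_setup && mark_rules && verify
fi
```

Run as `DRY_RUN=0 sh shape-ssh.sh apply` on the gateway to apply; without `apply` it only defines the functions.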
On Monday, 08 December 2003, at 15:39:48 +0200, Eddie wrote:

> I have a linux gateway box, eth1 internet and eth0 lan
> Now I made my qdisc for eth1 but now I want to mark them with iptables.
> The thing is I don't know what to use, -A FORWARD or PREROUTING?
>
Check for the Kernel Packet Traveling Diagram at:

http://www.docum.org/stef.coene/qos/kptd/

You will see very clearly the path of packets traversing your Linux box,
and will be able to know the exact place where to mark traffic.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test10-mm1)
> On Monday, 08 December 2003, at 15:39:48 +0200, Eddie wrote:
>
> > I have a linux gateway box, eth1 internet and eth0 lan
> > Now I made my qdisc for eth1 but now I want to mark them with iptables.
> > The thing is I don't know what to use, -A FORWARD or PREROUTING?
> >
> Check for the Kernel Packet Traveling Diagram at:
> http://www.docum.org/stef.coene/qos/kptd/

Please note that this diagram is not valid for iptables.
When using iptables, packets that are "traversing" the linux box (forwarded
traffic) do not go through the INPUT and OUTPUT chains.

You'll find an iptables packet traversal diagram at:
http://www.knowplace.org/netfilter/packet_traversal.gif

Rgds,
Ronnie.
Whoa!! Back up the truck!

: > Check for the Kernel Packet Traveling Diagram at:
: > http://www.docum.org/stef.coene/qos/kptd/
:
: Please note that this diagram is not valid for iptables.

I think I disagree.

: When using iptables, packets that are "traversing" the linux box
: (forwarded traffic) do not go through the INPUT and OUTPUT chains.

The KPTD hosted on docum.org certainly does accurately reflect the
traversal of iptables. Please send corrections if you find something
wrong with the KPTD. This was a collective effort by Leonardo Balliache,
Stef Coene, and some others on this very list.

It doesn't depict the relationship between iptables and bridging, but
that is a well-known exception to this diagram.

: You'll find an iptables packet traversal diagram at:
: http://www.knowplace.org/netfilter/packet_traversal.gif

This is a fine picture, too, though, Ron.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Monday, 08 December 2003, at 17:18:52 +0100, Ronnie Garcia wrote:

> Please note that this diagram is not valid for iptables.
>
I think you did not interpret the diagram correctly. For "iptables" you
will have to focus just on the BLUE boxes with the CAPITAL names, and
forget about the lowercase ones, that are for "ipchains".

And each packet entering the box will follow just one path, and this path
is determined after the routing stage: any packet going through the box
(neither generated nor destined to it) will go the path on the right,
through the FORWARD chain of "iptables". From then on the travel is simple
to follow.

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test10-mm1)
> On Monday, 08 December 2003, at 17:18:52 +0100, Ronnie Garcia wrote:
>
> > Please note that this diagram is not valid for iptables.
> >
> I think you did not interpret the diagram correctly. For "iptables" you
> will have to focus just on the BLUE boxes with the CAPITAL names, and
> forget about the lowercase ones, that are for "ipchains".

My bad, that's right. The diagram is a bit confusing like this, what about
drawing two different diagrams, since ipchains and netfilter behave quite
differently? I can send diffs if needed =)

Rgds,
Ronnie.
Hi,

i have two questions about the diagram.

> The KPTD hosted on docum.org certainly does accurately reflect the
> traversal of iptables. Please send corrections if you find something
> wrong with the KPTD. This was a collective effort by Leonardo Balliache,
> Stef Coene, and some others on this very list.

first: what does PDBB stand for? is this the point where the RPDB is asked?

second: isn't there a hook between the OUTPUT and the POSTROUTING chain, to
handle the routing for packets generated by local processes? Described in
Figure 3.3.2 from http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH03.web.html

thx,
Jan Gerritsen