Hi All,

I wonder, can I do NAT+mangle+tc on the same machine? I want to shape
outgoing traffic per IP on my gateway computer.

Regards
Emil Terziev

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Monday 11 October 2004 07:29, emo terziev wrote:
> Hi All,
> I wonder, can I do NAT+mangle+tc on the same machine? I want to shape
> outgoing traffic per IP on my gateway computer.

Sure, you can do that on the same machine.

You can do NAT with a variety of scripts or just hand-written iptables rules.
Personally, I use the gShield iptables firewall. As for `tc`, you might look
into the LARTC HOWTO.

http://lartc.org/

-- 
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff
Hi, Jason

I know the LARTC HOWTO. My download shapers work fine, but I don't know if I
can limit upload when I have NAT, because the source IP address is changed
and I cannot make a u32 src filter.

On the other hand, packet marking isn't usable in my case, because I want
user A to have, for example, 128K to group A networks and 64K to group B,
and user B to have 256k to group A and 1Mbit to group B.

Download is easy, but for upload I unfortunately don't know how it should
be done :( This is over my knowledge, I think.

Please, anyone with more experience, just give me an idea how it can be done.

[ASCII network diagram: User A, User B, ... User N connect to a switch/hub,
which connects to the router's eth1; the router does NAT and its eth0 leads
to the Internet, which is divided into group A (180 different networks) and
group B (all the rest of the internet).]

Best Regards
emo terziev

On Mon, 11 Oct 2004 12:09:24 -0400, Jason Boxman <jasonb@edseek.com> wrote:
> Sure, you can do that on the same machine.
>
> You can do NAT with a variety of scripts or just hand-written iptables rules.
> Personally, I use the gShield iptables firewall. As for `tc`, you might look
> into the LARTC HOWTO.
>
> http://lartc.org/
Hi

What you can do is mark the packets in netfilter (iptables) and then use the
marks to assign the packets to classes. You can do something like

  iptables -t mangle -A PREROUTING -s AddrIWantToShape  -j MARK --set-mark 0x02
  iptables -t mangle -A PREROUTING -s AddrIWantToShape2 -j MARK --set-mark 0x03

  iptables -t nat -A POSTROUTING -s AddrIWantToShape  -o InternetInt -j MASQUERADE
  iptables -t nat -A POSTROUTING -s AddrIWantToShape2 -o InternetInt -j MASQUERADE

  tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 2 fw flowid 1:30
  tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 3 fw flowid 1:40

Something like that

Alex

On Mon, Oct 11, 2004 at 07:45:02PM +0300, emo terziev wrote:
> Hi, Jason
> I know the LARTC HOWTO. My download shapers work fine, but
> I don't know if I can limit upload when I have NAT, because the source IP
> address is changed and I cannot make a u32 src filter.
>
> On the other hand, packet marking isn't usable in my case, because I want
> user A to have, for example, 128K to group A networks and 64K to group B,
> and user B to have 256k to group A and 1Mbit to group B.
>
> Download is easy, but for upload I unfortunately don't know how it should be done :(
> This is over my knowledge, I think.
>
> Please, anyone with more experience, just give me an idea how it can be done.
>
> [ASCII network diagram, as in the previous message]
>
> Best Regards
> emo terziev
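Added example, not from this thread or any of its authors: a POSIX sh script that emits the iptables and tc commands for Alex's mark-then-classify approach, extended to emo's requirement of a different rate per user and per destination group (group B is handled as "everything not marked as group A"). The interface name, uplink ceiling, user addresses and group A networks are constructed placeholders.

```sh
#!/bin/sh
# Emit iptables + tc commands that shape upload per (internal user, destination group)
# on a NAT gateway. Marks are set in mangle PREROUTING, where the original source
# address is still visible; SNAT in nat POSTROUTING rewrites the address but the
# mark stays on the packet, so the fw classifier on the WAN side can still pick it out.
WAN=eth0            # assumed external (post-NAT) interface
WAN_RATE=10mbit     # assumed total uplink ceiling
GROUP_A="10.10.0.0/16 10.20.0.0/16"     # constructed stand-ins for the "group A" networks
# Constructed user table: internal_ip  rate_to_group_A  rate_to_group_B (everything else)
USERS="192.168.1.10 128kbit 64kbit
192.168.1.11 256kbit 1mbit"

gen_rules() {
    # Root HTB with one parent class; unmarked traffic falls into leaf 1:99.
    echo "tc qdisc add dev $WAN root handle 1: htb default 99"
    echo "tc class add dev $WAN parent 1: classid 1:1 htb rate $WAN_RATE"
    echo "tc class add dev $WAN parent 1:1 classid 1:99 htb rate 64kbit ceil $WAN_RATE"
    mark=1
    echo "$USERS" | while read -r ip rate_a rate_b; do
        [ -n "$ip" ] || continue
        for grp in A B; do
            mark=$((mark + 1))          # one unique mark per (user, group) pair
            minor=$((mark * 10))        # leaf classids 1:20, 1:30, ...; never the root 1:1
            if [ "$grp" = A ]; then
                rate=$rate_a
                for net in $GROUP_A; do
                    echo "iptables -t mangle -A PREROUTING -s $ip -d $net -j MARK --set-mark $mark"
                done
            else
                rate=$rate_b
                # Group B is "everything from this user not already marked as group A".
                echo "iptables -t mangle -A PREROUTING -s $ip -m mark --mark 0 -j MARK --set-mark $mark"
            fi
            echo "tc class add dev $WAN parent 1:1 classid 1:$minor htb rate $rate ceil $rate"
            echo "tc filter add dev $WAN parent 1: protocol ip pref 5 handle $mark fw classid 1:$minor"
        done
    done
    # NAT runs after the marks are set, so the marks survive the address rewrite.
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

gen_rules
```

Review the printed rules, then pipe the output to sh on the gateway; because group A rules for a user are appended before that user's catch-all rule, the `--mark 0` match only catches traffic to non-group-A destinations.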
On Tue, 12 Oct 2004 07:04:17 +1000 Alexander Samad <alex@samad.com.au> wrote:
> you can do something like
>
> iptables -t mangle -A PREROUTING -s AddrIWantToShape  -j MARK --set-mark 0x02
> iptables -t mangle -A PREROUTING -s AddrIWantToShape2 -j MARK --set-mark 0x03
-- SNIP --
> tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 2 fw flowid 1:30
> tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 3 fw flowid 1:40

Hi All.

I am also fighting this for some time now. And I got:
(icmp incoming thru eth1 should be put into output eth2 flow 1:1)

  iptables -t mangle -A PREROUTING -i eth1 -p icmp -j MARK --set-mark 1
  tc filter add dev eth2 protocol ip parent 1: pref 1 handle 1 fw flowid 1:1
  RTNETLINK answers: Invalid argument

Linux Slackware 8.1
iptables v1.2.6a
Kernel 2.4.20-pre10 with <*> Firewall based classifier
tc downloaded from docum.org

The funny thing is that the line below does not give me any errors:

  tc filter add dev $INTERNET protocol ip \
     parent 1:0 prio 1 u32 \
     match ip src X.Y.W.Z/29 \
     flowid 1:FFFE

It is another classifier, I know. But what am I doing wrong?

-- 
Ethy H. Brito
InterNexo Ltda.
+55 (12) 3941-6860
S.J.Campos - Brasil
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
On Tue, 12 Oct 2004, Robert Felber wrote:
> try:
>
> tc filter add dev eth2 protocol ip parent 1: prio 1 handle 1 fw classid 1:X
>
> X is your class, it should not be 1 since this is usually a root class (I
> guess you are using HTB). Example:

Ok. I created two special classes under '1:' for each interface to
accommodate the icmp traffic.
Now the 'tc filter ... fw ...' lines work flawlessly.

But after I execute the 'tc filter ... fw ...' command, every
'tc filter ... match ...' after those gives me the
'RTNETLINK answers: Invalid argument' error.

Aren't they (fw and match) supposed to coexist?

If I comment out the 2 'filter fw' lines the errors disappear.

Any ideas?

Ethy H. Brito
On Wed, 2004-10-13 at 01:29, Ethy H. Brito wrote:
> Ok. I created two special classes under '1:' for each interface to accommodate
> the icmp traffic.
> Now the 'tc filter ... fw ...' lines work flawlessly.
>
> But after I execute the 'tc filter ... fw ...' command, every
> 'tc filter ... match ...' after those gives me the
> 'RTNETLINK answers: Invalid argument' error.
>
> Aren't they (fw and match) supposed to coexist?

Hm, no. I have a setup based solely on fw marks. After adding a u32 match
filter I get no RTNETLINK messages:

  # tc filter show dev imq0
  filter parent 1: protocol ip pref 1 fw
  filter parent 1: protocol ip pref 1 fw handle 0x1 classid 1:10
  filter parent 1: protocol ip pref 2 fw
  filter parent 1: protocol ip pref 2 fw handle 0x2 classid 1:20
  filter parent 1: protocol ip pref 10 u32
  filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
  filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:30
    match 312c0404/ffffffff at 12

Probably some version bug? I have

  # tc -V
  tc utility, iproute2-ss020116

-- 
Robert Felber (IT management)
Autohaus Erich Kuttendreier
Drosselweg 21
81827 Muenchen
Tel: +49 (0) 89 / 453 12-86
Fax: +49 (0) 89 / 453 12-80
PGP: 896CF30B
PGP-Fingerprint: CF36 AA93 9716 63E8 962F 15CC A80E 1A79 BF77 25EA