Well, it appears I have no clue what I'm doing. I thought I had the below script working to shape outbound FTP traffic... however, it is shaping inbound traffic too. I have NO clue why. Please comment if anyone has any ideas why this doesn't work. I want to shape only outbound FTP traffic and not inbound or LAN traffic.

#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed

# mark the outbound passive ftp packets on ports 50000-51000
# (remove any old copy of our chain first so the script can be re-run)
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# active-mode data port (control port 65437 minus one) and the passive range
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

# clear it
tc qdisc del dev eth0 root

# add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 26

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# add leaf classes (tc's "kbps" is kilobytes per second, so 40kbps = 40 KB/s)
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 40kbps
tc class add dev eth0 parent 1:1 classid 1:26 htb rate 100mbit

# filter traffic into classes by firewall mark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Wednesday 24 November 2004 04:23, nix4me wrote:
> Well, it appears I have no clue what I'm doing. I thought I had the below
> script working to shape outbound FTP traffic... however, it is shaping
> inbound traffic too. I have NO clue why.

Me neither. What's your setup? Where is eth0 connected to?

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
Stef Coene wrote:
> Me neither. What's your setup? Where is eth0 connected to?

The machine is a local machine behind a router.

Mark
nix4me wrote:
> Stef Coene wrote:
>> Me neither. What's your setup? Where is eth0 connected to?
> The machine is a local machine behind a router.
> Mark

Mark,

<SCOLD>
Learn how to answer the question, damnit! I have been watching you repeatedly post this with NO information and ignoring you because of that.

Explain in words and with a diagram what your setup is and why you are specifying those "fifty thousand series" port numbers (my FTP server returns data on any high port the receiver can get data on).

We are not psychic.
</SCOLD>

gypsy
24.xxx.xxx.xxx
   |router|
192.168.1.1
   |switch|
192.168.1.100 & 192.168.1.101

I am running proftpd on 192.168.1.101 with the port set to 65437 and with passive ports set to 50000-51000. Proftpd allows you to specify a range of ports to use on passive transfers. I need to be able to limit my outbound FTP traffic to 40 Kbytes per second.

The only way I can see to do this is to limit by marking packets with iptables. I am marking traffic on 65436, which is the active FTP data port (65437-1), and 50000-51000. Outbound shaping is working fine... however... inbound FTP traffic is also being shaped to 40K. I have no idea why.

Seems to me the below rules should mark outbound packets and shape only outbound packets. I don't understand why inbound packets are getting shaped.

Here is the script:

#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed

# mark the outbound passive ftp packets on ports 50000-51000
# (remove any old copy of our chain first so the script can be re-run)
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# active-mode data port (control port 65437 minus one) and the passive range
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

# clear it
tc qdisc del dev eth0 root

# add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 26

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# add leaf classes (tc's "kbps" is kilobytes per second, so 40kbps = 40 KB/s)
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 40kbps
tc class add dev eth0 parent 1:1 classid 1:26 htb rate 100mbit

# filter traffic into classes by firewall mark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26
gypsy wrote:
> <SCOLD>
> Learn how to answer the question, damnit! I have been watching you
> repeatedly post this with NO information and ignoring you because of
> that.
>
> Explain in words and with a diagram what your setup is and why you are
> specifying those "fifty thousand series" port numbers (my FTP server
> returns data on any high port the receiver can get data on).
>
> We are not psychic.
> </SCOLD>
>
> gypsy

I apologize for not providing enough information. My next post will explain exactly what I am trying to do.

Mark
nix4me wrote:
> 24.xxx.xxx.xxx
>    |router|
> 192.168.1.1
>    |switch|
> 192.168.1.100 & 192.168.1.101

So can we assume that 192.168.1.1 has 2 NICs, eth0 facing 24.x.x.x/32 and eth1 facing 192.168.1.0/24?

> I am running proftpd on 192.168.1.101 with the port set to 65437 and
> with passive ports set to 50000-51000. Proftpd allows you to specify a
> range of ports to use on passive transfers. I need to be able to limit
> my outbound FTP traffic to 40 Kbytes per second.
> The only way I can see to do this is to limit by marking packets with
> iptables. I am marking traffic on 65436, which is the active FTP data
> port (65437-1), and 50000-51000. Outbound shaping is working
> fine... however... inbound FTP traffic is also being shaped to 40K. I
> have no idea why.
>
> Seems to me the below rules should mark outbound packets and shape only
> outbound packets. I don't understand why inbound packets are getting shaped.
>
> Here is the script:
> #!/bin/bash
> #shaping passive and active outbound ftp traffic on an internal computer
> without affecting inbound and lan speed
>
> # mark the outbound passive ftp packets on ports 50000-51000
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
>
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

1) Are you sure these rules are correctly marking and that the marks exist at the time the tc filter sees the packet? My hunch is NOT.
ASIDE: We _really_ need a way for filters to report hit counts!

2) Since 1:26 is htb default, why is it necessary to '--set-mark 26'?

gypsy
gypsy wrote:
> So can we assume that 192.168.1.1 has 2 NICs, eth0 facing 24.x.x.x/32
> and eth1 facing 192.168.1.0/24?

Yes. Although I am not running the script on this box. It's a plain Ipcop Linux firewall.

> 1) Are you sure these rules are correctly marking and that the marks
> exist at the time the tc filter sees the packet? My hunch is NOT.
> ASIDE: We _really_ need a way for filters to report hit counts!

No, I am not sure. I have used the command 'watch -n1 tc -s class ls dev eth0' to see the packets flying, but I don't really know how to make sure they are being marked correctly. I must assume that ALL packets on ports 65436 and 50000-51000 are being marked because they are being shaped. Just not sure why incoming packets are being marked and shaped. Outbound shaping is working just fine.

> 2) Since 1:26 is htb default, why is it necessary to '--set-mark 26'?

I thought it was necessary.

> gypsy
>>> I am running proftpd on 192.168.1.101 with the port set to 65437 and
>>> with passive ports set to 50000-51000. Proftpd allows you to specify a
>>> range of ports to use on passive transfers. I need to be able to limit
>>> my outbound FTP traffic to 40 Kbytes per second.

Could you post the bits of the proftpd config that do this - I have (but rarely use) proftpd and could test.

>>> The only way I can see to do this is to limit by marking packets with
>>> iptables. I am marking traffic on 65436, which is the active FTP data
>>> port (65437-1), and 50000-51000. Outbound shaping is working
>>> fine... however... inbound FTP traffic is also being shaped to 40K. I
>>> have no idea why.

Is this when there is ftp traffic both ways or just inbound?

>>> Seems to me the below rules should mark outbound packets and shape only
>>> outbound packets. I don't understand why inbound packets are getting
>>> shaped.
>>>
>>> Here is the script:
>>> #!/bin/bash
>>> #shaping passive and active outbound ftp traffic on an internal computer
>>> without affecting inbound and lan speed
>>>
>>> # mark the outbound passive ftp packets on ports 50000-51000
>>> iptables -t mangle -N MYSHAPER-OUT
>>> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
>>>
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>>
>> 1) Are you sure these rules are correctly marking and that the marks
>> exist at the time the tc filter sees the packet? My hunch is NOT.
>> ASIDE: We _really_ need a way for filters to report hit counts!
>
> No, I am not sure. I have used the command 'watch -n1 tc -s class ls
> dev eth0' to see the packets flying, but I don't really know how to make
> sure they are being marked correctly. I must assume that ALL packets on
> ports 65436 and 50000-51000 are being marked because they are being
> shaped. Just not sure why incoming packets are being marked and
> shaped. Outbound shaping is working just fine.

You can see counters for iptables rules with iptables -t mangle -L -v -n

Andy.
Andy Furniss wrote:
>>>>> I am running proftpd on 192.168.1.101 with the port set to 65437 and
>>>>> with passive ports set to 50000-51000. Proftpd allows you to
>>>>> specify a range of ports to use on passive transfers. I need to be
>>>>> able to limit my outbound FTP traffic to 40 Kbytes per second.
>
> Could you post the bits of the proftpd config that do this - I have
> (but rarely use) proftpd and could test.

PassivePorts 50000 51000
# Port 21 is the standard FTP port.
Port 65437

>>>>> The only way I can see to do this is to limit by marking packets with
>>>>> iptables. I am marking traffic on 65436, which is the active FTP data
>>>>> port (65437-1), and 50000-51000. Outbound shaping is working
>>>>> fine... however... inbound FTP traffic is also being shaped to 40K. I
>>>>> have no idea why.
>
> Is this when there is ftp traffic both ways or just inbound?

Both ways.

>>> 1) Are you sure these rules are correctly marking and that the marks
>>> exist at the time the tc filter sees the packet? My hunch is NOT.
>>> ASIDE: We _really_ need a way for filters to report hit counts!
>>
>> No, I am not sure. I have used the command 'watch -n1 tc -s class ls
>> dev eth0' to see the packets flying, but I don't really know how to
>> make sure they are being marked correctly. I must assume that ALL
>> packets on ports 65436 and 50000-51000 are being marked because they
>> are being shaped. Just not sure why incoming packets are being
>> marked and shaped. Outbound shaping is working just fine.
>
> You can see counters for iptables rules with iptables -t mangle -L -v -n
>
> Andy.

Thanks for helping.
nix4me wrote:
> Andy Furniss wrote:
>>>>>> I am running proftpd on 192.168.1.101 with the port set to 65437 and
>>>>>> with passive ports set to 50000-51000. Proftpd allows you to
>>>>>> specify a range of ports to use on passive transfers. I need to be
>>>>>> able to limit my outbound FTP traffic to 40 Kbytes per second.
>>
>> Could you post the bits of the proftpd config that do this - I have
>> (but rarely use) proftpd and could test.
>
> PassivePorts 50000 51000
> # Port 21 is the standard FTP port.
> Port 65437
>
>>>>>> The only way I can see to do this is to limit by marking packets with
>>>>>> iptables. I am marking traffic on 65436, which is the active FTP data
>>>>>> port (65437-1), and 50000-51000. Outbound shaping is working
>>>>>> fine... however... inbound FTP traffic is also being shaped to 40K. I
>>>>>> have no idea why.
>>
>> Is this when there is ftp traffic both ways or just inbound?
>
> Both ways.

You need to add another rule to stop the acks for the upload getting put in the queue for the outbound. Just marking on size would be OK for you I think, as a test try adding -

iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 26

Andy.
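As an added example (my own script, not the poster's or Andy's), here is the thread's script with Andy's length rule folded in and the rule order that makes it work: MARK does not stop rule processing, so the later `--length :64` rule overrides mark 20 for the small pure-ACK packets this host sends while it is receiving an upload, and those stay in the default class. It also drops the `--mark 0 --set-mark 26` rule and the mark-26 filter, since gypsy noted that 1:26 is already the htb default, and adds the counter checks Andy suggested. Two things are my assumptions, not from the thread: the `-d 192.168.1.0/24 -j RETURN` rule (so LAN transfers are never shaped, which the original post asked for) and the DRYRUN switch, which prints the commands instead of running them so the rule order can be checked without root.

```shell
#!/bin/sh
# Added example, not the original poster's script: outbound-only FTP shaping
# on the proftpd host itself, with Andy Furniss' small-packet exemption.
#
# Assumptions taken from the thread: the server is 192.168.1.101, eth0 is its
# only NIC, proftpd listens on 65437 with "PassivePorts 50000 51000", and the
# LAN is 192.168.1.0/24. DRYRUN=1 (default) only prints the commands;
# DRYRUN=0 applies them and needs root.

DRYRUN="${DRYRUN:-1}"
DEV="${DEV:-eth0}"
LAN="${LAN:-192.168.1.0/24}"            # assumption: LAN prefix behind the router
CTRL_PORT="${CTRL_PORT:-65437}"         # proftpd "Port 65437"
PASV_RANGE="${PASV_RANGE:-50000:51000}" # proftpd "PassivePorts 50000 51000"
RATE="${RATE:-40kbps}"                  # tc's kbps is kilobytes/s: 40 KB/s as required
LINK="${LINK:-100mbit}"

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# active-mode data connections originate from the control port minus one
active_port() { echo $(( CTRL_PORT - 1 )); }

mark_rules() {
    # idempotent teardown of our chain (errors ignored when it does not exist yet)
    run iptables -t mangle -D OUTPUT -o "$DEV" -j MYSHAPER-OUT 2>/dev/null
    run iptables -t mangle -F MYSHAPER-OUT 2>/dev/null
    run iptables -t mangle -X MYSHAPER-OUT 2>/dev/null
    run iptables -t mangle -N MYSHAPER-OUT
    run iptables -t mangle -I OUTPUT -o "$DEV" -j MYSHAPER-OUT
    # 1. packets for the LAN leave unmarked and fall into the htb default class
    run iptables -t mangle -A MYSHAPER-OUT -d "$LAN" -j RETURN
    # 2. FTP data this host sends: active data port and the passive range
    run iptables -t mangle -A MYSHAPER-OUT -p tcp --sport "$(active_port)" -j MARK --set-mark 20
    run iptables -t mangle -A MYSHAPER-OUT -p tcp --sport "$PASV_RANGE" -j MARK --set-mark 20
    # 3. Andy's rule, appended LAST: MARK is non-terminating, so this overrides
    #    mark 20 for short packets (the ACKs of an inbound upload), keeping them
    #    out of the 40 KB/s class. 64 bytes covers a 20-byte IP header plus a
    #    TCP header with timestamp options and no payload.
    run iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 26
}

tc_rules() {
    run tc qdisc del dev "$DEV" root 2>/dev/null
    run tc qdisc add dev "$DEV" root handle 1: htb default 26
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK"
    # leaf for outbound FTP data: ceil defaults to rate, so this is a hard cap
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:26 htb rate "$LINK"
    # only mark 20 needs a filter; everything else lands in the default class 1:26
    run tc filter add dev "$DEV" parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
}

# per-rule packet counters (Andy's suggestion) and per-class byte counters
verify() {
    run iptables -t mangle -L MYSHAPER-OUT -v -n -x
    run tc -s class show dev "$DEV"
}

mark_rules
tc_rules
verify
```

Run it as `DRYRUN=0 sh shaper.sh` as root to apply. During an inbound upload the packet counter on the `--length :64` rule in `iptables -t mangle -L MYSHAPER-OUT -v -n -x` should climb while class 1:20 in `tc -s class show dev eth0` stays idle; during a download from the server the 1:20 counters climb and its rate settles at 40 KB/s.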
Andy Furniss wrote:
> > No, I am not sure. I have used the command 'watch -n1 tc -s class ls
> > dev eth0' to see the packets flying, but I don't really know how to make
> > sure they are being marked correctly. I must assume that ALL packets on
> > ports 65436 and 50000-51000 are being marked because they are being
> > shaped. Just not sure why incoming packets are being marked and
> > shaped. Outbound shaping is working just fine.
>
> You can see counters for iptables rules with iptables -t mangle -L -v -n
>
> Andy.

I have been thinking about this without getting much of anywhere, but here's what I think.

Let me start by paraphrasing your setup: You have a cable modem that is connecting to a NATting box that runs only IPCOP. This IPCOP box forwards everything to the LAN. On the LAN side of IPCOP all the packets you wish to shape have an IP ending 1.101. The computer with IP 1.100 can be ignored for shaping purposes.

If you MARK in iptables on IPCOP, I think the mark is internal only, so that 101 will never see the mark. You may not even be able to MARK on the IPCOP box (I know nothing of IPCOP). If you are able to on the IPCOP machine, consider setting the TOS field in the mangle table for externally initiated FTP such that either all bits are on or all are off (or some other unique value); then on 101 examine TOS and MARK appropriately on the 101 machine or, preferably, just u32 match the TOS there.

If mangling TOS on IPCOP is possible and fruitful, be sure to do your homework regarding mangle and PREROUTING (or whatever chain does what you need).

The IPCOP computer will "know" by the interface and --dport / --sport which FTP sessions were initiated from the internet versus those initiated on your LAN, but I can't see how 101 ever could. IPCOP might also run one or more of netfilter's conntracks for FTP if that were needed.

If I come up with anything after sleeping on this, I'll let you know. But for now the above is all I can conceive.

gypsy
gypsy wrote:
> Let me start by paraphrasing your setup: You have a cable modem that is
> connecting to a NATting box that runs only IPCOP. This IPCOP box forwards
> everything to the LAN. On the LAN side of IPCOP all the packets you wish
> to shape have an IP ending 1.101. The computer with IP 1.100 can be
> ignored for shaping purposes.
>
> [...]
>
> If I come up with anything after sleeping on this, I'll let you know.
> But for now the above is all I can conceive.
>
> gypsy

You are correct on my setup.

I am currently trying the addition that Andy recommended and it appears to be working. I am marking the ACK packets from the uploader and it seems to be fine now. No slow down for uploads and outbound is shaped nicely. I will continue to test to make sure everything is AOK.

Mark
> You are correct on my setup.
>
> I am currently trying the addition that Andy recommended and it
> appears to be working. I am marking the ACK packets from the uploader
> and it seems to be fine now. No slow down for uploads and outbound is
> shaped nicely. I will continue to test to make sure everything is AOK.
> Mark

Sorry for the reply to myself.

There are some drawbacks to the method I am using; I'm just not sure if they will actually affect anything. With this method, ANY traffic on ports 50000-51000 leaving my box will be shaped. Not sure if there are any other programs out there that use these ports.

I have found an excellent utility to do the shaping also. It's called 'pyshaper'. I am testing it also. It seems to work nicely. I have it set to shape outbound connections based on username. It runs netstat every 15 seconds and picks the transfers on certain usernames and shapes them on the fly. Works very well in my situation. I will continue to test both options to see which is best for me.

Thanks for all the help.

Mark
On Saturday 27 November 2004 09:01, nix4me wrote:
<snip>
> I have found an excellent utility to do the shaping also. It's called
> 'pyshaper'. I am testing it also. It seems to work nicely. I have it
> set to shape outbound connections based on username. It runs netstat
> every 15 seconds and picks the transfers on certain usernames and shapes
> them on the fly. Works very well in my situation. I will continue to
> test both options to see which is best for me.

You could also use Netfilter and the owner match module.

--
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff
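Following Jason's pointer, here is an added example (mine, not from the thread) that marks by socket owner instead of by source port, which sidesteps the drawback Mark raised of shaping anything that happens to use ports 50000-51000. The owner match only works for locally generated packets, which is fine here because the thread's MYSHAPER-OUT chain hangs off OUTPUT. It assumes proftpd's per-login session process is running under the logged-in user's uid by the time it opens the data socket (that is what its privilege dropping after authentication is meant to give you, but check it on your build with the counters); the uids 1001 and 1002 and the DRYRUN switch are placeholders and my own additions.

```shell
#!/bin/sh
# Added example, not from the thread: mark outbound packets by the uid that
# owns the sending socket, per Jason Boxman's owner-match suggestion, instead
# of by port. Assumption: proftpd's session process has switched to the
# logged-in user's uid before it opens the data connection, so every byte of
# that user's transfers, active or passive, carries the user's uid.
# DRYRUN=1 (default) prints the commands; DRYRUN=0 applies them (root needed).

DRYRUN="${DRYRUN:-1}"

run() { if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# resolve_uid NAME_OR_UID: numbers pass through, names go through the passwd db
resolve_uid() {
    case "$1" in
        '') return 1 ;;
        *[!0-9]*) getent passwd "$1" | cut -d: -f3 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# owner_mark_rules MARK USER...: append one MARK rule per user to MYSHAPER-OUT,
# the chain the thread's script already jumps to from OUTPUT -o eth0.
# The ACK exemption (-m length --length :64 -> mark 26) must still be appended
# after these, exactly as with the port-based rules, or inbound uploads slow.
owner_mark_rules() {
    mark="$1"; shift
    [ $# -gt 0 ] || { echo "usage: owner_mark_rules MARK USER..." >&2; return 1; }
    for user in "$@"; do
        uid=$(resolve_uid "$user")
        case "$uid" in
            ''|*[!0-9]*) echo "unknown user: $user" >&2; return 1 ;;
        esac
        # every TCP packet sent from a socket owned by $uid, whatever the port
        run iptables -t mangle -A MYSHAPER-OUT -p tcp -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"
    done
}

# placeholder uids for two FTP accounts; replace with `id -u <ftp user>`
owner_mark_rules 20 1001 1002
```

After applying, `iptables -t mangle -L MYSHAPER-OUT -v -n -x` shows a per-uid packet count, so it is easy to confirm the session process really does own the data socket: if the count stays at zero while that user transfers, proftpd opened the socket before dropping privileges and the port-based rules from the thread are the fallback.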
Hi,

Is there a tool to configure iptables MARK and tc using a script, maybe something like htb.init?

Regards,
Kris
Does anyone know how to shape ICMP traffic using the htb.init script?

Thanks
Hi,

I have a setup with 2 ISPs and 2 LANs, with a /29 subnet on each ISP and a /24 on the LANs. The gateway box is set up to equally load balance over the ISPs using an IP address from each. The other 4 IPs are added as virtual devices on the external interfaces.

The problem arises when external A connects to ISP1_IP2_Port_25: it works fine the first time, but then if I try from A to connect to ISP2_IP6_Port_25 the routing is all wrong and it doesn't connect.

Anyone got any suggestions on how to deal with this issue? I've been tearing my hair out.

Regards,
Daniel.