Hi!

Rio Martin. wrote:
> Folks,
> I am a little bit confused about how to put these packets into the correct mangle
> table for traffic shaping.
>
> This is what I've planned to do:
>
> - - - - :eth0 [ LINUX-BOX ] eth1: - - - -
>
> Let's say:
> eth0: 220.100.1.1
> eth1: 192.168.1.1
> eth1:1 192.168.1.2
>
> 192.168.1.0/24 gets NATed into 220.100.1.1 before reaching the internet.
> I put every packet coming from the internet (eth0) this way:
> # iptables -t mangle -I PREROUTING -i eth0 .. * * * *
>
> But what if I would like to do the same with IP 192.168.1.1 and
> 192.168.1.2? How do I put the packets in the correct mangle table?

You can only shape traffic leaving your interface. You have to shape the
incoming traffic at interface eth1, the outgoing traffic at interface eth0.

This site is great for learning:
http://www.knowplace.org/shaper/qdisc.html#egress

I found using the iptables+CLASSIFY method the easiest way to classify packets.

Your question is a little dizzy...

--
Udv,
Nandor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Folks,
I am a little bit confused about how to put these packets into the correct mangle
table for traffic shaping.

This is what I've planned to do:

- - - - :eth0 [ LINUX-BOX ] eth1: - - - -

Let's say:
eth0: 220.100.1.1
eth1: 192.168.1.1
eth1:1 192.168.1.2

192.168.1.0/24 gets NATed into 220.100.1.1 before reaching the internet.
I put every packet coming from the internet (eth0) this way:
# iptables -t mangle -I PREROUTING -i eth0 .. * * * *

But what if I would like to do the same with IP 192.168.1.1 and
192.168.1.2? How do I put the packets in the correct mangle table?

Thanks before ..

Regards,
Rio Martin.
On Wed, 19 Jan 2005 09:19:58 +0100 Tóth Nándor <nug@sch.bme.hu> wrote:
> Rio Martin. wrote:
>> Folks,
>> I am a little bit confused about how to put these packets into the correct mangle
>> table for traffic shaping.
>> This is what I've planned to do:
>>
>> - - - - :eth0 [ LINUX-BOX ] eth1: - - - -
>>
>> Let's say:
>> eth0: 220.100.1.1
>> eth1: 192.168.1.1
>> eth1:1 192.168.1.2
>>
>> 192.168.1.0/24 gets NATed into 220.100.1.1 before reaching the internet.
>> I put every packet coming from the internet (eth0) this way:
>> # iptables -t mangle -I PREROUTING -i eth0 .. * * * *
>>
>> But what if I would like to do the same with IP 192.168.1.1 and
>> 192.168.1.2? How do I put the packets in the correct mangle table?
>
> You can only shape traffic leaving your interface. You have to shape the
> incoming traffic at interface eth1, the outgoing traffic at interface eth0.
> This site is great for learning:
> http://www.knowplace.org/shaper/qdisc.html#egress
> I found using the iptables+CLASSIFY method the easiest way to classify packets.
>
> Your question is a little dizzy...

Oops, sorry then :))

Actually, there is a squid proxy running in my box, with those two private IPs
(192.168.1.1 & 192.168.1.2).
Both get NATed to 220.100.1.1.

I need to shape incoming traffic to both of these IPs, but I am afraid I have
to face that I am not able to shape traffic which is generated from this box
unless those two IPs were outside the box.

If I had one more public IP then I should not worry so much, because I can
shape it using IMQ.

So any other ideas maybe? I'm thinking just in case IMQ would help ..

Thanks for the info u gave anyway..

- Rio.Martin -
Andy Furniss
2005-Jan-25 12:41 UTC
Re: Re: Confuse, putting packets in wrong mangle table.
Rio Martin. wrote:
> On Wed, 19 Jan 2005 09:19:58 +0100 Tóth Nándor <nug@sch.bme.hu> wrote:
> Rio Martin. wrote:
>
>>> Folks,
>>> I am a little bit confused about how to put these packets into the correct mangle
>>> table for traffic shaping.
>>> This is what I've planned to do:
>>>
>>> - - - - :eth0 [ LINUX-BOX ] eth1: - - - -
>>>
>>> Let's say:
>>> eth0: 220.100.1.1
>>> eth1: 192.168.1.1
>>> eth1:1 192.168.1.2
>>>
>>> 192.168.1.0/24 gets NATed into 220.100.1.1 before reaching the internet.
>>> I put every packet coming from the internet (eth0) this way:
>>> # iptables -t mangle -I PREROUTING -i eth0 .. * * * *
>>>
>>> But what if I would like to do the same with IP 192.168.1.1 and
>>> 192.168.1.2? How do I put the packets in the correct mangle table?
>>
>> You can only shape traffic leaving your interface. You have to shape the
>> incoming traffic at interface eth1, the outgoing traffic at interface eth0.
>> This site is great for learning:
>> http://www.knowplace.org/shaper/qdisc.html#egress
>> I found using the iptables+CLASSIFY method the easiest way to classify packets.
>>
>> Your question is a little dizzy...
>
>
> Oops, sorry then :))
>
> Actually, there is a squid proxy running in my box, with those two private IPs
> (192.168.1.1 & 192.168.1.2).
> Both get NATed to 220.100.1.1.

Is there only one proxy running?

> I need to shape incoming traffic to both of these IPs, but I am afraid I have
> to face that I am not able to shape traffic which is generated from this box
> unless those two IPs were outside the box.

Maybe true - maybe not, you would need to test with imq.

There is also a kernel option to do with nat of local connections.

> If I had one more public IP then I should not worry so much, because I can
> shape it using IMQ.
>
> So any other ideas maybe? I'm thinking just in case IMQ would help ..

Possibly - but I don't understand your setup or what you want to shape :-)

> Thanks for the info u gave anyway..
>
> - Rio.Martin -
On Tuesday 25 January 2005 12:41, Andy Furniss wrote:
> Is there only one proxy running?
>
> > I need to shape incoming traffic to both of these IPs, but I am afraid I
> > have to face that I am not able to shape traffic which is generated from
> > this box unless those two IPs were outside the box.
>
> Maybe true - maybe not, you would need to test with imq.
> There is also a kernel option to do with nat of local connections.
>
> > If I had one more public IP then I should not worry so much, because
> > I can shape it using IMQ.

I'll make it as simple for you as possible.

I have a linux box which has eth0 220.1.1.1 as primary IP and aliases: eth0:1
192.168.1.1 , eth0:1 192.168.1.2

Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
Okay, now my question is:

How do I manage and limit traffic generated from those IPs (192.168.1.1 &
192.168.1.2)? Not just traffic going outside, but traffic coming to those IPs from
the Internet.
I found it so difficult because traffic coming from the internet to eth0 will be
using 220.1.1.1 not 192.168.x.x

Thanks ..

- Rio.Martin -
Andy Furniss
2005-Jan-27 12:37 UTC
Re: Re: Confuse, putting packets in wrong mangle table.
Rio Martin. wrote:
> On Tuesday 25 January 2005 12:41, Andy Furniss wrote:
>
>> Is there only one proxy running?
>>
>>> I need to shape incoming traffic to both of these IPs, but I am afraid I
>>> have to face that I am not able to shape traffic which is generated from
>>> this box unless those two IPs were outside the box.
>>
>> Maybe true - maybe not, you would need to test with imq.
>> There is also a kernel option to do with nat of local connections.
>>
>>> If I had one more public IP then I should not worry so much, because
>>> I can shape it using IMQ.
>
>
> I'll make it as simple for you as possible.
>
> I have a linux box which has eth0 220.1.1.1 as primary IP and aliases: eth0:1
> 192.168.1.1 , eth0:1 192.168.1.2
>
> Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
> Okay, now my question is:
>
> How do I manage and limit traffic generated from those IPs (192.168.1.1 &
> 192.168.1.2)? Not just traffic going outside, but traffic coming to those IPs from
> the Internet.
> I found it so difficult because traffic coming from the internet to eth0 will be
> using 220.1.1.1 not 192.168.x.x

If you use IMQ and get it to hook after NAT in PREROUTING then forwarded
traffic should have been denatted and have local addresses. You can use
TC filters to classify for htb etc.

Traffic from internet to squid will probably have 220. IP address.

If you want to try a way without IMQ then AIUI you can patch squid so
you can classify hit/miss traffic and then you could shape traffic as
egress on eth0. I don't use squid - but I assume here it limits the rate
it pulls miss pages to the rate that client requests.

http://www.docum.org/docum.org/faq/cache/65.html

Andy.
On Thursday 27 January 2005 12:37, Andy Furniss wrote:
> > I'll make it as simple for you as possible.
> > I have a linux box which has eth0 220.1.1.1 as primary IP and aliases:
> > eth0:1 192.168.1.1 , eth0:1 192.168.1.2
> > Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
> > Okay, now my question is:
> > How do I manage and limit traffic generated from those IPs (192.168.1.1 &
> > 192.168.1.2)? Not just traffic going outside, but traffic coming to those IPs
> > from the Internet.
> > I found it so difficult because traffic coming from the internet to eth0 will
> > be using 220.1.1.1 not 192.168.x.x
>
> If you use IMQ and get it to hook after NAT in PREROUTING then forwarded
> traffic should have been denatted and have local addresses. You can use
> TC filters to classify for htb etc.
> Traffic from internet to squid will probably have 220. IP address.

That's what I'm worrying about: the IP address from the internet would be 220.1.1.1,
not 192.168.x.x
IMQ with iptables marking is unable to mark the packets to 192.168.x.x

> If you want to try a way without IMQ then AIUI you can patch squid so
> you can classify hit/miss traffic and then you could shape traffic as
> egress on eth0. I don't use squid - but I assume here it limits the rate
> it pulls miss pages to the rate that client requests.
> http://www.docum.org/docum.org/faq/cache/65.html

I've tried this before, but never succeeded. I didn't know where I should attach
the 10:100 class. The document just tells you to add this class in tc, without
giving any information about which interface I should attach this class to.

Regards,
Rio Martin.
Andy Furniss
2005-Jan-29 00:55 UTC
Re: Re: Confuse, putting packets in wrong mangle table.
Rio Martin. wrote:
> On Thursday 27 January 2005 12:37, Andy Furniss wrote:
>
>>> I'll make it as simple for you as possible.
>>> I have a linux box which has eth0 220.1.1.1 as primary IP and aliases:
>>> eth0:1 192.168.1.1 , eth0:1 192.168.1.2
>>> Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
>>> Okay, now my question is:
>>> How do I manage and limit traffic generated from those IPs (192.168.1.1 &
>>> 192.168.1.2)? Not just traffic going outside, but traffic coming to those IPs
>>> from the Internet.
>>> I found it so difficult because traffic coming from the internet to eth0 will
>>> be using 220.1.1.1 not 192.168.x.x
>>
>> If you use IMQ and get it to hook after NAT in PREROUTING then forwarded
>> traffic should have been denatted and have local addresses. You can use
>> TC filters to classify for htb etc.
>> Traffic from internet to squid will probably have 220. IP address.
>
>
> That's what I'm worrying about: the IP address from the internet would be 220.1.1.1,
> not 192.168.x.x
> IMQ with iptables marking is unable to mark the packets to 192.168.x.x

Iptables can't mark traffic from inet to lan, but imq hooked after nat in
prerouting will see local addresses for inet to lan traffic and 220.1.1.1
for traffic from inet to squid. You use tc filters and u32 to match them eg.

$TC filter add dev $DWIF protocol ip parent 1:2 prio 1 u32 \
  match ip dst 192.168.0.2 flowid 1:32

>> If you want to try a way without IMQ then AIUI you can patch squid so
>> you can classify hit/miss traffic and then you could shape traffic as
>> egress on eth0. I don't use squid - but I assume here it limits the rate
>> it pulls miss pages to the rate that client requests.
>> http://www.docum.org/docum.org/faq/cache/65.html
>
>
> I've tried this before, but never succeeded. I didn't know where I should attach
> the 10:100 class. The document just tells you to add this class in tc, without
> giving any information about which interface I should attach this class to.

I've not used squid, but think the idea is to shape on eth0 traffic from
inet to lan and miss traffic from squid to lan. The patch lets you
classify miss traffic from squid which you make an htb class for and you
can then involve it in sharing/prioritising etc with other inet to lan
traffic.

Andy.

> Regards,
> Rio Martin.
On Saturday 29 January 2005 00:55, Andy Furniss wrote:
> > I've tried this before, but never succeeded. I didn't know where I should
> > attach the 10:100 class. The document just tells you to add this class in
> > tc, without giving any information about which interface I should attach this
> > class to.
>
> I've not used squid, but think the idea is to shape on eth0 traffic from
> inet to lan and miss traffic from squid to lan. The patch lets you
> classify miss traffic from squid which you make an htb class for and you
> can then involve it in sharing/prioritising etc with other inet to lan
> traffic.
>
> Andy.

Thanks Andy for the info u gave,
But the patch is totally missed with Squid-2.5.STABLE7, so I have to do it
manually.

I tried to place this 10:100 class on eth0 (inet interface) and
successfully did some shaping on outgoing requests from squid to the origin server
that the client requested.
It won't shape the incoming traffic from the origin server to squid.
As u see, this is tcp_outgoing_priority, not tcp_incoming_priority.. :))

So I still have to figure out how to shape incoming packets to this squid
proxy.

- Rio.Martin -
Andy Furniss
2005-Jan-31 23:17 UTC
Re: Re: Confuse, putting packets in wrong mangle table.
Rio Martin. wrote:
> On Saturday 29 January 2005 00:55, Andy Furniss wrote:
>
>>> I've tried this before, but never succeeded. I didn't know where I should
>>> attach the 10:100 class. The document just tells you to add this class in
>>> tc, without giving any information about which interface I should attach this
>>> class to.
>>
>> I've not used squid, but think the idea is to shape on eth0 traffic from
>> inet to lan and miss traffic from squid to lan. The patch lets you
>> classify miss traffic from squid which you make an htb class for and you
>> can then involve it in sharing/prioritising etc with other inet to lan
>> traffic.
>> Andy.
>
>
> Thanks Andy for the info u gave,
> But the patch is totally missed with Squid-2.5.STABLE7, so I have to do it
> manually.
>
> I tried to place this 10:100 class on eth0 (inet interface) and
> successfully did some shaping on outgoing requests from squid to the origin server
> that the client requested.
> It won't shape the incoming traffic from the origin server to squid.
> As u see, this is tcp_outgoing_priority, not tcp_incoming_priority.. :))
>
> So I still have to figure out how to shape incoming packets to this squid
> proxy.

Ahh - I thought that squid could limit connections based on the rate the
client could sustain.

You can shape incoming to squid with imq if hooked after nat, because
its traffic will have real dst address - other will have been denatted.

If you want to further shape traffic to squid (eg by what local address
requested or connected to/was directed to) then I can't think of a way.

Andy.

> - Rio.Martin -
On Monday 31 January 2005 23:17, Andy Furniss wrote:
> Ahh - I thought that squid could limit connections based on the rate the
> client could sustain.
> You can shape incoming to squid with imq if hooked after nat, because
> its traffic will have real dst address - other will have been denatted.

Could you give me some example of how to do that?

Thanks ..

- Rio.Martin -
Andy Furniss
2005-Feb-05 12:30 UTC
Re: Re: Confuse, putting packets in wrong mangle table.
Rio Martin. wrote:
> On Monday 31 January 2005 23:17, Andy Furniss wrote:
>
>> Ahh - I thought that squid could limit connections based on the rate the
>> client could sustain.
>> You can shape incoming to squid with imq if hooked after nat, because
>> its traffic will have real dst address - other will have been denatted.
>
>
> Could you give me some example of how to do that?
> Thanks ..
>

There may be a way to do this with a dummy device soon, but for now you need
to patch the kernel with imq from http://www.linuximq.net

Choose to hook after nat (may be default - the first letter in imq kernel
config needs to be A).

Set up htb with your rules for sharing/prioritising interactive traffic
attached to imq0.

In prerouting mangle you can do some marking eg. small tcp/udp to get
priority. Then append a rule like this -

iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0

Somewhere in your htb setup make a class for your squid traffic and filter
traffic to it something like -

tc class add dev imq0 parent 1:2 classid 1:33 htb rate 220kbit ceil 480kbit quantum 1500 prio 1

tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \
  match ip dst 220.1.1.1 flowid 1:33

You also need to first modprobe imq if it's a module and bring it up with -

modprobe imq numdevs=1
ip link set imq0 up

Andy.
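The whole setup Andy outlines above, and the u32 matching from his earlier reply, put together as one script. This is an added example, not code from the thread or from linuximq.net; it assumes eth0 is the internet interface, 220.1.1.1 the public address that traffic to squid keeps, 192.168.1.1 and 192.168.1.2 the LAN addresses that forwarded traffic is denatted to, and a constructed 512kbit downstream rate. DRYRUN=1 (the default) only prints the commands, so it runs anywhere; unset it on an IMQ-patched kernel to apply them.

```shell
#!/bin/sh
# Added example (not from the thread or linuximq.net): inbound shaping on imq0
# hooked after NAT, following Andy's outline. Assumptions: eth0 is the internet
# interface, 220.1.1.1 is the public (NATed) address that traffic to squid keeps,
# 192.168.1.1 and 192.168.1.2 are the LAN addresses forwarded traffic is denatted
# to, and 512kbit is a constructed downstream link rate. DRYRUN=1 (the default)
# prints the commands instead of running them; unset it on an IMQ-patched kernel.
set -e

INET_IF=eth0
IMQ_DEV=imq0
PUBLIC_IP=220.1.1.1
LAN_IPS="192.168.1.1 192.168.1.2"
DOWN_RATE=512kbit
: "${DRYRUN:=1}"

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Load the IMQ module (kernel config letter "A" hooks it after NAT) and bring up imq0.
imq_up() {
    run modprobe imq numdevs=1
    run ip link set "$IMQ_DEV" up
}

# HTB tree on imq0: 1:1 is the link, 1:2 the parent for all inbound classes,
# 1:30 the default, 1:33 traffic to squid, 1:31 and 1:32 one per LAN host.
htb_setup() {
    run tc qdisc add dev "$IMQ_DEV" root handle 1: htb default 30
    run tc class add dev "$IMQ_DEV" parent 1: classid 1:1 htb rate "$DOWN_RATE"
    run tc class add dev "$IMQ_DEV" parent 1:1 classid 1:2 htb rate "$DOWN_RATE"
    run tc class add dev "$IMQ_DEV" parent 1:2 classid 1:30 htb rate 64kbit ceil "$DOWN_RATE" prio 2
    # Traffic to squid is local to the box, so it still carries the public address.
    run tc class add dev "$IMQ_DEV" parent 1:2 classid 1:33 htb rate 220kbit ceil 480kbit quantum 1500 prio 1
    run tc filter add dev "$IMQ_DEV" protocol ip parent 1:0 prio 1 u32 match ip dst "$PUBLIC_IP" flowid 1:33
    # Forwarded traffic has already been denatted at this hook, so the LAN dst matches.
    n=1
    for ip in $LAN_IPS; do
        run tc class add dev "$IMQ_DEV" parent 1:2 classid "1:3$n" htb rate 100kbit ceil "$DOWN_RATE" prio 1
        run tc filter add dev "$IMQ_DEV" protocol ip parent 1:0 prio 2 u32 match ip dst "$ip" flowid "1:3$n"
        n=$((n + 1))
    done
}

# Divert everything arriving on the internet interface through imq0 (after NAT).
imq_redirect() {
    run iptables -t mangle -A PREROUTING -i "$INET_IF" -j IMQ --todev 0
}

imq_up
htb_setup
imq_redirect
```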