Actually I gave up. I tried and tried and tried so many times, upgrading software, falling back to an old version, but it didn't work, that's it.
I can't get tc to work together with iptables and iproute2: when I mark a packet with iptables, tc doesn't recognize it, so it falls into the default leaf of tc's tree.

What I would like is to mark packets depending on their IP (the one that makes a connection into the Linux (gateway) box) and port.

I'll transcribe my script because I really don't know what to do.

P.S. So, what I'd like to do is simple, I guess: everything that comes from eth1 and goes to eth1 (LAN users to Linux box services) must be shaped by IP address + port (dport, I guess; INPUT/OUTPUT chain?), and everything that comes from eth1 and goes to eth0 (Internet access; I guess PREROUTING/POSTROUTING/FORWARD chain) must be shaped by port + IP address.

I have this situation on the Linux server:

eth0: (out to Internet)
eth1: (LAN)

Configuration: eth0 (network 200.123.166.72, broadcast 200.123.166.79; IP range 200.123.166.73-77)
eth0 ip: 200.123.166.73
eth0 gw: 200.123.166.78
eth0 netmask: 255.255.255.248
eth0 dns1: 200.123.166.73
eth0 dns2: 200.123.166.74

Configuration: eth1 (network 172.16.0.0, broadcast 172.16.0.255; IP range 172.16.0.1-254)
eth1 ip: 172.16.0.1
eth1 gw: (none)
eth1 netmask: 255.255.0.0
eth1 dns1: 200.123.166.73
eth1 dns2: 200.123.166.74

LINUX BOX SERVING THESE SERVICES: HTTP (port 80), SMTP (port 25), POP3 (port 110), SSH (port 22), FTP (ports 20-21), SMB FS (ports 136-139), IRC (port 6667)

CONFIGURATION OF TC:

tc=/sbin/tc
iptables=/sbin/iptables

echo "Building tc Classes"
IFACE="eth0 eth1"

for i in $IFACE;do
$tc qdisc add dev $i root handle 1: htb default 10

$tc class add dev $i parent 1: classid 1:1 htb rate 2048mbit

$tc class add dev $i parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:20 htb rate 10kbit ceil 256kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:30 htb rate 10kbit ceil 512kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:40 htb rate 10kbit ceil 1024bit quantum 1514
$tc class add dev $i parent 1:1 classid 1:50 htb rate 10kbit ceil 2048bit quantum 1514

$tc class add dev $i parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit quantum 1514 # USED FOR HTTP/IRC
$tc class add dev $i parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit quantum 1514 # USED FOR EMAIL (SMTP/POP3)

$tc qdisc add dev $i parent 1:10 handle 10: sfq perturb 10
$tc qdisc add dev $i parent 1:20 handle 20: sfq perturb 10
$tc qdisc add dev $i parent 1:30 handle 30: sfq perturb 10
$tc qdisc add dev $i parent 1:40 handle 40: sfq perturb 10
$tc qdisc add dev $i parent 1:50 handle 50: sfq perturb 10

$tc qdisc add dev $i parent 1:60 handle 60: sfq perturb 10
$tc qdisc add dev $i parent 1:70 handle 70: sfq perturb 10

$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 10 fw flowid 1:10
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 20 fw flowid 1:20
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 30 fw flowid 1:30
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 40 fw flowid 1:40
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 50 fw flowid 1:50
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70

PORTS="80 6667 20 21"
#ANY IP MUST BE SHAPED BY THESE PORTS TO THE 1:60 LEAF
for i in $PORTS;do
$iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
done

SOOOOOOOOOOOOOOOOOO, WHAT AM I DOING WRONG? BECAUSE ALL TRAFFIC COMING OR GOING JUST FALLS INTO 1:10 (DEFAULT LEAF).

This is an extract from the script, so it shows you the LOCAL PROCESS of information, not PREROUTING.

PLEASE HELPPPPPPPPP ME, I DON'T KNOW WHAT TO DO AND MY SYSTEM IS GOING DOWN FASTER.

MY CONFIGURATION IS:
ip utility, iproute2-ss050330
tc utility, iproute2-ss050330
iptables v1.3.3
kernel: 2.6.13
patch applied for kernel and iproute and iptables (esfq + wrr)

heeeeeeeeeeeeeeeelp

Thank you so much,
Guillermo from Argentina
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Saturday 01 October 2005 16:05, Guillermo Javier Nardoni wrote:
> SOOOOOOOOOOOOOOOOOO, WHAT AM I DOING WRONG? BECAUSE ALL TRAFFIC COMING OR
> GOING JUST FALLS INTO 1:10 (DEFAULT LEAF).

Check with iptables -L -v -n -t mangle to see if the counters are incrementing like they should be.

Also, classes and marks are in hex. So try "--set-mark 0x60" to force the number to be interpreted as a hex number.

And using iptables + tc works. I have used it in a few hundred scripts. Check out www.docum.org for working examples.

Stef
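The counter check Stef suggests, as an added example that is not part of the thread: it parses the output of iptables -t mangle -L -v -n -x (the -x gives exact counters instead of K/M suffixes) and reports, per chain, how many packets a given MARK rule matched. The listing embedded below is constructed to look like iptables 1.3.x output and is not real data; the iptables listing prints the mark in hex (60 shows as 0x3c), so the function converts the decimal mark from the command line before comparing.

```shell
#!/bin/sh
# Added example, not from the thread: parse "iptables -t mangle -L -v -n -x"
# and report which chains actually hit a given MARK rule. The listing below
# is constructed to look like iptables 1.3.x output; it is not real data.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 9102 packets, 4410213 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3115 packets, 1202801 bytes)
 pkts bytes target     prot opt in     out     source               destination
  417 31288 MARK       tcp  --  eth1   *       172.16.0.0/16        0.0.0.0/0            tcp dpt:80 MARK set 0x3c

Chain FORWARD (policy ACCEPT 5987 packets, 3208110 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3001 packets, 2100441 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      eth1    0.0.0.0/0            172.16.0.0/16        tcp dpt:80 MARK set 0x3c

Chain POSTROUTING (policy ACCEPT 8988 packets, 5310920 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# mark_hits MARK LISTING: one "CHAIN pkts" line per rule that sets MARK.
# MARK is given in decimal, as on the iptables command line; the listing
# shows it in hex (60 -> 0x3c), so convert before comparing.
mark_hits() {
    hexmark=$(printf '0x%x' "$1")
    printf '%s\n' "$2" | awk -v m="$hexmark" '
        /^Chain / { chain = $2; next }
        $3 == "MARK" && $(NF-1) == "set" && $NF == m { print chain, $1 }'
}

# egress_hits MARK LISTING: packets marked in the chains an egress qdisc can
# see (OUTPUT, FORWARD, POSTROUTING). INPUT hits are listed by mark_hits but
# never reach tc: those packets are delivered to a local socket, not queued
# out of an interface.
egress_hits() {
    mark_hits "$1" "$2" | awk '
        $1 == "OUTPUT" || $1 == "FORWARD" || $1 == "POSTROUTING" { n += $2 }
        END { print n + 0 }'
}
```

Run it against a live box with something like `egress_hits 60 "$(iptables -t mangle -L -v -n -x)"`. If mark_hits shows a growing count in INPUT while egress_hits stays at 0, the MARK rules are firing, but on a hook the fw filter on the outgoing interface never sees.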
Guillermo Javier Nardoni wrote:
> Actually I gave up. I tried and tried and tried so many times, upgrading software, falling back to an old version,
> but it didn't work, that's it.
> I can't get tc to work together with iptables and iproute2:
> when I mark a packet with iptables, tc doesn't recognize it, so it falls into the default leaf of tc's tree.

Try what Stef says - but even if mark doesn't work for you there are always other ways - iptables CLASSIFY, or use tc filters to classify.

> What I would like is to mark packets depending on their IP (the one that makes a connection into the Linux (gateway) box) and port.
>
> I'll transcribe my script because I really don't know what to do.
>
> P.S. So, what I'd like to do is simple, I guess: everything that comes from eth1 and goes to eth1 (LAN users to Linux box services) must be shaped by IP address + port (dport, I guess; INPUT/OUTPUT chain?),
> and everything that comes from eth1 and goes to eth0 (Internet access; I guess PREROUTING/POSTROUTING/FORWARD chain) must be shaped by port + IP address.

Remember you can only shape outbound traffic on eth0/1; if you want to shape inbound then you need to use policers/dummy/imq (though you can shape inbound on eth0 that is for the LAN by shaping on eth1).

> I have this situation on the Linux server:
>
> eth0: (out to Internet)
> eth1: (LAN)
>
> Configuration: eth0 (network 200.123.166.72, broadcast 200.123.166.79; IP range 200.123.166.73-77)
> eth0 ip: 200.123.166.73
> eth0 gw: 200.123.166.78
> eth0 netmask: 255.255.255.248
> eth0 dns1: 200.123.166.73
> eth0 dns2: 200.123.166.74
>
> Configuration: eth1 (network 172.16.0.0, broadcast 172.16.0.255; IP range 172.16.0.1-254)
> eth1 ip: 172.16.0.1
> eth1 gw: (none)
> eth1 netmask: 255.255.0.0
> eth1 dns1: 200.123.166.73
> eth1 dns2: 200.123.166.74

I assume your routing is all OK and just tc is not working.

> LINUX BOX SERVING THESE SERVICES: HTTP (port 80), SMTP (port 25), POP3 (port 110), SSH (port 22), FTP (ports 20-21), SMB FS (ports 136-139), IRC (port 6667)
>
> CONFIGURATION OF TC:
>
> tc=/sbin/tc
> iptables=/sbin/iptables
>
> echo "Building tc Classes"
> IFACE="eth0 eth1"
>
> for i in $IFACE;do
> $tc qdisc add dev $i root handle 1: htb default 10
>
> $tc class add dev $i parent 1: classid 1:1 htb rate 2048mbit

Should be kbit and may still be too high for your inet link.

> $tc class add dev $i parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:20 htb rate 10kbit ceil 256kbit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:30 htb rate 10kbit ceil 512kbit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:40 htb rate 10kbit ceil 1024bit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:50 htb rate 10kbit ceil 2048bit quantum 1514

Missing ks on last two ceils.

> $tc class add dev $i parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit quantum 1514 # USED FOR HTTP/IRC
> $tc class add dev $i parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit quantum 1514 # USED FOR EMAIL (SMTP/POP3)
>
> $tc qdisc add dev $i parent 1:10 handle 10: sfq perturb 10
> $tc qdisc add dev $i parent 1:20 handle 20: sfq perturb 10
> $tc qdisc add dev $i parent 1:30 handle 30: sfq perturb 10
> $tc qdisc add dev $i parent 1:40 handle 40: sfq perturb 10
> $tc qdisc add dev $i parent 1:50 handle 50: sfq perturb 10
>
> $tc qdisc add dev $i parent 1:60 handle 60: sfq perturb 10
> $tc qdisc add dev $i parent 1:70 handle 70: sfq perturb 10
>
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 10 fw flowid 1:10
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 20 fw flowid 1:20
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 30 fw flowid 1:30
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 40 fw flowid 1:40
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 50 fw flowid 1:50
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70

Won't make any difference here, but 1 is the top prio for filters.

> PORTS="80 6667 20 21"
> #ANY IP MUST BE SHAPED BY THESE PORTS TO THE 1:60 LEAF
> for i in $PORTS;do
> $iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
> $iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60

Marking in INPUT will have no effect for tc - I don't know what you are trying to do here.

Andy.
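A rewrite of the poster's script along the lines of Andy's reply, as an added example that is neither the script from the thread nor a LARTC document. It keeps the poster's class ids and mark numbers (1:60 / mark 60 for HTTP, IRC and FTP control, 1:70 / mark 70 for SMTP and POP3), but sets the marks only in mangle POSTROUTING, which every packet leaving eth0 or eth1 passes through, whether forwarded from the LAN or generated by the box's own services. The link rates LAN_RATE and WAN_RATE are placeholders (an assumption; the thread does not give the uplink speed), and the DRY_RUN switch, run wrapper and function names are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script or a LARTC document. tc shapes a
# packet as it LEAVES an interface, so a mark set in INPUT is never consulted;
# marks are set here in mangle POSTROUTING, which sees forwarded and locally
# generated packets alike and runs before SNAT, so the LAN source address is
# still visible on the way out of eth0. Rates are placeholders (assumption).
TC=/sbin/tc
IPT=/sbin/iptables
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=172.16.0.0/16
LAN_RATE=100mbit          # placeholder: LAN link speed
WAN_RATE=2048kbit         # placeholder: real Internet uplink speed (kbit, not mbit)
WEB_PORTS="80 6667 20 21" # -> class 1:60, mark 60 (active-mode FTP data only)
MAIL_PORTS="25 110"       # -> class 1:70, mark 70

# run: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build_tree DEV RATE: HTB root, default leaf 1:10, service leaves 1:60 and
# 1:70, an sfq under each leaf, and an fw filter mapping mark N to class 1:N.
build_tree() {
    dev=$1; rate=$2
    run $TC qdisc del dev "$dev" root 2>/dev/null || true
    run $TC qdisc add dev "$dev" root handle 1: htb default 10
    run $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$rate"
    run $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit
    run $TC class add dev "$dev" parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit
    run $TC class add dev "$dev" parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit
    for c in 10 60 70; do
        run $TC qdisc add dev "$dev" parent 1:$c handle $c: sfq perturb 10
    done
    # Mark and handle are both written in decimal; iptables lists mark 60 as
    # 0x3c, which is the same value. Use one base everywhere to avoid confusion.
    for c in 60 70; do
        run $TC filter add dev "$dev" parent 1:0 protocol ip prio 1 handle $c fw flowid 1:$c
    done
}

# mark_ports "PORTS" MARK: mark on the egress side of each direction.
#  - LAN -> Internet requests leave eth0: the service port is the dport.
#  - Replies to the LAN (from this box's services or from the Internet)
#    leave eth1: the service port is the SPORT of the reply.
mark_ports() {
    ports=$1; mark=$2
    for p in $ports; do
        for proto in tcp udp; do
            run $IPT -t mangle -A POSTROUTING -o $WAN_IF -s $LAN_NET -p $proto --dport $p -j MARK --set-mark $mark
            run $IPT -t mangle -A POSTROUTING -o $LAN_IF -d $LAN_NET -p $proto --sport $p -j MARK --set-mark $mark
        done
    done
}

build_shaping() {
    build_tree $LAN_IF $LAN_RATE
    build_tree $WAN_IF $WAN_RATE
    run $IPT -t mangle -F POSTROUTING
    mark_ports "$WEB_PORTS" 60
    mark_ports "$MAIL_PORTS" 70
}

# "sh shape.sh show" prints the commands; "sh shape.sh apply" runs them (as root).
case "${1:-}" in
    show)  DRY_RUN=1; build_shaping ;;
    apply) build_shaping ;;
esac
```

Review the output of `sh shape.sh show` before applying; every iptables line should name -o eth0 or -o eth1 and none should touch INPUT. Passive-mode FTP data connections use negotiated ports and are not caught by the port list, the same limitation the original script had.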