On a router, there is no need for an IMQ because there is always an egress path. For example:

Internet -> eth1 -> iptables -> routing -> ... -> egress qdisc -> eth0 -> LAN
LAN -> eth0 -> iptables -> routing -> .... -> egress qdisc -> eth1 -> Internet
Local Process / Proxy -> routing -> iptables -> egress qdisc -> eth1/eth0 -> LAN/Internet

So, all 'Incoming' shaping would be done at eth0, and all 'Outgoing' shaping would be done at eth1.

The easiest solution, to prevent changing any of your local LAN related Traffic Shaping Rules, would be to use an iptables mark (-j MARK --set-mark) at PREROUTING, OUTPUT, or POSTROUTING to classify, by port, routed traffic from the Internet to the LAN, the LAN to the Internet, or the proxy to the Internet/LAN. Then, add to your qdisc a class with a filter based on the firewall mark. Very easy!

An example 'Outgoing' (LAN/Proxy to Internet):

tc qdisc add dev eth1 root handle 1: htb default 2
tc class add dev eth1 parent 1: classid 1:1 htb rate XXX ceil XXX
tc class add dev eth1 parent 1:1 classid 1:2 htb rate XXX ceil XXX
tc qdisc add dev eth1 parent 1:2 handle 2: sfq perturb 10
tc class add dev eth1 parent 1:1 classid 1:3 htb rate XXX ceil XXX
tc qdisc add dev eth1 parent 1:3 handle 3: sfq perturb 10
tc class add dev eth1 parent 1:1 classid 1:4 htb rate XXX ceil XXX
tc qdisc add dev eth1 parent 1:4 handle 4: sfq perturb 10
tc class add dev eth1 parent 1:1 classid 1:5 htb rate XXX ceil XXX
tc qdisc add dev eth1 parent 1:5 handle 5: sfq perturb 10
tc filter add dev eth1 protocol ip parent 1: prio 1 handle 1 fw flowid 1:3
tc filter add dev eth1 protocol ip parent 1: prio 1 handle 2 fw flowid 1:4
tc filter add dev eth1 protocol ip parent 1: prio 1 handle 3 fw flowid 1:5

iptables -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 1
iptables -A FORWARD -o eth1 -p tcp --dport 25 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -A FORWARD -o eth1 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 110 -j MARK --set-mark 3
iptables -A FORWARD -o eth1 -p tcp --dport 110 -j DROP

So what happens? You have 4 classes, each with their own bandwidth rates and ceilings, sharing when they can. 3 of the 4 classes receive their flows based on destination port. The fourth is the default for all other traffic. iptables marks traffic coming from the Proxy destined for the Internet with a 1, 2, or 3 depending on port. iptables drops all related traffic on the FORWARD chain to prevent UNproxied traffic from getting to the internet.

The 'Incoming' rules shouldn't change much from the outgoing; there should just be another layer of classes to allow for normal, local ethernet traffic to and from the Local Processes on the Server/Router, i.e. DHCP, FTP, etc... Local Traffic should receive what's left over when you subtract your internet bandwidth from your interface speed. Again, Firewall Marking will alleviate the problems associated with classifying local/internet traffic from tc.

Hope this helped a little!
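The three-port setup above, generalized to any list of ports and with a dry-run mode so the generated tc/iptables rules can be reviewed before they touch a live router. This is an added illustration, not code from Randy's post or from the LARTC list; it assumes eth1 faces the Internet and takes a constructed link rate in whole kbit (the rate split between classes is a placeholder policy, not one the thread prescribes).

```shell
#!/bin/sh
# Added example, not from the thread: generates Randy's HTB + fw-mark setup
# for any number of ports. Assumes eth1 faces the Internet and that the link
# rate is given as a whole number of kbit (a constructed placeholder value).
# DRY_RUN=1 prints the tc/iptables commands instead of executing them, so the
# rule set can be reviewed before it touches a live router.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_shaper DEV RATE_KBIT PORT...
# One HTB class plus an SFQ leaf per port, selected by fw mark 1..N, and a
# default class (1:2) for everything unmarked. The rate is shared evenly
# between the default class and the per-port classes; each may borrow up
# to the full link rate (ceil).
build_shaper() {
    dev=$1; rate=$2; shift 2
    per=$((rate / ($# + 1)))

    run tc qdisc add dev "$dev" root handle 1: htb default 2
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:2 htb rate "${per}kbit" ceil "${rate}kbit"
    run tc qdisc add dev "$dev" parent 1:2 handle 2: sfq perturb 10

    mark=1
    for port in "$@"; do
        cls=$((mark + 2))   # class 1:3 takes mark 1, 1:4 takes mark 2, ...
        run tc class add dev "$dev" parent 1:1 classid "1:$cls" htb rate "${per}kbit" ceil "${rate}kbit"
        run tc qdisc add dev "$dev" parent "1:$cls" handle "$cls:" sfq perturb 10
        run tc filter add dev "$dev" protocol ip parent 1: prio 1 handle "$mark" fw flowid "1:$cls"
        # Mark the router's own (proxy) connections in OUTPUT and drop the same
        # port in FORWARD so unproxied LAN traffic cannot reach the Internet.
        run iptables -A OUTPUT -o "$dev" -p tcp --dport "$port" -j MARK --set-mark "$mark"
        run iptables -A FORWARD -o "$dev" -p tcp --dport "$port" -j DROP
        mark=$((mark + 1))
    done
}

# Stand-alone use: review the rules generated for SMTP, HTTP and POP3.
if [ "${DRY_RUN:-0}" = 1 ]; then
    build_shaper eth1 1000 25 80 110
fi
```

Run it as `DRY_RUN=1 sh shaper.sh` to inspect the rules; without DRY_RUN the same commands are executed and need root.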
Hi,

I have the same question.

"Randy Wallace" <randywallacejr@gmail.com> writes:

> On a router, there is no need for an IMQ because there is always an
> egress path.
> For example:
> Internet -> eth1 -> iptables -> routing -> ... -> egress qdisc ->
> eth0 -> LAN
> LAN -> eth0 -> iptables -> routing -> .... -> egress qdisc -> eth1
> -> Internet
> Local Process / Proxy -> routing -> iptables -> egress qdisc ->

What about
Internet -> eth1 -> iptables -> Local Process ?

First I thought it should be easy to put a virtual interface in between:

Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified dummy) <-> local process or routing <-> eth0 <-> LAN

Then I could use egress shaping on eth1 and the virtual device (and have a setup as simple as a "plain router setup").

But I did not manage to do this yet. Anybody using a setup like this one? (Maybe bridging or iptables -j ROUTE might help? It seems impossible to force a packet to pass through netfilter for a second time.)

Greetings
Jens

PS: Randy: sorry for replying to the wrong address first
Jens Thiele wrote:

> Hi,
>
> I have the same question.
>
> What about
> Internet -> eth1 -> iptables -> Local Process ?
>
> First I thought it should be easy to put a virtual interface in between:
>
> Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified
> dummy) <-> local process or routing <-> eth0 <-> LAN
>
> Then I could use egress shaping on eth1 and the virtual device
> (and have a setup as simple as a "plain router setup")
>
> But I did not manage to do this yet. Anybody using a setup like this
> one? (maybe bridging or iptables -j ROUTE might help? it seems
> impossible to force a packet to pass through netfilter for a second time)
>
> Greetings
> Jens

You have to use IMQ for that. IMQ acts as a "dummy" device which hooks itself to iptables after NAT (or before, depending on config), so you can use egress shaping on it before the packet reaches a local process or forwarding. You can't use IFB in your case because the packet goes to IFB before NAT, and thus you don't know if it is designated for the router itself or a client behind NAT.

/ak
Hi Randy,

I think you didn't understand me. I have this situation:

Internet -- eth0 -- firewall/router/qos -- eth1 -- Lan

My Lan traffic is pretty cool, and it's shaped by the router inbound and outbound. Now all I want is to shape the same firewall/router/qos, shaping its ingress and egress traffic. Example: if I download anything from the server (within a ssh session) it won't affect my Lan, or I am using Squid proxy, or a Mail Server, or a http server.

Thanks in advance...

--
Ing. Ying Xie
Syscount Providers
CEO / President
USA: +1.419.301.6329
Panama: 202-9950/51

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Ales Klok <orrie@seznam.cz> writes:

> Jens Thiele wrote:
>> Hi,
>>
>> I have the same question.
>>
>> What about
>> Internet -> eth1 -> iptables -> Local Process ?
>>
>> First I thought it should be easy to put a virtual interface in between:
>>
>> Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified
>> dummy) <-> local process or routing <-> eth0 <-> LAN
>>
>> Then I could use egress shaping on eth1 and the virtual device
>> (and have a setup as simple as a "plain router setup")
>>
>> But I did not manage to do this yet. Anybody using a setup like this
>> one? (maybe bridging or iptables -j ROUTE might help? it seems
>> impossible to force a packet to pass through netfilter for a second time)
>>
>> Greetings
>> Jens
>>
> You have to use IMQ for that. IMQ acts as a "dummy" device which hooks
> itself to iptables after NAT (or before, depending on config) so you can
> use egress shaping on it before the packet reaches a local process or
> forwarding. You can't use IFB in your case because the packet goes to IFB
> before NAT and thus you don't know if it is designated for the router
> itself or a client behind NAT.

So, if I understand it right, in a setup without NAT it would look like:

Internet<->eth1<->IFB<->local process or routing<->eth0<->LAN

and there would be no problem. I could do egress shaping on eth1 (for "upstream") and egress shaping on IFB (for "downstream").

In a setup with NAT (and maybe IPSEC) the problem is that if I want to do the egress shaping at the IFB interface ("downstream"), I therefore want the NAT (and maybe IPSEC) to happen before the packets cross the IFB interface. A picture again:

Internet<->eth1<->NAT<->IFB<->local process or routing<->eth0<->LAN

Is this correct? Is there a solution to reach that goal (other than IMQ)? Or do I have to use 2 machines if I don't want to use IMQ?

|            Machine 1             |                  Machine 2                  |
Internet<->eth1<->NAT (maybe IPSEC)<->eth0<->eth1<->local process or routing<->eth0<->LAN

A last, more general question: Is ingress shaping considered useless, or why does it seem that difficult to get it to work?

Greetings
Jens