similar to: iptables add - heavy on cpu time

Hi! I have some problems with htb performance. THE SETUP: I have a network with 3 ISP uplinks and 1 local network uplink. There are about 1700 clients. I was shaping their bandwidth with HTB using iptables mangling in a manner: tc class add dev $DEV parent 1:10 classid 1:${CLASS_ID} htb rate \ 16kbit ceil 512kbit burst 2kb prio 2 quantum 1500 tc qdisc add dev $DEV parent 1:${CLASS_ID}

Hi all iam using Iptables+TC+HTB on Redhat 9 working fine with the bandwidth control I am taging my eth1 with Vlan interface with Cisco Switch when even though i have mention ceil, its crossing more than Ceil, when they are effected Virus in their network or DoS attacks, its should be control the mentioned Ceil right, why this uploads are increaing.. when the uploads are increased all the

Hi All, I want to create chains to mark bag packets. my firewall has 3 network cards. eth0 - connected to internet. eth1 - connected to DMZ eth2 - connected to LAN eth0 only accepts SSH (tcp -port 22) and ICMP for pinging.. If it gets anything other than that, I want to create a new chain and log and DROP . what are the suitable rules for it? what about the below rule? iptables -A

Hi, my name is Calin and I''m new to linux, but I guess its the right place to ask this: what do I set on a linux RH9 box with 2.4.24 kernel to route a 10 machine private network (192.168.x.x) by 3 limited bandwidth, public IPs (193.231.x.x). The network uses a switch, the linux box has 1 ethernet card, the link is available trough a wireles ethernet bridge from my ISP. I begun to read

What is the cause for such a message while running kernel 2.6.1 on RH9 ? Neighbour table overflow. NET: 282 messages suppressed. Neighbour table overflow. Alex Iruc _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Does anybody know a good ip traffic monitoring software that has multiuser capability? I need some type of software with an interface on which users can login with their user/pass and see how much traffic (how many megabytes) they consumed over a certain period of time. Speed graphs are NOT a must, just something to show them hou much traffic they did. I''m currently using net-acct mysql

Hello! One simple question regaring htb2->htb3 way. I''m using 2.4.25 kernel with tc3 from Devik''s site, RH9. My data flow is about 100Mbit duplex and is subject to grow, so I''m creating root class with 200Mbit rate, with r2q=10, quantum = rate/r2q, and 1500 < quantum < 200000 (sch_htb.c) with such r2q my default shaping window will be from 120Kbit to 16Mbit,

Hi there, I''ve set up a gateway machine with rp-l2tpd (this one: http://sourceforge.net/projects/rp-l2tp/) For some reason my isp choose for l2tp. My gateway has two cards eth0 (local network 172.16.0.0) eth1 (local network between my gateway and cablemodem 10.0.0.0) ppp0 is set up over eth1 towards my isp eth0 ip is fixed ip eth1 ip is dhcp from my isp through the cable modem ppp0 is

Hello, Is it possible to mark packets from particular IP and if it downloads over 100Kbytes, then it enters in CBQ shaper 32kbit/s for example ? My kernel is 2.4.22. If someone experimented with connection bytes patch please answer me. Regards, Todor Neshev _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc

I have found this problem while trying to see the active rules on IPTABLES: [root@worf root]# iptables --list /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod

I''m being cast headlong into unfamiliar waters here, and being desperate for some air, thought I''d come here for some help. :) Anyway, my employer is going through some whiplash-inducing growth spurts, and as a result, the simple "Internet T-1 -> Linux Firewall/NAT -> LAN" setup just isn''t going to cut it anymore. First, we''re bringing in 2

I have a linux box with kernel 2.4.22 and iptables 1.2.9 First, i patch linux kernel with Norbet Buckmuller''s .diff #cd \usr\src\linux #patch -p1 < imq-combo-debian-2.4.22.diff All correct Second, i -try to- patch iptables (following www.linuximq.net/faq.html) #cd /usr/src/linux/net/ipv4/netfilter I edit IMQ.pom-ng.patch and replace $KERNEL_DIR with /usr/src/linux #patch

Greetings, I want to setup bandwidth restrictions for a few clients that use openvpn to connect to my server. I''m using iptables to mark the packets in the mangle table (PRE/POSTROUTING) on eth0 before they get sent via the tunnel. Will the mark survive even if the packets then get routed via an openvpn tunnel (tunX) out the box or does openvpn change it removing the mark ? damnit,

I have many iptables setmark commands, but as soon as there is one match, I would like to skip all the rest. How to do this. -------not-working-not-mark-zero-is-not-accepted--------- iptables -t mangle -A PREROUTING ..... -j MARK --set-mark ..... iptables -t mangle -A PREROUTING -m MARK ! --mark 0 -j ACCEPT iptables -t mangle -A PREROUTING ..... -j MARK --set-mark ..... iptables -t mangle -A

Hi all I''m sure you have heard this before but sorry.I wrote a script once and never looked at it again.An as my luck will have it I need it now and it is gone.I''m trying my best to rewrite it:-( My 1st question is: If my server is a gateway and I''m marking packets for iptables should I use OUTPUT,INPUT,PREROUTING,POSTROUTING or FORWARD rules in iptables And If I

Hi, I would like to know if there is any possibility to select from iptables the files with maximum size of 300 kbytes and send them to a proxy server. As I know until now you can only mark files with maximum size of 64 kbytes. thank you in advance, Codrin. _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc

is there a way to LOG & -j OTHER-TARGET packet with one rule, or i have to use two ? raptor _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi all. I remember someone in here was at least affiliated with the above mentioned ipp2p-project (an extension to iptables that allows to match peer-to-peer traffic). About two weeks ago I tried to contact the author of this extension via the address that is mentioned on the project website, since I wanted to send in a patch, but with no success. At least I didn''t receive a reply.

Using below configuration multiplied by 3000+ nodes to control bandwidth causes very high kernel cpu usage (99.5%) narrowed it down to the mangle table. Any ideas to do this more efficiently would be appreciated. The mangle table entry (indicated by ***) is sucking all the cpu. I am running RH7.3 kernel 2.4.18-3 and iptables 1.2.5 This setup has worked well for more than 1000 devices but as the

hi, anyone to know a tool that will display more friendly output ... probably a tree like structure (if no cross sections occur)... OR a top like output... thanx raptor _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/