From: Alexander Samad <alex@samad.com.au>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] NAT+mangle+tc
Date: Mon, 11 Oct 2004 21:04:17 +0000
Message-ID: <20041011210417.GA522@samad.com.au>
In-Reply-To: <a763a15b0410110429231ff35@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3253 bytes --]

Hi

What you can do is mark the packets in netfilter (iptables) and then use
the marks to assign the packets to classes.

You can do something like:

iptables -t mangle -A PREROUTING -s AddrIWantToShape -j MARK --set-mark 0x02
iptables -t mangle -A PREROUTING -s AddrIWantToShape2 -j MARK --set-mark 0x03

iptables -t nat -A POSTROUTING -s AddrIWantToShape -o InternetInt -j MASQUERADE
iptables -t nat -A POSTROUTING -s AddrIWantToShape2 -o InternetInt -j MASQUERADE


tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 2 fw flowid 1:30
tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 3 fw flowid 1:40

Something like that

Alex

On Mon, Oct 11, 2004 at 07:45:02PM +0300, emo terziev wrote:
> Hi, Jason
>    I know the LARTC HOWTO. My download shapers work fine, but
> I don't know whether I can limit upload when I have NAT, because the source IP
> address is changed
> and I cannot make a u32 src filter.
> 
> On the other hand, package marking isn't usable in my case because I want
>   user A to have, for example, 128K to group A networks and 64K to group B
>   user B to have 256k to group A and 1Mbit to group B
> 
> Download is easy, but for upload I unfortunately don't know how it should be done :(
> This is beyond my knowledge, I think.
> 
> Please, could anyone with more experience just give me an idea of how it can be done?
> 
> 
>     +--------+   | S |
>     | User A |---+ W |                        +NAT
>     +--------+   | I |  eth1          eth0                          group A
>     +--------+   | T |    +--------+        +--- 180 different networks ---+
>     | User B |---+ C +----| Router |--------|                              | Internet
>     +--------+   | H |    +--------+        +--- all rest internet --------+
>        ....  ... / ...                                                group B
>     +--------+   | H |
>     | User N |---+ U |
>     +--------+   | B |      ---------------->
>                  +---+
> 
> 
> 
> Best Regards
> emo terziev
> 
> On Mon, 11 Oct 2004 12:09:24 -0400, Jason Boxman <jasonb@edseek.com> wrote:
> > On Monday 11 October 2004 07:29, emo terziev wrote:
> > > Hi All,
> > >   I wonder, can I do NAT+mangle+tc on the same machine? I want to shape
> > > outgoing traffic per IP on my gateway computer.
> > 
> > Sure, you can do that on the same machine.
> > 
> > You can do NAT with a variety of scripts or just hand written iptables rules.
> > Personally, I use the gShield iptables firewall.  As for `tc`, you might look
> > into the LARTC HOWTO.
> > 
> > http://lartc.org/
> > 
> > --
> > 
> > Jason Boxman
> > Perl Programmer / *NIX Systems Administrator
> > Shimberg Center for Affordable Housing | University of Florida
> > http://edseek.com/ - Linux and FOSS stuff
> > 
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
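
Added example, not part of Alexander's message or anyone's post in the thread: a dry-run generator that prints the mark, class and filter commands for the per-user, per-destination upload limits asked about above. The interface roles (eth1 LAN, eth0 Internet) follow the diagram; the addresses, the mark numbering from 0x10 and the `gen_rules` helper are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) mark + tc commands for per-user,
# per-destination upload limits behind NAT. All addresses are constructed.

# Constructed policy table: source-IP  destination-net  rate
# MARK does not stop rule traversal, so the last matching rule wins:
# list the catch-all destination first and specific networks after it.
POLICY='192.168.1.10 0.0.0.0/0 64kbit
192.168.1.10 203.0.113.0/24 128kbit
192.168.1.11 0.0.0.0/0 1mbit
192.168.1.11 203.0.113.0/24 256kbit'

# gen_rules LAN_IF WAN_IF  (policy table on stdin; hypothetical helper)
gen_rules() {
    lan=$1
    wan=$2
    n=16                        # marks/classes start at 0x10 (assumption)
    echo "tc qdisc add dev $wan root handle 1: htb"
    while read -r src dst rate; do
        [ -n "$src" ] || continue
        id=$(printf '%x' "$n")  # tc class minors are hex; reuse as the mark
        # Mark in mangle PREROUTING, while the private source is still visible.
        echo "iptables -t mangle -A PREROUTING -i $lan -s $src -d $dst -j MARK --set-mark 0x$id"
        echo "tc class add dev $wan parent 1: classid 1:$id htb rate $rate"
        # The fw classifier matches the mark, which is kept across MASQUERADE.
        echo "tc filter add dev $wan parent 1: protocol ip pref 5 handle 0x$id fw flowid 1:$id"
        n=$((n + 1))
    done
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

printf '%s\n' "$POLICY" | gen_rules eth1 eth0
```

Review the printed commands before running them as root; traffic that matches no mark falls outside every class and is not shaped.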
