* [LARTC] NAT+mangle+tc
@ 2004-10-11 11:29 emo terziev
2004-10-11 16:09 ` Jason Boxman
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: emo terziev @ 2004-10-11 11:29 UTC (permalink / raw)
To: lartc
Hi All,
I wonder, can I do NAT+mangle+tc on the same machine? I want to shape
outgoing traffic per IP on my gateway computer.
Regards
Emil Terziev
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] NAT+mangle+tc
2004-10-11 11:29 [LARTC] NAT+mangle+tc emo terziev
@ 2004-10-11 16:09 ` Jason Boxman
2004-10-11 16:45 ` emo terziev
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Jason Boxman @ 2004-10-11 16:09 UTC (permalink / raw)
To: lartc
On Monday 11 October 2004 07:29, emo terziev wrote:
> Hi All,
> I wonder, can I do NAT+mangle+tc on the same machine? I want to shape
> outgoing traffic per IP on my gateway computer.
Sure, you can do that on the same machine.
You can do NAT with a variety of scripts or just hand written iptables rules.
Personally, I use the gShield iptables firewall. As for `tc`, you might look
into the LARTC HOWTO.
http://lartc.org/
--
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff
* Re: [LARTC] NAT+mangle+tc
2004-10-11 11:29 [LARTC] NAT+mangle+tc emo terziev
2004-10-11 16:09 ` Jason Boxman
@ 2004-10-11 16:45 ` emo terziev
2004-10-11 21:04 ` Alexander Samad
2004-10-12 2:20 ` Ethy H. Brito
3 siblings, 0 replies; 5+ messages in thread
From: emo terziev @ 2004-10-11 16:45 UTC (permalink / raw)
To: lartc
Hi, Jason
I know the LARTC HOWTO. My download shapers work fine, but
I don't know whether I can limit upload when I have NAT, because the
source IP address is changed and I cannot make a u32 src filter.
On the other hand, packet marking isn't usable in my case because I want
user A to have, for example, 128K to group A networks and 64K to group B, and
user B to have 256k to group A and 1Mbit to group B.
Download is easy, but for upload I unfortunately don't know how it should be done :(
This is beyond my knowledge, I think.
Could anyone with more experience please give me an idea of how this can be done?
+----------+   | S |
|  User A  |---+ W |                +NAT
+----------+   | I |         eth1        eth0         group A
+----------+   | T |           +--------+        +--- 180 different Networks ---+
|  User B  |---+ C +-----------| Router |--------|                              Internet
+----------+   | H |           +--------+        +--- all rest internet --------+
   ....        ... / ...                              group B
+----------+   | H |
|  User N  |---+ U |
+----------+   | B |         ---------------->
               +---+
Best Regards
emo terziev
* Re: [LARTC] NAT+mangle+tc
2004-10-11 11:29 [LARTC] NAT+mangle+tc emo terziev
2004-10-11 16:09 ` Jason Boxman
2004-10-11 16:45 ` emo terziev
@ 2004-10-11 21:04 ` Alexander Samad
2004-10-12 2:20 ` Ethy H. Brito
3 siblings, 0 replies; 5+ messages in thread
From: Alexander Samad @ 2004-10-11 21:04 UTC (permalink / raw)
To: lartc
[-- Attachment #1: Type: text/plain, Size: 3253 bytes --]
Hi
What you can do is mark the packets in netfilter (iptables) and then use
the marks to assign the packets to classes.
You can do something like:
# mark by source address; mangle PREROUTING still sees the pre-NAT source
iptables -t mangle -A PREROUTING -s AddrIWantToShape -j MARK --set-mark 0x02
iptables -t mangle -A PREROUTING -s AddrIWantToShape2 -j MARK --set-mark 0x03
# NAT the same sources on the way out of the Internet-side interface
iptables -t nat -A POSTROUTING -s AddrIWantToShape -o InternetInt -j MASQUERADE
iptables -t nat -A POSTROUTING -s AddrIWantToShape2 -o InternetInt -j MASQUERADE
# fw filters map each mark to a class on the outgoing interface
tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 2 fw flowid 1:30
tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 3 fw flowid 1:40
Something like that
Alex
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
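
An added example (not from any poster in this thread) of how the marking approach above extends to the per-user, per-destination-group upload limits asked about earlier: the mark is chosen from both the pre-NAT source address and the destination network. The script only prints the commands; the user addresses, the two group A networks (documentation ranges standing in for the 180), the HTB qdisc and the 2mbit parent rate are assumptions.

```shell
#!/bin/sh
# Dry-run generator: prints the iptables/tc commands instead of running them.
# Assumed values (not from the thread): user IPs, the group A networks,
# HTB as the qdisc, and the 2mbit parent rate.
WAN=eth0                                   # Internet-side interface, per the diagram
GROUP_A="192.0.2.0/24 198.51.100.0/24"     # constructed stand-ins for the 180 networks
# user-ip:rate-to-group-A:rate-to-group-B (rates are the ones quoted in the thread)
USERS="10.0.0.11:128kbit:64kbit
10.0.0.12:256kbit:1mbit"

gen_rules() {
    echo "tc qdisc add dev $WAN root handle 1: htb"
    echo "tc class add dev $WAN parent 1: classid 1:1 htb rate 2mbit"
    n=0
    for u in $USERS; do
        ip=${u%%:*}; rest=${u#*:}; rate_a=${rest%%:*}; rate_b=${rest#*:}
        n=$((n + 1))
        mark_a=$((n * 2 + 8)); mark_b=$((n * 2 + 9))   # 10/11, 12/13, ...
        # Default mark = group B ("all the rest"). MARK does not stop rule
        # traversal, so the group A rules that follow overwrite the mark.
        echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $mark_b"
        for net in $GROUP_A; do
            echo "iptables -t mangle -A PREROUTING -s $ip -d $net -j MARK --set-mark $mark_a"
        done
        # Source NAT happens later, in nat POSTROUTING; the mark stays on the
        # packet, so the egress fw filter still knows which user sent it.
        echo "iptables -t nat -A POSTROUTING -s $ip -o $WAN -j MASQUERADE"
        for pair in "$mark_a:$rate_a" "$mark_b:$rate_b"; do
            m=${pair%%:*}; r=${pair#*:}
            # tc reads the classid text as hex and the fw handle as decimal;
            # what matters is that class and flowid use the same text.
            echo "tc class add dev $WAN parent 1:1 classid 1:$m htb rate $r"
            echo "tc filter add dev $WAN parent 1: protocol ip pref 5 handle $m fw flowid 1:$m"
        done
    done
}

gen_rules
```

With a real group A of 180 networks the inner loop emits 180 mangle rules per user, so reviewing the printed output before piping it to a shell is worthwhile.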
* Re: [LARTC] NAT+mangle+tc
2004-10-11 11:29 [LARTC] NAT+mangle+tc emo terziev
` (2 preceding siblings ...)
2004-10-11 21:04 ` Alexander Samad
@ 2004-10-12 2:20 ` Ethy H. Brito
3 siblings, 0 replies; 5+ messages in thread
From: Ethy H. Brito @ 2004-10-12 2:20 UTC (permalink / raw)
To: lartc
On Tue, 12 Oct 2004 07:04:17 +1000
Alexander Samad <alex@samad.com.au> wrote:
> you can do something like
>
> iptables -t mangle -A PREROUTING -s AddrIWantToShape -j MARK --set-mark 0x02
> iptables -t mangle -A PREROUTING -s AddrIWantToShape2 -j MARK --set-mark 0x03
-- SNIP --
>
> tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 2 fw flowid 1:30
> tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 3 fw flowid 1:40
>
Hi All.
I have also been fighting this for some time now. And I got:
(icmp incoming thru eth1 should be put into output eth2 flow 1:1)
iptables -t mangle -A PREROUTING -i eth1 -p icmp -j MARK --set-mark 1
tc filter add dev eth2 protocol ip parent 1: pref 1 handle 1 fw flowid 1:1
RTNETLINK answers: Invalid argument
Linux Slackware 8.1
iptables v1.2.6a
Kernel 2.4.20-pre10 with
<*> Firewall based classifier
tc downloaded from docum.org
The funny thing is that the line below does not give me any errors:
tc filter add dev $INTERNET protocol ip \
parent 1:0 prio 1 u32 \
match ip src X.Y.W.Z/29 \
flowid 1:FFFE
It is another classifier, I know. But what am I doing wrong?
--
Ethy H. Brito /"\
InterNexo Ltda. \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860 X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil / \