Re: iptables mark qos

From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 08/20/04


Date: 20 Aug 2004 07:57:04 -0700

moritz@uplink-verein.ch (moritz gartenmeister) wrote in message news:<25d255b5.0408180653.63eb169f@posting.google.com>...
> hi all
>
> i really reach my limits with the following task:
> os: debian
> program: iptables + bridge
> goal: transparent bridge with traffic-shaping
>
> this does not sound so complicated at first glance, but...
> i got a computer with 4 nics (3 of them are used for the bridge, 1 for
> administration). the firewall will be placed between router and LAN,
> but with 2 servers between. the traffic should be classified by the
> following points:

I'm hopelessly confused about your physical and logical setup -- ascii
art?

> 1. dst/src: there are several ip-ranges with no bandwidth limits, this
> means the traffic should be forwarded without further checking,
> including LAN and the two servers.
> 2. all other traffic should be shaped by application
> (layer7-extension).

What app? Layer 7? Kinda late to shape/police traffic there, don't
you think? Doesn't make sense to me -- maybe I'm being obtuse.

> i tried to mark the packets in the mangle table (PREROUTING or
> filter). ...

Incoming? Outgoing? Both?

> but i am really confused... marking the packets (e.g. HTTP)
> doesn't work, ...

Marking how? fwmark? TOS? Other?

> because it will mark every packet without checking for
> dst/src. marking packets by dst/src will not work, because they are
> not correctly marked for the traffic-shaper.

Which traffic-shaper are you referring to -- there are several?

> any ideas (in the case you understand my problem)? the problem (i
> assume) is, that i cannot use a user-specified target in the mangle
> table and i cannot use the mark target in filter table.

You can do both if you know how -- but I've no idea what your setup
is, how you want traffic routed and shaped or why and absolutely no
hard data/output to see what's up?

> regards
> moritz

You'll need to be quite specific about your hardware and network setup
-- it's still very unclear to me. Bridge? Router? What's what and
where is it? How _do_ you connect to internet/ISP? Single
connection? Leased router? Why a bridge/firewall? This one:
http://ebtables.sourceforge.net ?
or this:
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO-1.html
or something else?
DMZ? Public IPs? Private IP space? Admin NIC? How many subnets do
you have? Connected to what? Via which interface? And 100's of
other questions ...

Also some cut-n-paste output of things like:
ifconfig
route -n
netstat -rn
arp -vn
ip link show
ip addr show
ip route show
ip neighbor show

What, if any, services are you providing -- via public IP or NAT or
virtual hosting or what?

Multiple route tables? Any ip rules? What _are_ your firewall rules?

What are you using -- netfilter script? HOWTO? Which one(s)?

I'm in the dark and can't help without some light -- lots of it ;-)

Also your _reason_ for a Linux bridge rather than a router might shed
some light also. Be warned: I've never seen the purpose of using
Linux as a bridge -- what do you hope to gain?

get back with info,
prg
email above disabled
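Added example, not from either poster: one way to do the two things the question says cannot be done, namely a user-defined chain in the mangle table that RETURNs exempt src/dst ranges before any layer7 match marks the remaining packets, plus the tc fw filters that pick those marks up. The interface, address ranges and mark values are placeholders; it assumes the l7-filter iptables patch is installed and an HTB qdisc with classes 1:10 and 1:20 already exists on $WAN_IF (and, on a bridge, that bridge-netfilter is enabled so the mangle table sees bridged traffic).

```shell
#!/bin/sh
# Added example (not from the thread). DRY_RUN=1 prints the commands
# instead of applying them, so the rule order can be reviewed first.
set -e
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Placeholder values: replace with the real LAN range and server addresses.
WAN_IF=${WAN_IF:-eth0}
EXEMPT_RANGES="192.0.2.0/24 198.51.100.10 198.51.100.11"   # LAN + two servers
MARK_HTTP=10
MARK_P2P=20

build_qos_chain() {
    # A user-defined chain is fine in mangle; create it and fill it in order.
    run iptables -t mangle -N QOS
    # 1. Exempt ranges as src or dst: RETURN before any layer7 test runs,
    #    so these packets leave the chain unmarked and are not shaped.
    for r in $EXEMPT_RANGES; do
        run iptables -t mangle -A QOS -s "$r" -j RETURN
        run iptables -t mangle -A QOS -d "$r" -j RETURN
    done
    # 2. Everything else is classified by application via the layer7 match.
    #    (l7 needs conntrack and only decides after the first few packets.)
    run iptables -t mangle -A QOS -m layer7 --l7proto http \
        -j MARK --set-mark "$MARK_HTTP"
    run iptables -t mangle -A QOS -m layer7 --l7proto bittorrent \
        -j MARK --set-mark "$MARK_P2P"
    # Hook the chain into PREROUTING so forwarded/bridged traffic passes it.
    run iptables -t mangle -A PREROUTING -j QOS
}

attach_fw_filters() {
    # The shaper keys on the fwmark: each mark lands in its own HTB class
    # (assumed to exist under qdisc handle 1: on $WAN_IF).
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 \
        handle "$MARK_HTTP" fw flowid 1:10
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 \
        handle "$MARK_P2P" fw flowid 1:20
}

build_qos_chain
attach_fw_filters
```

Unmarked packets (the exempt ranges) fall through to the qdisc's default class, so check that the default class is unlimited rather than the most restrictive one.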