Thread: [bwm-tools-tech] bwm tools traffic shaping issue
From: vishal s. <vis...@ho...> - 2005-05-25 10:22:13
Hi Nigel,

In brief, let me first describe what I am trying to do:

I have configured one Linux box, 192.168.1.69, as a router and installed bwm tools. This has the default gateway of 192.168.1.114.

Also, I have configured another Linux box, 192.168.1.163, and made the previous box its default gateway. So anything that is not on the local net goes to 192.168.1.69.

This is my bwm firewall file:

<firewall>
<global>
  <modules>
    <load name="ip_queue"/>
    <load name="ip_conntrack_ftp"/>
    <load name="ip_nat_ftp"/>
  </modules>

  #Classes

  <class name="http_public_traffic_inout">
    <address name="http_inout" proto="tcp" dst-port="80"/>
  </class>

  <class name="https_public_traffic_inout">
    <address name="https_inout" proto="tcp" dst-port="443"/>
  </class>

  <class name="ftp_public_traffic_inout">
    <address name="ftp_inout" proto="tcp" dst-port="21"/>
  </class>

  <class name="DNS_traffic_inout">
    <address name="DNS_inout" proto="udp" dst-port="53"/>
  </class>

  <class name="icmp_traffic_inout">
    <address name="icmp_inout" proto="icmp" />
  </class>

  <class name="http_private_traffic_inout">
    <address name="http_inout" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
  </class>

  <class name="ftp_private_traffic_inout">
    <address name="ftp_inout" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
  </class>

  <class name="telnet_private_traffic_inout">
    <address name="telnet_inout" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
  </class>

  <class name="ssh_private_traffic_inout">
    <address name="ssh_inout" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
  </class>

  <class name="smtp_private_traffic_inout">
    <address name="http_inout" src="192.168.1.112" proto="tcp" dst-port="25"/>
  </class>

  <class name="pop3_private_traffic_inout">
    <address name="pop3_inout" src="192.168.1.112" dst="63.80.142.98" proto="tcp" dst-port="110"/>
  </class>

  <class name="icmp_private_traffic_inout">
    <address name="icmp_inout" dst="192.168.0.0/16" proto="icmp" />
  </class>

  <class name="http_private_traffic_outin">
    <address name="http_outin" dst="192.168.0.0/16" proto="tcp" dst-port="80" />
  </class>

  <class name="ftp_private_traffic_outin">
    <address name="ftp_outin" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
  </class>

  <class name="telnet_private_traffic_outin">
    <address name="telnet_outin" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
  </class>

  <class name="ssh_private_traffic_outin">
    <address name="ssh_outin" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
  </class>

  <class name="icmp_private_traffic_outin">
    <address name="icmp_outin" proto="icmp" />
  </class>

  <class name="snmp_private_traffic">
    <address name="snmpprivate" proto="tcp" dst-port="161"/>
  </class>
</global>

<acl>
  <table name="filter">
    <chain name="INPUT">
      <rule target="bwmd">
      </rule>
    </chain>
    <chain name="OUTPUT">
      <rule target="bwmd">
      </rule>
    </chain>
    <chain name="FORWARD">
      <rule target="bwmd">
      </rule>
    </chain>
  </table>
</acl>

<traffic>
  <flow name="total_in" max-rate="64000" report-timeout="60">
    <flow name="http_https_public" max-rate="16000" burst-rate="120000" nfmark="100">
      http_public_traffic_inout
      https_public_traffic_inout
      http_private_traffic_inout
    </flow>
    <flow name="ftp_public" max-rate="16000" burst-rate="64000" nfmark="101">
      ftp_public_traffic_inout
    </flow>
    <flow name="dns_icmp_public" max-rate="4000" burst-rate="4500" nfmark="102">
      DNS_traffic_inout
      icmp_private_traffic_outin
    </flow>
    <flow name="ftp_private" max-rate="128000" burst-rate="128000" nfmark="103">
      ftp_private_traffic_inout
    </flow>
  </flow>
</traffic>
</firewall>

This is the output of iptables -L -n -v:

[root@bplinux60 bwm_tools]# iptables -L -n -v
Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
 pkts bytes target prot opt in  out source    destination
 8701 1178K bwmd   all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
 pkts bytes target prot opt in  out source    destination
   47  2163 bwmd   all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
 pkts bytes target prot opt in  out source    destination
  270 28205 bwmd   all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain bwmd (3 references)
 pkts bytes target prot opt in  out source    destination
   14   807 QUEUE  all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
 5136  703K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0

And this is the output of iptables -L -n -v -t mangle:

[root@bplinux60 bwm_tools]# iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
 pkts bytes target prot opt in  out source    destination

Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
 pkts bytes target prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
 pkts bytes target prot opt in  out source    destination
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0       tcp dpt:80   MARK set 0x64
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0       tcp dpt:443  MARK set 0x64
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 192.168.0.0/16  tcp dpt:80   MARK set 0x64
   10   471 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0       tcp dpt:21   MARK set 0x65
    0     0 MARK   udp  --  *   *   0.0.0.0/0 0.0.0.0/0       udp dpt:53   MARK set 0x66
    4   336 MARK   icmp --  *   *   0.0.0.0/0 0.0.0.0/0                    MARK set 0x66
   10   471 MARK   tcp  --  *   *   0.0.0.0/0 192.168.0.0/16  tcp dpt:21   MARK set 0x67

Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
 pkts bytes target prot opt in  out source    destination

Chain POSTROUTING (policy ACCEPT 66605 packets, 9144K bytes)
 pkts bytes target prot opt in  out source    destination

My problem is: when I fire bwmd and thereafter run bwm_monitor, the monitor does display some counters, but I see no traffic limiting. For example, if I limit ftp traffic to 8kb, it has no effect. And strangely, the ftp counters aren't updated.

Please help!!!

Vishal Singh
From: Kobe L. <ko...@mo...> - 2005-05-25 10:43:14
Hi,

This all looks perfect, except you're wrongly marking FTP traffic. FTP data traffic is NOT going over port 21, but over port 20 (if using active mode) or over some other port range the server decides (usually something in the high port ranges, 50,000+).

Try to limit HTTP traffic (port 80) and download a huge file from somewhere; you'll see it work.

Greetz
Kobe
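Kobe's point, as an added example that is not part of the thread or of bwm-tools: the control connection on port 21 only negotiates where the data goes, and the posted classes match on ports alone, so the bulk bytes get no mark. The script below parses the PORT, 227 and 229 exchanges that fix the data endpoint and checks whether a class of the form `proto="tcp" dst-port="21"` would ever see the resulting data connection. The session is constructed (client 192.168.1.163 as in the thread, server 198.51.100.7 is a documentation address). ip_conntrack_ftp, which the posted config loads, does the same parsing in the kernel so the data connection can be tracked as related to the control connection.

```python
"""Where FTP data really flows.  The control connection (port 21) only
negotiates the data connection; the data itself uses other ports, so a
class matching proto="tcp" dst-port="21" never sees the bulk bytes.

Added example, not code from the thread or from bwm-tools.  The session
below is constructed: client 192.168.1.163 as in the thread, server
198.51.100.7 (a documentation address).  ip_conntrack_ftp performs this
same parsing in the kernel to track the data connection as RELATED.
"""
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\(?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)?")
EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d+)\|\)")


def _endpoint(fields):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); reject out-of-range bytes."""
    vals = [int(x) for x in fields]
    if any(not 0 <= v <= 255 for v in vals):
        raise ValueError("byte out of range in FTP address: %r" % (fields,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channel(line, client_ip, server_ip):
    """Return (mode, initiator, dst_ip, dst_port) for the data connection
    implied by one control-channel line, or None if the line sets none.

    Active  (PORT):    server connects from its port 20 to the client's port.
    Passive (227/229): client connects to a port the server chose.
    Neither direction has destination port 21.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = _endpoint(m.groups())
        return ("active", server_ip, ip, port)
    m = PASV_RE.match(line)
    if m:
        ip, port = _endpoint(m.groups())
        return ("passive", client_ip, ip, port)
    m = EPSV_RE.match(line)
    if m:
        return ("passive", client_ip, server_ip, int(m.group(1)))
    return None


def audit(lines, client_ip, server_ip, shaped_dst_port=21):
    """For each negotiated data connection, say whether a rule matching
    tcp dst-port=shaped_dst_port would catch it.
    Returns a list of (mode, initiator, dst_ip, dst_port, caught)."""
    out = []
    for ln in lines:
        conn = data_channel(ln, client_ip, server_ip)
        if conn is not None:
            out.append(conn + (conn[3] == shaped_dst_port,))
    return out


# Constructed control-channel excerpt (both directions, in order).
SAMPLE_SESSION = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "PORT 192,168,1,163,4,1",                           # client: 192.168.1.163:1025
    "200 PORT command successful",
    "RETR big.iso",
    "227 Entering Passive Mode (198,51,100,7,196,10)",  # server: 198.51.100.7:50186
    "229 Entering Extended Passive Mode (|||50007|)",   # server: 198.51.100.7:50007
]

if __name__ == "__main__":
    for row in audit(SAMPLE_SESSION, "192.168.1.163", "198.51.100.7"):
        print(row)
```

Every row comes back with `caught == False`: the 10 packets and 471 bytes on the `tcp dpt:21` rule in the posted listing are the size of a control-channel exchange, not of a file transfer.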
From: Giang Hu <fre...@gm...> - 2005-05-25 12:29:54
Hi Vishal,

bwmd takes traffic limiting effect only if the traffic target is *QUEUE*. As your status shows:

Chain bwmd (3 references)
 pkts bytes target prot opt in  out source    destination
   14   807 QUEUE  all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
 5136  703K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0

Only a small amount of *FORWARD* traffic goes through *QUEUE* while all the others jump to ACCEPT (did you download from the gateway? Set */nfmark/* for the *INPUT* chain?)

Just a thought, good luck
Giang Hu.
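The check Giang Hu is doing by eye, as an added example that is not code from the thread or from bwm-tools: parse the two `iptables -L -n -v` listings, compute what share of the packets entering the bwmd chain reached QUEUE (bwmd only ever sees those), list the MARK rules whose counters never moved, and list the filter hooks that jump to bwmd without any mangle MARK rule on their path. The embedded listings are the ones from the original post, re-typed with the column spacing collapsed. The `COVERS` map (which mangle hook a packet passes before a given filter hook) is an assumption about netfilter hook order made for this example.

```python
"""Where is the shaping actually applied?  Parse `iptables -L -n -v` output and
answer three questions: what share of packets entering the bwmd chain reached
QUEUE (the rest hit ACCEPT and are never shaped), which MARK rules never fired,
and which filter hooks feed bwmd without any mangle MARK covering them.

Added example, not code from the thread or from bwm-tools.  The sample
listings are those from the original post, re-typed with columns collapsed.
COVERS is an assumption about netfilter hook order, not something bwm-tools
states.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+ (\S+) packets|(\d+) references)")

# Which filter hooks a MARK set in a given mangle hook can reach.
COVERS = {"PREROUTING": {"INPUT", "FORWARD"}, "INPUT": {"INPUT"},
          "FORWARD": {"FORWARD"}, "OUTPUT": {"OUTPUT"}}


def _count(tok):
    """iptables -v abbreviates counters as 703K / 45M (multiples of 1000)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_iptables(listing):
    """Return {chain: {"policy_pkts": int|None, "rules": [...]}} for one table."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            policy = _count(m.group(2)) if m.group(2) else None
            chains[current] = {"policy_pkts": policy, "rules": []}
            continue
        if current is None or line.startswith("pkts"):
            continue  # shell prompt or column header
        f = line.split()
        chains[current]["rules"].append({
            "pkts": _count(f[0]), "bytes": _count(f[1]), "target": f[2],
            "prot": f[3], "src": f[7], "dst": f[8], "match": " ".join(f[9:]),
        })
    return chains


def queue_share(filter_chains, shaper="bwmd"):
    """Fraction of packets entering the shaper chain that were handed to QUEUE."""
    rules = filter_chains[shaper]["rules"]
    total = sum(r["pkts"] for r in rules)
    queued = sum(r["pkts"] for r in rules if r["target"] == "QUEUE")
    return queued / total if total else 0.0


def dead_mark_rules(mangle_chains):
    """(chain, match) for every MARK rule whose packet counter is still zero."""
    return [(name, r["match"]) for name, ch in mangle_chains.items()
            for r in ch["rules"] if r["target"] == "MARK" and r["pkts"] == 0]


def hooks_without_marks(filter_chains, mangle_chains, shaper="bwmd"):
    """Filter chains that jump to the shaper but whose packets never carry a
    mark (no mangle chain on their path has a MARK rule), so they fail
    `MARK match !0x0` and fall through to ACCEPT unshaped."""
    feeding = {n for n, ch in filter_chains.items()
               if any(r["target"] == shaper for r in ch["rules"])}
    marked = set()
    for n, ch in mangle_chains.items():
        if any(r["target"] == "MARK" for r in ch["rules"]):
            marked |= COVERS.get(n, set())
    return sorted(feeding - marked)


def report(filter_listing, mangle_listing):
    flt, mng = parse_iptables(filter_listing), parse_iptables(mangle_listing)
    return {"queue_share": queue_share(flt), "dead_marks": dead_mark_rules(mng),
            "unmarked_hooks": hooks_without_marks(flt, mng)}


SAMPLE_FILTER = """\
Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
 pkts bytes target prot opt in out source destination
 8701 1178K bwmd all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
 pkts bytes target prot opt in out source destination
   47 2163 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
 pkts bytes target prot opt in out source destination
  270 28205 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0

Chain bwmd (3 references)
 pkts bytes target prot opt in out source destination
   14 807 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
 5136 703K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
 pkts bytes target prot opt in out source destination
    0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x64
    0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x64
    0 0 MARK tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:80 MARK set 0x64
   10 471 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x65
    0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MARK set 0x66
    4 336 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x66
   10 471 MARK tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:21 MARK set 0x67

Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
 pkts bytes target prot opt in out source destination
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE_FILTER, SAMPLE_MANGLE).items():
        print(key, value)
```

On the posted counters the QUEUE share is under one percent, the four HTTP/HTTPS/DNS MARK rules have never matched, and INPUT and OUTPUT feed bwmd with no mark set anywhere on their path: traffic that originates or terminates on 192.168.1.69 itself can only hit the ACCEPT rule, which is the situation Giang Hu describes.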
From: vishal s. <vis...@ho...> - 2005-05-25 17:50:26
Hi,

Even I noticed that. Does that mean the firewall rules are wrong? I didn't understand "downloaded from gateway". Could you tell me if I am wrong in setting up the network? My "router" has only one interface active, 192.168.1.69, and all packets are sent to it and come out of it. Is that the problem??

Vishal Singh
From: Giang Hu <fre...@gm...> - 2005-05-26 02:14:56
On 5/26/05, vishal singh <vis...@ho...> wrote:
>
> Hi
> even i noticed that. Does that mean firewall rules are wrong?

- No, I did not say "firewall rules are wrong" :-o.

> Didnt understand "downloaded from gateway".

- "downloaded from gateway": you are running services (ftp, ...) on 192.168.1.69 and then your client downloaded from it.

> Could you tell me if I am wrong in setting up the network? My "router" has
> only one i/face active, 192.168.1.69. and all packets are sent to it and
> come out of it. Is that the problem??

Again, I didn't say you are wrong in any way, and I don't know how to explain. Sorry I could not help you so far :(

It's not hard to build a (more realistic) testing network using IP aliases:

- Configure your "router" to run two IPs. Ex: eth0:0 runs 192.168.1.69/16 and eth0:1 runs 10.0.0.1/8
- Configure your client IP as something like 10.x.x.x/8 with default gw 10.0.0.1/8
- Configure the firewall rules and run the test

I mean a "suggestion", good luck :)
Giang Hu
> >>
> >>Vishal Singh
> >>
> >>_______________________________________________
> >>bwm-tools-tech mailing list
> >>bwm...@li...
> >>https://lists.sourceforge.net/lists/listinfo/bwm-tools-tech
> >

-- 
You are in control of your own wonderful life :)
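As an added diagnostic for the setup quoted above (example code written for this page, not part of the thread or of bwm-tools): it cross-references the posted <traffic> flows with the MARK rules of the posted mangle FORWARD chain, sums rule hits per nfmark, and flags the two dst-port 21 rules whose identical counters show the same packets being re-marked from the ftp_public flow to the ftp_private flow. The iptables listing is a constructed copy of the one in the post, and the overlap heuristic (same proto/port with identical counters) is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# <traffic> section of the firewall file posted in the thread (values unchanged, reflowed)
BWM_TRAFFIC = """<traffic><flow name="total_in" max-rate="64000" report-timeout="60">
 <flow name="http_https_public" max-rate="16000" burst-rate="120000" nfmark="100">
  http_public_traffic_inout https_public_traffic_inout http_private_traffic_inout</flow>
 <flow name="ftp_public" max-rate="16000" burst-rate="64000" nfmark="101">ftp_public_traffic_inout</flow>
 <flow name="dns_icmp_public" max-rate="4000" burst-rate="4500" nfmark="102">DNS_traffic_inout icmp_private_traffic_outin</flow>
 <flow name="ftp_private" max-rate="128000" burst-rate="128000" nfmark="103">ftp_private_traffic_inout</flow>
</flow></traffic>"""
# FORWARD chain of the posted `iptables -L -n -v -t mangle` output (constructed copy, counters as in the thread)
MANGLE_FORWARD = """\
    0     0 MARK tcp  -- * * 0.0.0.0/0 0.0.0.0/0      tcp dpt:80  MARK set 0x64
    0     0 MARK tcp  -- * * 0.0.0.0/0 0.0.0.0/0      tcp dpt:443 MARK set 0x64
    0     0 MARK tcp  -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:80  MARK set 0x64
   10   471 MARK tcp  -- * * 0.0.0.0/0 0.0.0.0/0      tcp dpt:21  MARK set 0x65
    0     0 MARK udp  -- * * 0.0.0.0/0 0.0.0.0/0      udp dpt:53  MARK set 0x66
    4   336 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0      MARK set 0x66
   10   471 MARK tcp  -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:21  MARK set 0x67
"""
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+MARK\s+(\S+)\s.*MARK set 0x([0-9a-fA-F]+)\s*$")

def flows_by_nfmark(traffic_xml):
    """nfmark -> (flow name, class names) for every flow that carries an nfmark."""
    return {int(f.get("nfmark")): (f.get("name"), f.text.split())
            for f in ET.fromstring(traffic_xml).iter("flow") if f.get("nfmark")}

def parse_mark_rules(listing):
    """Packet counter, protocol, destination port and mark value of each MARK rule in a listing."""
    rules = []
    for m in filter(None, map(RULE_RE.match, listing.splitlines())):
        dpt = re.search(r"dpt:(\d+)", m.string)
        rules.append({"pkts": int(m[1]), "proto": m[3], "dpt": dpt and dpt[1], "nfmark": int(m[4], 16)})
    return rules

def flow_report(traffic_xml, listing):
    """Rule hits per flow, plus (earlier, later) flow pairs whose rules match the same proto/port
    with identical counters: MARK is non-terminating, so the later rule's mark is what bwmd sees."""
    flows, rules = flows_by_nfmark(traffic_xml), parse_mark_rules(listing)
    name_of = lambda mark: flows.get(mark, ("<unknown>", []))[0]
    hits, shadowed = {}, []
    for i, r in enumerate(rules):
        hits[name_of(r["nfmark"])] = hits.get(name_of(r["nfmark"]), 0) + r["pkts"]
        for later in rules[i + 1:]:
            if r["pkts"] and later["nfmark"] != r["nfmark"] and \
               (later["proto"], later["dpt"], later["pkts"]) == (r["proto"], r["dpt"], r["pkts"]):
                shadowed.append((name_of(r["nfmark"]), name_of(later["nfmark"])))
    return hits, shadowed
```

On the post's numbers this reports zero hits for the HTTP flow and the ftp_public/ftp_private overlap; note also that the MARK rules exist only in the mangle FORWARD chain, so traffic originating on or addressed to the router itself is never marked and never reaches the QUEUE rule.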