Re-2: [bwm-tools-tech] Please Help ...Traffic Control don't work !
From: <ral...@ra...> - 2005-04-15 14:00:02
Hi Nigel,

thanks for the fast answer!

OK, I changed all "-j ACCEPT" targets to "-j bwmd" in my filter table, but then I can't open any websites. And I see no traffic over the bwmd chain! (In the mangle table I can't change the ACCEPT target. When I try this, I get an error message! Is this right?)

But I tried this some time before, because I saw it on the website from Kobe. He additionally uses the rule "-A bwmd -j ACCEPT". When I add this to my rules, I see traffic over this rule, but again nothing over the bwmd queue! What can be wrong?

Bye for now
Ralph

Original Message processed by Tobit InfoCenter
Subject: Re: [bwm-tools-tech] Please Help ...Traffic Control don't work ! (15-Apr-2005 11:56)
From: nk...@lb...
To: ral...@ra...

Hi Ralph,

I see nothing is being sent to be QUEUE'd for bandwidth shaping...

0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0

counters are 0.

I assume you have a box acting as a firewall, for example... internet => firewall => network or similar.

All the ACCEPT targets for traffic that must be shaped must change to -j bwmd (what I mean is, everything that has been MARK'd). I see you have the bwmd chain, this is good... you're nearly up and running!

-Nigel

ral...@ra... wrote:

Hi again,

sorry, I must disturb you again, but the traffic control doesn't work and I don't know why!? OK, I changed my firewall.xml a little bit from what I posted yesterday. Now I can open all websites with and without squid. But from what I see, I think all traffic from http and https goes past the bwm_tool. So I tested ftp traffic, and suddenly I have movement in my FORWARD chain when I look under "iptables -L -n -v -t mangle" (see below). But the ftp and all other traffic is not controlled by the bwm_tool.

Please help, what is wrong in my firewall file!? Or is anything wrong around the bwm_tool? When I start the bwm_tool, I first set the iptables rules with "bwm_firewall firewall.xml -l", then I start bwmd or bwmd -f. So I think it must work, or not?

Here comes now the output of "iptables -L -n -v -t mangle" and "iptables -L -n -v", hope you can see something.

iptables -L -t mangle -v -n

Chain PREROUTING (policy ACCEPT 153K packets, 122M bytes)
pkts bytes target prot opt in out source destination
80557 101M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
9286 411K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
323 50860 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
175 11695 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10

Chain INPUT (policy ACCEPT 126K packets, 104M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 22009 packets, 18M bytes)
pkts bytes target prot opt in out source destination
8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb

Chain OUTPUT (policy ACCEPT 130K packets, 99M bytes)
pkts bytes target prot opt in out source destination
tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
54457 3505K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 TOS set 0x10
175 41207 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
302 21791 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10

Chain POSTROUTING (policy ACCEPT 152K packets, 117M bytes)
pkts bytes target prot opt in out source destination

iptables -L -n -v

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
175 11695 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
239 18164 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
839 211K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1812
160 34803 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
122K 104M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
187 18996 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 input_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto50
1517 72824 input_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
95 79913 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
278 13316 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp toPMTU
0 0 forward_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
8040 394K forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
13969 17M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 5 packets, 200 bytes)
pkts bytes target prot opt in out source destination
296 43919 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
130K 99M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

Chain POSTROUTING (0 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING (0 references)
pkts bytes target prot opt in out source destination

Chain bwmd (0 references)
pkts bytes target prot opt in out source destination
0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0

Chain forward_ext (1 references)
pkts bytes target prot opt in out source destination
2 150 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
13967 17M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain forward_int (2 references)
pkts bytes target prot opt in out source destination
8028 393K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
1 104 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type3
59 72560 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535
3 99 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:1024:65535
32 7150 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain input_int (2 references)
pkts bytes target prot opt in out source destination
1517 72824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Hope you can see something in this; if not, please let me know what you need. Do I understand correctly that all traffic that I want to control with the bwm_tool must go over the FORWARD chains!?

Best Regards
Ralph Buchmann
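
The check Nigel describes (is anything actually sent to the bwmd chain, and which ACCEPT rules are taking the forwarded packets instead) can be run mechanically over "iptables -L -n -v" output. The following is an added example, not part of the original thread or of bwm_tools; the function names are hypothetical and the sample listing is constructed by trimming the filter-table output quoted above.

```python
import re
# Constructed sample: trimmed from the filter-table listing quoted in this thread.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8040 394K forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain bwmd (0 references)
pkts bytes target prot opt in out source destination
0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
Chain forward_int (2 references)
pkts bytes target prot opt in out source destination
8028 393K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
"""
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables -v abbreviates counters

def count(tok):
    return int(tok[:-1]) * UNITS[tok[-1]] if tok[-1] in UNITS else int(tok)

def parse(listing):
    """Return {chain: [(pkts, target, match), ...]} from a -L -n -v listing."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            cur = chains[m.group(1)] = []
        f = line.split()
        # Only rows that start with a packet counter are rules; this skips
        # chain titles, column headers, blank lines and truncated rows.
        if cur is not None and len(f) >= 9 and f[0][0].isdigit():
            cur.append((count(f[0]), f[2], " ".join(f[3:])))
    return chains

def reachable(chains, root="FORWARD"):
    """Chains that forwarded packets can traverse, following jump targets."""
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in chains and name not in seen:
            seen.add(name)
            todo += [target for _, target, _ in chains[name]]
    return seen

def diagnose(listing, shaper="bwmd"):
    """Explain why the shaper chain's QUEUE rule sees no forwarded packets."""
    chains, out = parse(listing), []
    if shaper not in reachable(chains):
        out.append(f"{shaper} is not reachable from FORWARD")
    for name in sorted(reachable(chains)):
        for pkts, target, match in chains[name]:
            if target == "ACCEPT" and pkts:
                out.append(f"{name}: ACCEPT took {pkts} packets ({match})")
    return out
```

Calling diagnose(SAMPLE) reports that bwmd is unreachable from FORWARD and names the forward_int ACCEPT rule that is absorbing the traffic; an empty result means every counted rule on the forwarding path hands off to the shaper chain.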