Re: [bwm-tools-tech] bwm tools traffic shaping issue
From: Giang Hu <fre...@gm...> - 2005-05-25 12:29:54
Hi Vishal,

bwmd takes traffic limiting effect only if the traffic target is *QUEUE*. As your status shows:

    Chain bwmd (3 references)
     pkts bytes target  prot opt in  out  source      destination
       14   807 QUEUE   all  --  *   *    0.0.0.0/0   0.0.0.0/0    MARK match !0x0
     5136  703K ACCEPT  all  --  *   *    0.0.0.0/0   0.0.0.0/0

Only small *FORWARD* traffic goes through *QUEUE* when all others jump to ACCEPT (did you download from the gateway? Set */nfmark/* for the *INPUT* chain?)

Just a thought, good luck

Giang Hu.

vishal singh wrote:

> Hi Nigel
>
> In brief, let me first describe what I am trying to do:
>
> I have configured one Linux Box, 192.168.1.69 as a router and
> installed bwm tools. This has the default gateway of 192.168.1.114
>
> Also, I have configured another Linux Box, 192.168.1.163 and made the
> previous box its default gateway. So anything that is not on the local
> net goes to 192.168.1.69.
>
> This is my bwm firewall file:
>
> <firewall>
>   <global>
>     <modules>
>       <load name="ip_queue"/>
>       <load name="ip_conntrack_ftp"/>
>       <load name="ip_nat_ftp"/>
>     </modules>
>
>     #Classes
>
>     <class name= "http_public_traffic_inout">
>       <address name="http_inout" proto="tcp" dst-port="80"/>
>     </class>
>
>     <class name= "https_public_traffic_inout">
>       <address name="https_inout" proto="tcp" dst-port="443"/>
>     </class>
>
>     <class name= "ftp_public_traffic_inout">
>       <address name="ftp_inout" proto="tcp" dst-port="21"/>
>     </class>
>
>     <class name= "DNS_traffic_inout">
>       <address name="DNS_inout" proto="udp" dst-port="53"/>
>     </class>
>
>     <class name= "icmp_traffic_inout">
>       <address name="icmp_inout" proto="icmp" />
>     </class>
>
>     <class name= "http_private_traffic_inout">
>       <address name="http_inout" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
>     </class>
>
>     <class name= "ftp_private_traffic_inout">
>       <address name="ftp_inout" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
>     </class>
>
>     <class name= "telnet_private_traffic_inout">
>       <address name="telnet_inout" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
>     </class>
>
>     <class name= "ssh_private_traffic_inout">
>       <address name="ssh_inout" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
>     </class>
>
>     <class name= "smtp_private_traffic_inout">
>       <address name="http_inout" src="192.168.1.112" proto="tcp" dst-port="25"/>
>     </class>
>
>     <class name= "pop3_private_traffic_inout">
>       <address name="pop3_inout" src="192.168.1.112" dst="63.80.142.98" proto="tcp" dst-port="110"/>
>     </class>
>
>     <class name= "icmp_private_traffic_inout">
>       <address name="icmp_inout" dst="192.168.0.0/16" proto="icmp" />
>     </class>
>
>     <class name= "http_private_traffic_outin">
>       <address name="http_outin" dst="192.168.0.0/16" proto="tcp" dst-port="80" />
>     </class>
>
>     <class name= "ftp_private_traffic_outin">
>       <address name="ftp_outin" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
>     </class>
>
>     <class name= "telnet_private_traffic_outin">
>       <address name="telnet_outin" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
>     </class>
>
>     <class name= "ssh_private_traffic_outin">
>       <address name="ssh_outin" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
>     </class>
>
>     <class name= "icmp_private_traffic_outin">
>       <address name="icmp_outin" proto="icmp" />
>     </class>
>
>     <class name= "snmp_private_traffic">
>       <address name="snmpprivate" proto="tcp" dst-port="161"/>
>     </class>
>   </global>
>
>   <acl>
>     <table name="filter">
>       <chain name="INPUT">
>         <rule target="bwmd">
>         </rule>
>       </chain>
>       <chain name="OUTPUT">
>         <rule target="bwmd">
>         </rule>
>       </chain>
>       <chain name="FORWARD">
>         <rule target="bwmd">
>         </rule>
>       </chain>
>     </table>
>   </acl>
>
>   <traffic>
>     <flow name="total_in" max-rate="64000" report-timeout="60">
>       <flow name="http_https_public" max-rate="16000" burst-rate="120000" nfmark="100">
>         http_public_traffic_inout
>         https_public_traffic_inout
>         http_private_traffic_inout
>       </flow>
>       <flow name="ftp_public" max-rate="16000" burst-rate="64000" nfmark="101">
>         ftp_public_traffic_inout
>       </flow>
>       <flow name="dns_icmp_public" max-rate="4000" burst-rate="4500" nfmark="102">
>         DNS_traffic_inout
>         icmp_private_traffic_outin
>       </flow>
>       <flow name="ftp_private" max-rate="128000" burst-rate="128000" nfmark="103">
>         ftp_private_traffic_inout
>       </flow>
>     </flow>
>   </traffic>
> </firewall>
>
> This is the o/p of iptables -L -n -v
>
> [root@bplinux60 bwm_tools]# iptables -L -n -v
> Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
>  pkts bytes target  prot opt in  out  source      destination
>  8701 1178K bwmd    all  --  *   *    0.0.0.0/0   0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
>  pkts bytes target  prot opt in  out  source      destination
>    47  2163 bwmd    all  --  *   *    0.0.0.0/0   0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
>  pkts bytes target  prot opt in  out  source      destination
>   270 28205 bwmd    all  --  *   *    0.0.0.0/0   0.0.0.0/0
>
> Chain bwmd (3 references)
>  pkts bytes target  prot opt in  out  source      destination
>    14   807 QUEUE   all  --  *   *    0.0.0.0/0   0.0.0.0/0    MARK match !0x0
>  5136  703K ACCEPT  all  --  *   *    0.0.0.0/0   0.0.0.0/0
>
> And this is the o/p of iptables -L -n -v -t mangle
>
> [root@bplinux60 bwm_tools]# iptables -L -n -v -t mangle
> Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
>  pkts bytes target  prot opt in  out  source      destination
>
> Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
>  pkts bytes target  prot opt in  out  source      destination
>
> Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
>  pkts bytes target  prot opt in  out  source      destination
>     0     0 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0        tcp dpt:80 MARK set 0x64
>     0     0 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0        tcp dpt:443 MARK set 0x64
>     0     0 MARK    tcp  --  *   *    0.0.0.0/0   192.168.0.0/16   tcp dpt:80 MARK set 0x64
>    10   471 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0        tcp dpt:21 MARK set 0x65
>     0     0 MARK    udp  --  *   *    0.0.0.0/0   0.0.0.0/0        udp dpt:53 MARK set 0x66
>     4   336 MARK    icmp --  *   *    0.0.0.0/0   0.0.0.0/0        MARK set 0x66
>    10   471 MARK    tcp  --  *   *    0.0.0.0/0   192.168.0.0/16   tcp dpt:21 MARK set 0x67
>
> Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
>  pkts bytes target  prot opt in  out  source      destination
>
> Chain POSTROUTING (policy ACCEPT 66605 packets, 9144K bytes)
>  pkts bytes target  prot opt in  out  source      destination
>
> My problem is: when I fire bwmd and thereafter run bwm_monitor, the
> monitor does display some counters, but I see no traffic limiting.
> For example, if I limit ftp traffic to 8kb, it makes no effect. And
> strangely, ftp counters aren't updated.
>
> Please help!!!
>
> Vishal Singh
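
Added example (not part of the original messages and not bwm_tools code): a shell check that derives the reply's diagnosis from the counters, namely how much of the traffic entering chain bwmd reaches QUEUE and which chains jump to bwmd without any MARK rule in the mangle table. The two listings are constructed by condensing the output quoted above, and the function names are hypothetical.

```shell
# Constructed sample input: the quoted iptables -L -n -v listings, condensed
# (header rows and some MARK rules left out).
FILTER='Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
 8701 1178K bwmd   all  --  *  *  0.0.0.0/0  0.0.0.0/0
Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
   47  2163 bwmd   all  --  *  *  0.0.0.0/0  0.0.0.0/0
Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
  270 28205 bwmd   all  --  *  *  0.0.0.0/0  0.0.0.0/0
Chain bwmd (3 references)
   14   807 QUEUE  all  --  *  *  0.0.0.0/0  0.0.0.0/0  MARK match !0x0
 5136  703K ACCEPT all  --  *  *  0.0.0.0/0  0.0.0.0/0'
MANGLE='Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
    0     0 MARK   tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 MARK set 0x64
   10   471 MARK   tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:21 MARK set 0x65
    4   336 MARK   icmp --  *  *  0.0.0.0/0  0.0.0.0/0  MARK set 0x66
Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)'
# Sum the packet counters of rules with target $2 in chain $1 (listing on
# stdin). iptables abbreviates large counters (e.g. 327K), so sums are approximate.
target_pkts() {
    awk -v chain="$1" -v target="$2" '
        function expand(n) { return (n ~ /K$/) ? n * 1000 : (n ~ /M$/) ? n * 1000000 : n + 0 }
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $3 == target { sum += expand($1) }
        END { printf "%d\n", sum }'
}
# Names of the chains (listing on stdin) holding at least one rule with target $1.
chains_with_target() {
    awk -v target="$1" '
        $1 == "Chain" { cur = $2; next }
        $3 == target && !(cur in seen) { seen[cur] = 1; out = out " " cur }
        END { print out }'
}
# Chains that hand packets to bwmd but have no MARK rule in the mangle table,
# so their packets carry mark 0 and fall through to ACCEPT.
unmarked_hooks() {
    marked=$(printf '%s\n' "$MANGLE" | chains_with_target MARK)
    missing=""
    for c in $(printf '%s\n' "$FILTER" | chains_with_target bwmd); do
        case " $marked " in *" $c "*) ;; *) missing="${missing:+$missing }$c" ;; esac
    done
    echo "$missing"
}
# Percentage of the packets entering chain bwmd that reached QUEUE.
queue_share() {
    q=$(printf '%s\n' "$FILTER" | target_pkts bwmd QUEUE)
    a=$(printf '%s\n' "$FILTER" | target_pkts bwmd ACCEPT)
    awk -v q="$q" -v a="$a" 'BEGIN { printf "%.2f\n", ((q + a) ? 100 * q / (q + a) : 0) }'
}
echo "QUEUE share: $(queue_share)%  hooked but unmarked: $(unmarked_hooks)"
```

On a live router, assign the output of iptables -L -n -v and iptables -L -n -v -t mangle to FILTER and MANGLE instead of the samples.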