Re: [bwm-tools-tech] bwm tools traffic shaping issue
From: vishal s. <vis...@ho...> - 2005-05-25 17:50:26
Hi, even I noticed that. Does that mean the firewall rules are wrong? I didn't understand "downloaded from gateway". Could you tell me if I am wrong in setting up the network? My "router" has only one i/face active, 192.168.1.69, and all packets are sent to it and come out of it. Is that the problem?

Vishal Singh

>From: Giang Hu <fre...@gm...>
>To: bwm...@li...
>Subject: Re: [bwm-tools-tech] bwm tools traffic shaping issue
>Date: Wed, 25 May 2005 19:32:38 +0700
>
>Hi Vishal,
>
>bwmd takes traffic-limiting effect only if the traffic target is *QUEUE*. As your status shows:
>
>Chain bwmd (3 references)
> pkts bytes target  prot opt in  out  source      destination
>   14   807 QUEUE   all  --  *   *    0.0.0.0/0   0.0.0.0/0    MARK match !0x0
> 5136  703K ACCEPT  all  --  *   *    0.0.0.0/0   0.0.0.0/0
>
>Only a small amount of *FORWARD* traffic goes through *QUEUE* while all the others jump to ACCEPT (did you download from the gateway? Set */nfmark/* for the *INPUT* chain?)
>
>Just a thought, good luck
>Giang Hu.
>
>vishal singh wrote:
>
>>Hi Nigel
>>
>>In brief, let me first describe what I am trying to do:
>>
>>I have configured one Linux Box, 192.168.1.69, as a router and installed bwm tools. This has the default gateway of 192.168.1.114.
>>
>>Also, I have configured another Linux Box, 192.168.1.163, and made the previous box its default gateway. So anything that is not on the local net goes to 192.168.1.69.
>>
>>This is my bwm firewall file:
>>
>><firewall>
>><global>
>>  <modules>
>>    <load name="ip_queue"/>
>>    <load name="ip_conntrack_ftp"/>
>>    <load name="ip_nat_ftp"/>
>>  </modules>
>>
>>#Classes
>>
>>  <class name="http_public_traffic_inout">
>>    <address name="http_inout" proto="tcp" dst-port="80"/>
>>  </class>
>>
>>  <class name="https_public_traffic_inout">
>>    <address name="https_inout" proto="tcp" dst-port="443"/>
>>  </class>
>>
>>  <class name="ftp_public_traffic_inout">
>>    <address name="ftp_inout" proto="tcp" dst-port="21"/>
>>  </class>
>>
>>  <class name="DNS_traffic_inout">
>>    <address name="DNS_inout" proto="udp" dst-port="53"/>
>>  </class>
>>
>>  <class name="icmp_traffic_inout">
>>    <address name="icmp_inout" proto="icmp"/>
>>  </class>
>>
>>  <class name="http_private_traffic_inout">
>>    <address name="http_inout" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
>>  </class>
>>
>>  <class name="ftp_private_traffic_inout">
>>    <address name="ftp_inout" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
>>  </class>
>>
>>  <class name="telnet_private_traffic_inout">
>>    <address name="telnet_inout" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
>>  </class>
>>
>>  <class name="ssh_private_traffic_inout">
>>    <address name="ssh_inout" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
>>  </class>
>>
>>  <class name="smtp_private_traffic_inout">
>>    <address name="http_inout" src="192.168.1.112" proto="tcp" dst-port="25"/>
>>  </class>
>>
>>  <class name="pop3_private_traffic_inout">
>>    <address name="pop3_inout" src="192.168.1.112" dst="63.80.142.98" proto="tcp" dst-port="110"/>
>>  </class>
>>
>>  <class name="icmp_private_traffic_inout">
>>    <address name="icmp_inout" dst="192.168.0.0/16" proto="icmp"/>
>>  </class>
>>
>>  <class name="http_private_traffic_outin">
>>    <address name="http_outin" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
>>  </class>
>>
>>  <class name="ftp_private_traffic_outin">
>>    <address name="ftp_outin" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
>>  </class>
>>
>>  <class name="telnet_private_traffic_outin">
>>    <address name="telnet_outin" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
>>  </class>
>>
>>  <class name="ssh_private_traffic_outin">
>>    <address name="ssh_outin" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
>>  </class>
>>
>>  <class name="icmp_private_traffic_outin">
>>    <address name="icmp_outin" proto="icmp"/>
>>  </class>
>>
>>  <class name="snmp_private_traffic">
>>    <address name="snmpprivate" proto="tcp" dst-port="161"/>
>>  </class>
>></global>
>>
>><acl>
>>  <table name="filter">
>>    <chain name="INPUT">
>>      <rule target="bwmd">
>>      </rule>
>>    </chain>
>>    <chain name="OUTPUT">
>>      <rule target="bwmd">
>>      </rule>
>>    </chain>
>>    <chain name="FORWARD">
>>      <rule target="bwmd">
>>      </rule>
>>    </chain>
>>  </table>
>></acl>
>>
>><traffic>
>>  <flow name="total_in" max-rate="64000" report-timeout="60">
>>    <flow name="http_https_public" max-rate="16000" burst-rate="120000" nfmark="100">
>>      http_public_traffic_inout
>>      https_public_traffic_inout
>>      http_private_traffic_inout
>>    </flow>
>>    <flow name="ftp_public" max-rate="16000" burst-rate="64000" nfmark="101">
>>      ftp_public_traffic_inout
>>    </flow>
>>    <flow name="dns_icmp_public" max-rate="4000" burst-rate="4500" nfmark="102">
>>      DNS_traffic_inout
>>      icmp_private_traffic_outin
>>    </flow>
>>    <flow name="ftp_private" max-rate="128000" burst-rate="128000" nfmark="103">
>>      ftp_private_traffic_inout
>>    </flow>
>>  </flow>
>></traffic>
>>
>></firewall>
>>
>>This is the o/p of iptables -L -n -v
>>
>>[root@bplinux60 bwm_tools]# iptables -L -n -v
>>Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
>> pkts bytes target  prot opt in  out  source      destination
>> 8701 1178K bwmd    all  --  *   *    0.0.0.0/0   0.0.0.0/0
>>
>>Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>   47  2163 bwmd    all  --  *   *    0.0.0.0/0   0.0.0.0/0
>>
>>Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>  270 28205 bwmd    all  --  *   *    0.0.0.0/0   0.0.0.0/0
>>
>>Chain bwmd (3 references)
>> pkts bytes target  prot opt in  out  source      destination
>>   14   807 QUEUE   all  --  *   *    0.0.0.0/0   0.0.0.0/0    MARK match !0x0
>> 5136  703K ACCEPT  all  --  *   *    0.0.0.0/0   0.0.0.0/0
>>
>>And this is the o/p of iptables -L -n -v -t mangle
>>
>>[root@bplinux60 bwm_tools]# iptables -L -n -v -t mangle
>>Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>
>>Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>
>>Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>    0     0 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0       tcp dpt:80  MARK set 0x64
>>    0     0 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0       tcp dpt:443 MARK set 0x64
>>    0     0 MARK    tcp  --  *   *    0.0.0.0/0   192.168.0.0/16  tcp dpt:80  MARK set 0x64
>>   10   471 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0       tcp dpt:21  MARK set 0x65
>>    0     0 MARK    udp  --  *   *    0.0.0.0/0   0.0.0.0/0       udp dpt:53  MARK set 0x66
>>    4   336 MARK    icmp --  *   *    0.0.0.0/0   0.0.0.0/0                   MARK set 0x66
>>   10   471 MARK    tcp  --  *   *    0.0.0.0/0   192.168.0.0/16  tcp dpt:21  MARK set 0x67
>>
>>Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>
>>Chain POSTROUTING (policy ACCEPT 66605 packets, 9144K bytes)
>> pkts bytes target  prot opt in  out  source      destination
>>
>>My problem is: when I fire bwmd and thereafter run bwm_monitor, the monitor does display some counters, but I see no traffic limiting. For example, if I limit ftp traffic to 8kb, it has no effect. And strangely, the ftp counters aren't updated.
>>
>>Please help!!!
>>
>>Vishal Singh
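A small diagnostic for the mismatch Giang Hu points at, added here as an example and not part of the thread or of bwm tools: it parses `iptables -L -n -v` listings (the sample below is constructed from the two listings quoted above, condensed), reports what share of packets in the bwmd chain actually reach QUEUE, and lists filter chains that jump to bwmd but have no MARK rule in the matching mangle chain, so their traffic can never be shaped.

```python
import re
# Constructed sample, condensed from the two listings quoted in the thread.
FILTER = """\
Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
 pkts bytes target prot opt in out source destination
 8701 1178K bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
 pkts bytes target prot opt in out source destination
 47 2163 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bwmd (3 references)
 pkts bytes target prot opt in out source destination
 14 807 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
 5136 703K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""
MANGLE = """\
Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
 pkts bytes target prot opt in out source destination
 10 471 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x65
"""
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}

def count(tok):
    """iptables -v abbreviates large counters (e.g. 1178K); expand them."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_chains(listing):
    """Map chain name -> [(pkts, target)] from `iptables -L -n -v` output."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif current is not None and (parts := line.split()) and parts[0][0].isdigit():
            current.append((count(parts[0]), parts[2]))
    return chains

def diagnose(filter_listing, mangle_listing):
    """Return (share of bwmd packets hitting QUEUE, chains that jump to bwmd
    but have no MARK rule in mangle, so their traffic can never be shaped)."""
    filt, mangle = parse_chains(filter_listing), parse_chains(mangle_listing)
    bwmd = filt.get("bwmd", [])
    total = sum(p for p, _ in bwmd)
    queued = sum(p for p, t in bwmd if t == "QUEUE")
    unmarked = [name for name, rules in filt.items()
                if any(t == "bwmd" for _, t in rules)
                and not any(t == "MARK" for _, t in mangle.get(name, []))]
    return (queued / total if total else 0.0), sorted(unmarked)
```

On the sample, INPUT is reported as unmarked and well under one percent of bwmd traffic reaches QUEUE, which is the pattern Giang Hu describes.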