[LARTC] prerouting does not effect filtering
Andy Furniss
andy.furniss@dsl.pipex.com
Sun, 09 May 2004 23:12:55 +0100
reader wrote:
> I try to shape traffic using HTB and mark packets within iptables using
> PREROUTING. But the filterrules seems to ignore the marks set with
> PREROUTING
> Only POSTROUTING marks are accepted.
>
> First my configuration
>
> I have a router connected to the internet via ADSL over interface ppp0.
> eth0 is a tunnel to ppp0 and eth1 serves the LAN.
> LAN is 192.168.57.0/24 on 10Mbit
> ppp0 is 80.126.16.44 on 320Kbit upstream and 2048Kbit downstream
>
>
> These are the kernel/programs involved:
>
> Kernel 2.4.20 (Suse 8.2)
> iproute version 2.4.7
> iptables version 1.2.7a
>
> Underneath the HTB script and a snapshot of the iptables script. The HTB
> script is executed on the beginning of the iptables script.
>
>> # Configure HTB qdisc
>> /usr/sbin/tc qdisc add dev eth1 root handle 1:0 htb default 30
>> /usr/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 1960kbit burst 15k
>> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 152kbit ceil 152kbit burst 2k prio 1
>> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 950kbit ceil 1808kbit burst 15k prio 5
>> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:30 htb rate 646kbit ceil 900kbit burst 15k prio 10
>> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:40 htb rate 133kbit ceil 152kbit burst 15k prio 15
>> /usr/sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
>> /usr/sbin/tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
>> /usr/sbin/tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
>> /usr/sbin/tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
>> # Filter rules
>> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:10
>> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 2 fw flowid 1:10
>> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 4 fw flowid 1:20
>> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 5 fw flowid 1:20
>> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 8 fw flowid 1:30
>> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 10 fw flowid 1:40
>>
>
>> # Snapshot of iptables script. scp and ssh as an example
>> # Standard policy is -j DROP
>>
>> /usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
>> --dport 22 \
>> -m tos --tos Maximize-Throughput -j MARK --set-mark 10
>> /usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1
^^
You are only marking packets inbound on eth1, but shaping outbound.
Andy.
>> --dport 22 \
>> -m tos --tos Minimize-Delay -j MARK --set-mark 2
>>
>> /usr/sbin/iptables -A FORWARD -p tcp -i eth1 -o ppp0 -s 192.168.57.0/24 \
>> -d 0/0 --dport 22 -j ACCEPT
>> /usr/sbin/iptables -A POSTROUTING -t nat -p tcp -o ppp0 -s 192.168.57.0/24 \
>> -d 0/0 --dport 22 -j SNAT --to 80.126.16.44
>
>
> And the packets seem to be marked as intended:
>
> 515 31080 MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS match 0x10 MARK set 0x2
>
>
> But tc -s class show dev eth1 says only htb 1:30 is used.
>
> I get the feeling it is something with the POSTROUTING rule but can not
> work out what is wrong.
>
> Thanks
>
>
> Ben Thijssen.
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
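Following Andy's point, here is an added example (not code from either poster) of marking the direction the eth1 HTB tree actually shapes: the packets that will leave eth1 towards the LAN arrive on ppp0, so the mangle rules must match -i ppp0 (or -o eth1 in POSTROUTING, which is why those marks worked), and the ssh replies are matched on source port 22. It assumes the remote ssh end sets the same TOS values on its replies, keeps the interface names, marks and subnet from the post, and takes a DRY_RUN=1 switch to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Marks the traffic the eth1 HTB tree
# actually sees: packets *leaving* eth1 towards the LAN. Those packets
# entered on ppp0, so PREROUTING must match -i ppp0 (or use mangle
# POSTROUTING -o eth1). "-i eth1" only sees LAN->router packets, which exit
# on ppp0, where no HTB qdisc is attached, so their marks never reach 1:10/1:40.
# Assumption: the remote ssh/scp peer sets the same TOS bits on its replies.
# Set DRY_RUN=1 to print the commands instead of executing them.

IPT=/usr/sbin/iptables
TC=/usr/sbin/tc
LAN_IF=eth1
WAN_IF=ppp0

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Marks that the fw filters in the post map to HTB classes on eth1:
#   2 -> 1:10 (interactive ssh, Minimize-Delay)
#  10 -> 1:40 (bulk scp, Maximize-Throughput)
mark_downstream() {
    # Replies arriving on the WAN side, about to be shaped when leaving eth1.
    run $IPT -t mangle -A PREROUTING -i $WAN_IF -p tcp --sport 22 \
        -m tos --tos Minimize-Delay -j MARK --set-mark 2
    run $IPT -t mangle -A PREROUTING -i $WAN_IF -p tcp --sport 22 \
        -m tos --tos Maximize-Throughput -j MARK --set-mark 10
}

# Check: the byte counters of 1:10 / 1:40 should now move during an ssh or
# scp session, and the mangle counters should show hits on the -i ppp0 rules.
show_status() {
    run $TC -s class show dev $LAN_IF
    run $IPT -t mangle -L PREROUTING -v -n
}

# Only apply when explicitly asked, e.g.:  sh mark-downstream.sh apply
if [ "${1:-}" = "apply" ]; then
    mark_downstream
    show_status
fi
```

Run with `DRY_RUN=1 sh mark-downstream.sh apply` first to review the generated rules before applying them as root.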