Martin,

Thanks for the pointers. I may have been too quick to suggest a "solution" before describing the problem I'm having.

More specifically: machine A is an outbound emailer and machine B runs a website. When A is sending at high volume it can take up to 30 seconds to get an HTTP response from machine B. I naively assumed the solution was to install more NIC cards and build separate "channels" for A & B.

Here's my current setup:

      64.41.183.130 (eth0)   64.41.183.131 (eth2)
                        FW
                 192.168.1.8 (eth1)
                        |
                       / \
                      /   \
                     /     \
                    A       B
           192.168.1.26    192.168.1.17

As for iptables, I currently include these two statements:

    -A PREROUTING -i eth0 -d 64.41.183.130 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.17:80
    -A PREROUTING -i eth2 -d 64.41.183.131 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.26:25

which presumably routes web traffic coming in on eth0 to the web server (machine B) and which routes smtp traffic coming in on eth1 to the email server (machine A).

ASSUMING this is correct, I'd like to be able to turn this around and map outbound traffic from A through 64.130.183.130 and outbound traffic from B through 64.130.183.131.

Another naive assumption I have made is that eth1 could become a chokepoint and I could add eth3 with IP 192.168.1.9. So, that when everything was done, I would have these 2 channels:

    A <-> 192.168.1.8 <-> 64.131.183.131 (handles all inbound/outbound smtp traffic)

AND

    B <-> 192.168.1.9 <-> 64.131.183.130 (handles all inbound/outbound http traffic)

I hope that provides enough details for you.

Thank you,
Jeff

-----Original Message-----
From: Martin A. Brown [mailto:mabrown-lartc@xxxxxxxxxxxxxx]
Sent: Monday, February 17, 2003 10:11 AM
To: Jeff Cordova
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: [LARTC] ROUTING, POSTROUTING, & Traffic Control

Jeff,

[I rearranged your question a bit.]

: Can I do this? If possible, can someone please give explicit details.

Yes.

In order to help you more, we'd need to know IP addresses, and also a bit more about why you think you need to add more NICs. Depending on what your answer is to that question, we can make a recommendation on whether you should simply use tc/fwmark with your existing hardware configuration to perform your traffic control or whether you really need to have more physical devices.

: I have 2 machines (A & B) behind a Linux Firewall (FW).
: I have 2 ethernet cards on the FW - eth0 talks to the internet, eth1 talks
: to machines A & B.
: Machine A has lots of inbound & outbound traffic while machine B doesn't.
: It seems reasonable that I could add 2 new ethernet cards (eth2 & eth3) to
: the FW and by configuring iptables and/or routing tables force traffic on A
: to be handled by eth0/eth1 and traffic for B to be handled by eth2/eth3.

If you are looking at reserving a certain amount of bandwidth for machine B while still allowing machine A the lion's share of the bandwidth, you are looking at a simple HTB setup on your eth0. I'd recommend reading up on HTB, queuing and so forth on the following sites for documentation:

  http://lartc.org/howto/    # -- broad docs on linux traffic control
  http://www.docum.org/      # -- more hands on docs (and intro)

HTB software:

  http://luxik.cdi.cz/~devik/qos/htb/

In short, you can use "tc filter" to select based on fwmark, source address, destination address, and a number of other criteria. This will allow you to place traffic from machine A or machine B into a particular class, thus reserving bandwidth for each one.

Is that what you were looking for?

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
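The following script is an added example and is not part of the thread or of either poster's configuration. It puts Martin's suggestion into concrete commands: an HTB qdisc on the external interface with one class per internal host, packets classified by fwmark set in the iptables mangle table, plus the per-host SNAT in POSTROUTING that Jeff asked about for outbound traffic. Internal and public addresses are the ones Jeff posted; the uplink capacity, the per-host rates, the class ids and the mark values are assumptions, and the script assumes both public addresses are reachable through a single external interface (eth0, e.g. as an alias), which is the existing-hardware layout Martin recommends. With .131 on a separate eth2 as in Jeff's diagram, outbound traffic from A would additionally need a policy route so that it leaves via eth2. The script prints the commands by default (DRY_RUN=1) and only executes them, as root, when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): per-host HTB classes on the external
# interface, classification by fwmark, and per-host SNAT for outbound traffic.
set -eu

EXT_IF=${EXT_IF:-eth0}          # interface facing the internet
INT_IF=${INT_IF:-eth1}          # interface facing A and B
TOTAL=${TOTAL:-10mbit}           # uplink capacity (assumed)
A_IP=192.168.1.26                # machine A, outbound mailer (from the thread)
B_IP=192.168.1.17                # machine B, web server (from the thread)
A_PUB=64.41.183.131              # public address A should source from
B_PUB=64.41.183.130              # public address B should source from
A_RATE=${A_RATE:-8mbit}          # guaranteed to A (assumed)
B_RATE=${B_RATE:-2mbit}          # guaranteed to B (assumed)
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands, 0 = execute them (root)

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mangle PREROUTING: mark packets by internal source so tc can classify them
# later on egress.  Mark 1 = machine A, mark 2 = machine B (assumed values).
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$INT_IF" -s "$A_IP" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$INT_IF" -s "$B_IP" -j MARK --set-mark 2
}

# nat POSTROUTING: new outbound connections from A leave as A_PUB and from B
# as B_PUB.  Replies to the DNAT'd inbound connections are un-NAT'd by
# conntrack and are not affected by these rules.
snat_rules() {
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$A_IP" -j SNAT --to-source "$A_PUB"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$B_IP" -j SNAT --to-source "$B_PUB"
}

# HTB on the external interface: a root class of the uplink size, one child
# class per host with a guaranteed rate that may borrow up to the full link,
# and a small default class for anything unmarked (e.g. the firewall itself).
htb_setup() {
    run tc qdisc del dev "$EXT_IF" root 2>/dev/null || true
    run tc qdisc add dev "$EXT_IF" root handle 1: htb default 30
    run tc class add dev "$EXT_IF" parent 1: classid 1:1 htb rate "$TOTAL" ceil "$TOTAL"
    run tc class add dev "$EXT_IF" parent 1:1 classid 1:10 htb rate "$A_RATE" ceil "$TOTAL"
    run tc class add dev "$EXT_IF" parent 1:1 classid 1:20 htb rate "$B_RATE" ceil "$TOTAL"
    run tc class add dev "$EXT_IF" parent 1:1 classid 1:30 htb rate 256kbit ceil "$TOTAL"
    # fw filters: packets carrying mark 1 go to 1:10, mark 2 to 1:20
    run tc filter add dev "$EXT_IF" parent 1: protocol ip prio 1 handle 1 fw classid 1:10
    run tc filter add dev "$EXT_IF" parent 1: protocol ip prio 1 handle 2 fw classid 1:20
}

# Apply (or, by default, print) the whole policy.
mark_rules
snat_rules
htb_setup
```

Shaping on eth0 only governs what the firewall sends upstream, which is the direction Jeff's mailer saturates; to reserve inbound bandwidth for B you would repeat the HTB block on eth1 with filters on destination address instead of fwmark. Check the result with `tc -s class show dev eth0` and confirm packets are landing in the intended classes rather than the default 1:30.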