Re: [LARTC] Traffic control + NAT + HTB

Linux Advanced Routing and Traffic Control

Ruslan,

 : Can you help me understand how to make HTB work with NAT in my situation?

You appear to have the right solution in mind.  Mark the packets before
the address has been altered, and add the filter command to put the
packets into your 60Mbit class.

 :   ---------------
 : | linux         | eth0  -------
 : | 193.220.70.33 |------|switch |--|cisco|<-->internet
 : | NAT           |      ---------
 : -----------------        |
 :                           |
 : ------------  eth0       |
 : client1     |-------------
 : 192.168.1.1 |
 : -------------
 :
 : Client's(192.168.1.2) default route is to 193.220.70.33
 :
 : On linux server(193.220.70.33) there is rule:
 : iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to
 : 193.220.70.33
 :
 : As I understand it, I can control traffic bandwidth going to client1 and
 : from client1 on the linux server even though it has only one interface
 : (maybe I'm wrong).

I noticed your question earlier about using a machine with a single
interface as a router.  Is that what you are doing here?  If so, then
you'll want to add one other command, and here's why:

 - Your linux machine will only shape data it is transmitting.
 - You are shaping only data transmitted from client1 through the gateway
   (practically speaking this means you are capping the outbound flow
   from client1).

 : /usr/local/iproute2/sbin/tc qdisc add dev eth0 root handle 1: htb
 : /usr/local/iproute2/sbin/tc class add dev eth0 parent 1:1 classid 1:20 \
 :   htb rate 32kbit ceil 60Mbit
 : /usr/local/iproute2/sbin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq
 : /usr/local/iproute2/sbin/tc filter add dev eth0 parent 1:0 protocol ip \
 :   handle 1 fw flowid 1:20

Your tc commands look correct.  You have an implicit class which will
transmit as fast as the hardware allows--that is HTB's default.

 : /sbin/iptables -t mangle -A POSTROUTING -s 192.168.1.2 -j MARK --set-mark 1

Now, simply add this:

  /sbin/iptables -t mangle -A POSTROUTING -d 192.168.1.2 -j MARK --set-mark 1

Now, you'll be shaping both upload (from source client1) and download
(to destination client1).

 : Will a packet with src 192.168.1.2 be put into classid 1:20, or will it
 : already be NATed by then, with its source being 193.220.70.33?

The mark will survive while the packet is being handled by the kernel, so
even after NAT, the mark will be available.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
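The pieces from this thread collected into one script, as an added example that is neither Martin's nor Ruslan's own code: it uses the addresses and rates from the thread, assumes `eth0`, `/sbin/tc` and `/sbin/iptables`, adds a parent class 1:1 for the 1:20 leaf, and only prints the commands unless run with `apply`.

```shell
#!/bin/sh
# Per-client HTB shaping on a one-armed NAT gateway. Marks are set in
# mangle POSTROUTING, which runs before nat POSTROUTING, so the private
# source address is still visible for the upload rule; replies to the
# client are un-NATed in PREROUTING, so the -d rule matches downloads.
# Values below are the thread's; edit to taste (the rest is assumed).
DEV=eth0
CLIENT=192.168.1.2          # host to shape
LAN=192.168.0.0/16
PUBLIC=193.220.70.33        # SNAT address of the gateway
RATE=32kbit
CEIL=60mbit
MARK=1
TC=/sbin/tc
IPT=/sbin/iptables

# Print the configuration, one command per line, without running anything.
shaper_commands() {
    cat <<EOF
$TC qdisc add dev $DEV root handle 1: htb
$TC class add dev $DEV parent 1: classid 1:1 htb rate $CEIL ceil $CEIL
$TC class add dev $DEV parent 1:1 classid 1:20 htb rate $RATE ceil $CEIL
$TC qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
$TC filter add dev $DEV parent 1: protocol ip handle $MARK fw flowid 1:20
$IPT -t mangle -A POSTROUTING -s $CLIENT -j MARK --set-mark $MARK
$IPT -t mangle -A POSTROUTING -d $CLIENT -j MARK --set-mark $MARK
$IPT -t nat -A POSTROUTING -s $LAN -o $DEV -j SNAT --to-source $PUBLIC
EOF
}

# Apply: clear any existing root qdisc first (absent is fine), then run each line.
apply_shaper() {
    $TC qdisc del dev "$DEV" root 2>/dev/null || true
    shaper_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Show class byte counters and mark-rule hit counts to confirm that both
# directions actually land in 1:20 rather than the unshaped default.
verify_shaper() {
    $TC -s class show dev "$DEV"
    $IPT -t mangle -L POSTROUTING -v -n
}

case "${1:-}" in
    apply)  apply_shaper ;;
    verify) verify_shaper ;;
    *)      shaper_commands ;;
esac
```

Run it with no arguments to review the commands, `apply` (as root) to install them, and `verify` afterwards to watch the 1:20 counters grow for traffic in both directions.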


