Re: prerouting does not affect filtering

Linux Advanced Routing and Traffic Control

Well, what it looks like is: you are marking packets coming in on the LAN,
which is 192.168, while the outgoing packets are NATed to a real IP.
Since the IP on the packet is different, the mark won't carry on, so you
can't shape it out ppp0.
Why not just use the iptables rules on ppp0 POSTROUTING?

On Sun, 2004-05-09 at 18:12, Andy Furniss wrote:
> reader wrote:
> > I try to shape traffic using HTB and mark packets within iptables using 
> > PREROUTING. But the filter rules seem to ignore the marks set with 
> > PREROUTING.
> > Only POSTROUTING marks are accepted.
> > 
> > First my configuration
> > 
> > I have a router connected to the internet via ADSL over interface ppp0. 
> > eth0 is a tunnel to ppp0 and eth1 serves the LAN.
> > LAN is 192.168.57.0/24 on 10Mbit
> > ppp0 is  80.126.16.44 on 320Kbit upstream and 2048Kbit downstream
> > 
> > 
> > These are the kernel/programs involved:
> > 
> > Kernel 2.4.20 (Suse 8.2)
> > iproute version 2.4.7
> > iptables version 1.2.7a
> > 
> > Below are the HTB script and a snapshot of the iptables script. The HTB 
> > script is executed at the beginning of the iptables script.
> > 
> >> # Configure HTB qdisc
> >> /usr/sbin/tc qdisc add dev eth1 root handle 1:0 htb default 30
> >> /usr/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 1960kbit burst 15k
> >> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 152kbit ceil 152kbit burst 2k prio 1
> >> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 950kbit ceil 1808kbit burst 15k prio 5
> >> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:30 htb rate 646kbit ceil 900kbit burst 15k prio 10
> >> /usr/sbin/tc class add dev eth1 parent 1:1 classid 1:40 htb rate 133kbit ceil 152kbit burst 15k prio 15
> >> /usr/sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> >> /usr/sbin/tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> >> /usr/sbin/tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
> >> /usr/sbin/tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
> >> # Filter rules
> >> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:10
> >> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 2 fw flowid 1:10
> >> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 4 fw flowid 1:20
> >> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 5 fw flowid 1:20
> >> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 8 fw flowid 1:30
> >> /usr/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 10 fw flowid 1:40
> >>
> > 
> >> # Snapshot of the iptables script. scp and ssh as an example
> >> # Standard policy is -j DROP
> >>
> >> /usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1 
> >> --dport 22 \
> >>      -m tos --tos Maximize-Throughput -j MARK --set-mark 10
> >> /usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m tcp -i eth1 
>                                                              ^^
> 
> You are only marking packets inbound on eth1, but shaping outbound.
> 
> Andy.
> 
> 
> 
> >> --dport 22 \
> >>      -m tos --tos Minimize-Delay -j MARK --set-mark 2
> >>
> >> /usr/sbin/iptables -A FORWARD -p tcp -i eth1 -o ppp0 -s 192.168.57.0/24 \
> >>                          -d 0/0 --dport 22 -j ACCEPT
> >> /usr/sbin/iptables -A POSTROUTING -t nat -p tcp -o ppp0 -s 192.168.57.0/24 \
> >>                          -d 0/0 --dport 22 -j SNAT --to 80.126.16.44
> > 
> > 
> > And the packets seem to be marked as intended:
> > 
> >  515 31080 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS match 0x10 MARK set 0x2
> > 
> > 
> > But tc -s class show dev eth1 says only htb 1:30 is used.
> > 
> > I get the feeling it is something with the POSTROUTING rule but cannot 
> > work out what is wrong.
> > 
> > Thanks
> > 
> > 
> > Ben Thijssen.
> > 
> > _______________________________________________
> > LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> > 
> 
> 

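As an added example (not the poster's script and not from the thread): the fwmark travels with the packet through routing and SNAT, so what decides whether a fw filter sees it is which interface's egress qdisc holds the filters. Putting the HTB tree on ppp0 and marking in mangle POSTROUTING with -o ppp0 places marks and shaping in the same direction. The interface names and LAN range follow the thread; the class rates, mark values and the DRYRUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: upstream shaping keyed on fwmarks.
# Assumptions: WAN is ppp0 (320kbit up) and LAN is 192.168.57.0/24 (from the
# thread); class rates, marks and the DRYRUN switch are made up for this example.
# DRYRUN=1 prints the commands instead of running them (running them needs root).
TC=/usr/sbin/tc
IPT=/usr/sbin/iptables
WAN=ppp0
LAN=192.168.57.0/24

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_qdisc() {
    # Root HTB on the WAN egress: only packets leaving via ppp0 pass this tree,
    # so fw filters here see the marks set on LAN-to-Internet traffic.
    run $TC qdisc del dev $WAN root 2>/dev/null
    run $TC qdisc add dev $WAN root handle 1: htb default 30
    run $TC class add dev $WAN parent 1: classid 1:1 htb rate 300kbit burst 6k
    run $TC class add dev $WAN parent 1:1 classid 1:10 htb rate 64kbit ceil 300kbit prio 1
    run $TC class add dev $WAN parent 1:1 classid 1:20 htb rate 128kbit ceil 300kbit prio 2
    run $TC class add dev $WAN parent 1:1 classid 1:30 htb rate 108kbit ceil 300kbit prio 3
    # For fw filters the handle is the fwmark a packet must carry.
    run $TC filter add dev $WAN parent 1: protocol ip prio 1 handle 2 fw flowid 1:10
    run $TC filter add dev $WAN parent 1: protocol ip prio 1 handle 10 fw flowid 1:20
}

setup_marks() {
    # Mark in mangle POSTROUTING with -o ppp0: the same direction the qdisc
    # above shapes. Interactive ssh (Minimize-Delay) and bulk scp
    # (Maximize-Throughput) get different marks and therefore different classes.
    run $IPT -t mangle -A POSTROUTING -o $WAN -s $LAN -p tcp --dport 22 \
        -m tos --tos Minimize-Delay -j MARK --set-mark 2
    run $IPT -t mangle -A POSTROUTING -o $WAN -s $LAN -p tcp --dport 22 \
        -m tos --tos Maximize-Throughput -j MARK --set-mark 10
}

# Usage: DRYRUN=1 sh shape-up.sh apply   (drop DRYRUN to install the rules)
if [ "${1:-}" = apply ]; then
    setup_qdisc
    setup_marks
fi
```

After installing, `tc -s class show dev ppp0` should show bytes accumulating in 1:10 and 1:20 while ssh and scp sessions run from the LAN.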
