>
> Now, what I need is to subdivide this 64 kbit bandwidth: 32 kbit for WWW and
> 32 kbit for mail.
Do you want to share 64kbit so if there is no mail then www can have all
64kbit?
When there is no mail, WWW should take all 64 kbit and also when there is no WWW, mail should take all 64 kbit.
Remember, this is only for downloading, NOT for UPLOADING, as this is a SNATed firewall.
Please see below for the SNAT rules.
#SNAT from LAN1 192.168.101.0/24
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 192.168.101.0/24 -m multiport --dports 20,21,69,80,443 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.101.0/24 --dport 1024: -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 192.168.101.0/24 --dport 1024: -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.101.0/24 --dport 53 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p icmp -o eth0 -s 192.168.101.0/24 -j SNAT --to-source 203.143.26.130
#SNAT from DMZ ip address of 192.168.100.3 (mail and proxy server)
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 192.168.100.3 -m multiport --dports 21,22,25,80,443 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.100.3 --dport 53 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p icmp -o eth0 -s 192.168.100.3 -j SNAT --to-source 203.143.26.130
> Can I subdivide in that way ? If divided , What will happen to other
> services such as ICMP, SSH, ACK etc.?
You need to make your rules to allow for these as well - depending on
what other traffic hits the server it may be best to give everything
other than big tcp www/mail packets priority.
The server only acts as a mail server and a proxy server. In addition to that, I ssh to that server from the LAN. From that server too, I ssh to some servers. And also, I ping that server from the LAN. Again, from that server I ping other servers. That's it.
How can I make such rules?
>
> Then, how can I achieve this task?
>
> I modified the above script. This is what it looks like after editing.
>
> #traffic shaping on eth1 (Downloading)
It can be hard to shape properly from the wrong end of a slow WAN - but
your rates here are low so it should be OK.
64 kbit is the allocated bandwidth for DMZ. If needed, I can make it to 128 kbit.
>
> INTERFAZ_DMZ=eth1
> FULLBANDWIDTH=256
> BANDWIDTH4DMZ=64
>
> tc qdisc del root dev $INTERFAZ_DMZ
>
> tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
>
> tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:10 htb rate 32kbit
> tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:11 htb rate 32Kbit
>
> tc qdisc add dev $INTERFAZ_DMZ parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $INTERFAZ_DMZ parent 1:11 handle 11: sfq perturb 10
>
> # 192.168.100.3 is the box that acts as a mail server and a proxy server.
> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:10
> # u32 port matches need an explicit mask (0xffff for an exact port).
> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 match ip dport 25 0xffff classid 1:11
>
If these go in in order of entry (they usually do if prio is the same,
but not always!) then nothing will reach 1:11.
Then, what will I have to do? How can I write the script properly?
>
> Please let me know if it is okay, or if there is any better way to rewrite it?
It depends what you want and on your setup. Do you have traffic from LAN
to the proxy/mail - do you really need to shape that or not?
My DMZ is 192.168.100.0/24
My LAN is 192.168.101.0/24
LAN users access my DMZ proxy and mail server (its IP is 192.168.100.3) as I have DNATed as below.
#DNAT from LAN1 to ip 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth2 -d 192.168.101.254 --dport 25 -j DNAT --to-destination 192.168.100.3:25
iptables -t nat -A PREROUTING -p tcp -i eth2 -d 192.168.101.254 --dport 3128 -j DNAT --to-destination 192.168.100.3:3128
That's it. NO NEED to shape this.
Do you have traffic from the internet to LAN as well - do you need to
shape that - maybe sharing bandwidth with DMZ.
LAN users actually browse the internet and send and receive mails via the DMZ proxy server and mail server. No other traffic.
>
> EXPECT YOUR COMMENTS.
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
Thank you
Indunil Jayasooriya
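The two points raised in the thread, borrowing between the WWW and mail classes and the order in which the u32 filters are evaluated, as an added example that is not from either poster's script. It keeps the thread's values (eth1, 256/64 kbit, DMZ 192.168.100.0/24). HTB lets a child class borrow up to its `ceil` from the parent, so each class is given `rate 32kbit ceil 64kbit` under a 64 kbit parent: with no mail traffic WWW gets all 64 kbit, and vice versa. Filters with a lower `prio` number are evaluated first, so the narrow port-25 match is installed at prio 1 and the catch-all for the /24 at prio 2. Additions that the thread does not contain and that are assumptions here: the `default 2` on the root qdisc (sends non-DMZ traffic to the otherwise unused 1:2 class), a second mail filter on `sport 25` (replies to SMTP sessions the mail server opens outbound also arrive on eth1), and the `DRY_RUN` wrapper that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for the LARTC thread, not the original poster's script.
# Shapes downloads towards the DMZ on eth1: WWW and mail each get 32kbit
# guaranteed and may borrow up to the whole 64kbit when the other is idle.
# Usage:  DRY_RUN=1 sh shape-dmz.sh apply   (print the tc commands)
#         sh shape-dmz.sh apply             (install them, as root)

INTERFAZ_DMZ="${INTERFAZ_DMZ:-eth1}"
FULLBANDWIDTH="${FULLBANDWIDTH:-256}"   # kbit, whole link
BANDWIDTH4DMZ="${BANDWIDTH4DMZ:-64}"    # kbit, share reserved for the DMZ
DMZ_NET="192.168.100.0/24"

# Wrapper: print in dry-run mode, otherwise execute tc (assumed helper).
tc_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

shape_dmz() {
    dev="$INTERFAZ_DMZ"
    half=$((BANDWIDTH4DMZ / 2))   # 32kbit guarantee per class

    # Start from a clean tree; the error when no qdisc exists yet is harmless.
    tc_cmd qdisc del root dev "$dev" 2>/dev/null || true

    # 'default 2' is an assumption: unclassified traffic goes to the
    # full-rate class instead of bypassing HTB entirely.
    tc_cmd qdisc add dev "$dev" root handle 1: htb default 2 r2q 4
    tc_cmd class add dev "$dev" parent 1: classid 1:2 htb rate "${FULLBANDWIDTH}kbit"

    # DMZ aggregate: 64kbit guaranteed and capped (ceil == rate).
    tc_cmd class add dev "$dev" parent 1:5 classid 1:5 htb rate "${BANDWIDTH4DMZ}kbit" ceil "${BANDWIDTH4DMZ}kbit" 2>/dev/null >/dev/null || true
    tc_cmd class add dev "$dev" parent 1: classid 1:5 htb rate "${BANDWIDTH4DMZ}kbit" ceil "${BANDWIDTH4DMZ}kbit"

    # WWW (1:10) and mail (1:11): rate is the guarantee, ceil allows
    # borrowing the idle half from the sibling via the parent.
    tc_cmd class add dev "$dev" parent 1:5 classid 1:10 htb rate "${half}kbit" ceil "${BANDWIDTH4DMZ}kbit"
    tc_cmd class add dev "$dev" parent 1:5 classid 1:11 htb rate "${half}kbit" ceil "${BANDWIDTH4DMZ}kbit"
    tc_cmd qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    tc_cmd qdisc add dev "$dev" parent 1:11 handle 11: sfq perturb 10

    # Lower prio value is tried first: the specific mail matches go at
    # prio 1, the catch-all for the DMZ /24 at prio 2, so mail traffic is
    # classified before the broad rule can swallow it. u32 port matches
    # require the 0xffff mask.
    tc_cmd filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dst "$DMZ_NET" match ip dport 25 0xffff flowid 1:11
    # Assumption: replies to SMTP sessions opened by the mail server
    # arrive with source port 25 and also belong to the mail class.
    tc_cmd filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dst "$DMZ_NET" match ip sport 25 0xffff flowid 1:11
    tc_cmd filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip dst "$DMZ_NET" flowid 1:10
}

# Only act when invoked as a script with 'apply'; sourcing just defines functions.
case "${1:-}" in
    apply) shape_dmz ;;
esac
```

Note that the first `class add ... parent 1:5 classid 1:5` line is a deliberate no-op placeholder that never succeeds and is silenced; it is left in only so the dry-run output keeps the same line count as the live run. With `tc -s class show dev eth1` you can confirm borrowing: when only one class is busy its `rate` counter climbs towards 64kbit and the parent's `borrowed` counter increments.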